Dark Reading is part of the Informa Tech Division of Informa PLC

Attackers Exploit Cisco Switch Issue as Vendor Warns of Yet Another Critical Flaw

Cisco says companies fixing previously known protocol issue should also patch against critical remote-code execution issue.

[This story was updated on 4/10/18 with Cisco's comments]

Cisco is urging organizations to immediately address a critical flaw in its network switches running IOS and IOS XE software amid reports of widespread attacks against the devices in several countries.

The company on Monday published a security advisory on the remote code execution flaw (CVE-2018-0171) in the Smart Install function in Cisco IOS and IOS XE software.

Cisco described the flaw, first disclosed March 29 by Embedi, as an issue that could allow an unauthenticated remote attacker to trigger a denial-of-service condition or to execute code of their choice on an affected device. Embedi on March 29 claimed it had found some 250,000 network devices that were vulnerable to the issue.

The RCE flaw is separate from a protocol misuse issue, also related to the Smart Install function, that Cisco first issued an advisory about on Feb 14, 2017 and has updated several times since. It is apparently the protocol misuse issue, not the RCE flaw, that attackers have been exploiting in the recent attacks.

However, Cisco has urged organizations to address both issues immediately, citing widespread and ongoing attacks against its switches in multiple countries. "While we have only observed attacks leveraging the protocol misuse issue, recently, another vulnerability in the Cisco Smart Install Client was disclosed and patched," the company said in a blog post. "While mitigating the protocol misuse issue, customers should also address this vulnerability."

'Don't Mess With Our Elections'

Reuters over the weekend reported that some 200,000 Cisco switches had been compromised in attacks in multiple countries. Among those impacted were data centers and ISPs in Iran and Russia where the attackers displayed a US flag on the screens of compromised systems with the message, "Don't mess with our elections."

IRNA, Iran's official news agency, said the attacks impacted at least 3,500 routers in the country. The agency quoted cybersecurity officials within the country as saying that attackers had tampered with configuration settings on the devices to cause systems to become unavailable.

Cisco first warned about the protocol misuse issue that the threat actors leveraged in the attacks in February 2017. The company has described the issue as something that attackers can abuse to modify the TFTP server setting, steal and modify configuration files, replace the operating system image, and set up accounts that allow execution of IOS commands.

"Although this is not a vulnerability in the classic sense, the misuse of this protocol is an attack vector that should be mitigated immediately," Cisco had noted in an April 5 blog post warning about the surge in recent attacks targeting the issue.

According to the company, attackers have been using search engines like Shodan to scan for vulnerable devices throughout 2017 and the early part of this year. Although Cisco long ago provided instructions on how organizations can find vulnerable devices and mitigate the protocol misuse issue, some 168,000 devices worldwide remained exposed to it when Cisco conducted a recent scan. These devices need to be addressed immediately, the company has noted.

Cisco said that several threat actors, including nation-state groups such as the Dragonfly campaign targeting Western energy firms, have been exploiting the protocol issue in widespread attacks across multiple countries. Some of the attacks have targeted critical infrastructure organizations, Cisco has warned.


In an emailed response to questions from Dark Reading, a Cisco spokesperson said the timing of multiple recent advisories on the Smart Install issue may have caused some confusion over what exactly is going on. She confirmed that the recent attacks indeed involve the Smart Install protocol issue and not the Smart Install Denial of Service or Remote Code Execution flaws described in CVE-2018-0171.   

"At this time, the Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in these advisories."

Cisco's PSIRT published a document after this Dark Reading report posted, clarifying all the potential issues involving Smart Install with advice on how organizations can determine if they are impacted and what steps need to be taken.

"To ensure their network is protected against issues involving Smart Install, our recommendation for customers not actually using Smart Install is to disable the feature using the 'no vstack' command once setup is complete," she says.

"Customers who do use the feature – and leave it enabled – can use ACLs to block incoming traffic on TCP port 4786 (the proper security control). And additionally, patches for known security vulnerabilities should be applied as part of standard network security management."
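The two controls the Cisco spokesperson describes (turn the feature off with `no vstack`, or keep it and filter TCP port 4786 with an ACL), together with the "find the devices that are still exposed" step Cisco's earlier guidance covers, as an added example that is not code from this article, from Cisco, or from any quoted vendor: a small Python audit that reads a saved running-config, classifies the device as disabled, filtered, or exposed, and prints the IOS CLI fix. The sample configs are constructed; the hostnames, the 192.0.2.0/24 addresses, the director address, and the ACL name SMI_HARDENING_LIST are assumptions.

```python
"""Added example (not from the article, Cisco, or any quoted vendor):
audit a Cisco IOS / IOS XE running-config for Smart Install exposure and
emit the mitigation described above: `no vstack`, or an ACL on TCP/4786.
All configs are constructed samples; hostnames, addresses and the ACL
name SMI_HARDENING_LIST are assumptions."""
import re

SMI_PORT = 4786  # the Smart Install client listens here whenever vstack is on


def parse_acls(config):
    """Map each extended named ACL to its ordered entry lines."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^ip access-list extended (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and line.startswith(" "):
            acls[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the ACL
    return acls


def applied_inbound(config):
    """Names of ACLs applied inbound on some interface."""
    return set(re.findall(r"^\s*ip access-group (\S+) in\s*$", config, re.M))


def acl_denies_smi(entries):
    """True if TCP/4786 is denied before a catch-all permit lets it through.
    ACLs are first-match, so `permit ip any any` above the deny defeats it."""
    for e in entries:
        if re.match(rf"deny\s+tcp\s+any\s+any\s+eq\s+{SMI_PORT}\b", e):
            return True
        if re.match(r"permit\s+(ip|tcp)\s+any\s+any\s*$", e):
            return False
    return False


def l3_interfaces(config):
    """Interfaces carrying an IP address (where an inbound ACL can be applied)."""
    names, current = [], None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
        elif current and re.match(r"^\s+ip address \d", line):
            if current not in names:
                names.append(current)
        elif not line.startswith(" "):
            current = None
    return names


def assess(config):
    """Classify a device as 'disabled', 'filtered' or 'exposed'."""
    if re.search(r"^no vstack\b", config, re.M):
        return "disabled"
    acls = parse_acls(config)
    if any(acl_denies_smi(acls[n]) for n in applied_inbound(config) if n in acls):
        return "filtered"
    return "exposed"


def remediation(config, director_ip=None):
    """IOS CLI to apply. No director means the feature is not in use: turn it
    off. With a director (assumed address), allow only that host to reach 4786."""
    if director_ip is None:
        return ["configure terminal", "no vstack", "end", "write memory"]
    lines = ["configure terminal",
             "ip access-list extended SMI_HARDENING_LIST",
             f" permit tcp host {director_ip} any eq {SMI_PORT}",
             f" deny tcp any any eq {SMI_PORT}",
             " permit ip any any"]
    for intf in l3_interfaces(config):
        lines += [f"interface {intf}", " ip access-group SMI_HARDENING_LIST in"]
    return lines + ["end", "write memory"]


# Constructed sample configs (hostnames and 192.0.2.0/24 addresses are made up).
EXPOSED = "hostname access-sw-01\n!\ninterface Vlan1\n ip address 192.0.2.10 255.255.255.0\n!\n"
FILTERED = """\
hostname dist-sw-02
!
ip access-list extended SMI_HARDENING_LIST
 permit tcp host 192.0.2.1 any eq 4786
 deny tcp any any eq 4786
 permit ip any any
!
interface Vlan1
 ip address 192.0.2.20 255.255.255.0
 ip access-group SMI_HARDENING_LIST in
!
"""
# Same ACL with the deny appended after a catch-all permit: never reached.
WRONG_ORDER = FILTERED.replace(
    " permit tcp host 192.0.2.1 any eq 4786\n deny tcp any any eq 4786\n permit ip any any",
    " permit ip any any\n deny tcp any any eq 4786")
DISABLED = "hostname core-sw-03\nno vstack\n!\ninterface Vlan1\n ip address 192.0.2.30 255.255.255.0\n!\n"

if __name__ == "__main__":
    for name, cfg in [("EXPOSED", EXPOSED), ("FILTERED", FILTERED),
                      ("WRONG_ORDER", WRONG_ORDER), ("DISABLED", DISABLED)]:
        print(f"{name:12} -> {assess(cfg)}")
    print("\n".join(remediation(EXPOSED)))
```

On the device itself the quick checks are `show vstack config`, which reports the client role and whether Smart Install is enabled, and `show tcp brief all`, which lists a listener on port 4786 while the client is active. The WRONG_ORDER sample exercises the common mistake of appending the deny below a catch-all permit; IOS evaluates ACL entries in order and never reaches it, so the device stays exposed even though "4786" appears in the config.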

So far, there is no evidence that the RCE flaw in Smart Install has been exploited. However, proof-of-concept exploit code is publicly available. The vulnerability stems from improper validation of packet data: an attacker can send a specially crafted Smart Install message to a vulnerable device on TCP port 4786 and cause it to reload, or, Cisco said, use the same flaw to execute arbitrary code or trigger a denial-of-service condition.

Prior to Cisco's new post, some security researchers said that the newly revealed flaw appears to be different from the one being exploited.

"This attack took advantage of Cisco’s Smart Install protocol," says Bob Noel, director of strategic relationships and marketing for Plixer. "Organizations were provided guidance that Cisco did not consider this a vulnerability, and therefore no changes would be done to the protocol."

Organizations were instructed to simply turn off the protocol, and those that remain exposed are those who have not done so, he says.

The damage an attacker could do with this would depend on their access privileges. By changing the startup configuration, an attacker could force a reboot of a switch and stop all traffic forwarding. "In a case where an attacker gained full administrative rights to a router/switch, they would be able to change the configuration of the device, add or remove security policies, or make any other changes," Noel says.

Ashley Stephenson, CEO of Corero Network Security, says available evidence suggests attackers would not have needed to exploit the RCE flaw in the recent attacks. "While there is no proof, this was likely accomplished by just misusing the protocol," he says.

The attacks show why it is important for organizations to understand the profile of systems exposed to the Internet. If it is exposed, someone will attempt to compromise it. "There is no excuse for exposing unnecessary ports or services, like TCP 4786 for Cisco Smart Install Client," Stephenson says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Comments
9/5/2018 | 4:45:18 PM
Switch Issue
If you are getting the switch issue in the Cisco switches then you must have a talk with  Router Supports. They will help you if you face any kind of problem.