Cisco Critical Warning

A recent WikiLeaks dump of CIA cyber-exploit material disclosed a vulnerability in Cisco’s IOS software, and it has resulted in the company releasing a critical warning to its Catalyst customers.

The vulnerability allows an attacker to cause a reload of an affected device or to remotely execute code, which lets them take over the device. It affects more than 300 models of Cisco Catalyst switches, from the Catalyst 2350-48TD-S switch to the Cisco SM-X Layer 2/3 EtherSwitch Service Module.

Specifically, the vulnerability is in the Cluster Management Protocol (CMP), which uses Telnet as a signaling and command protocol between cluster members. According to Cisco, the vulnerability is due to the combination of two factors:

  1. The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and
  2. The incorrect processing of malformed CMP-specific Telnet options.

Here is what Cisco had to say about the vulnerability:

“Based on the “Vault 7” public disclosure, Cisco launched an investigation into the products that could potentially be impacted by these and similar exploits and vulnerabilities. As part of the internal investigation of our own products and the publicly available information, Cisco security researchers found a vulnerability in the Cluster Management Protocol code in Cisco IOS and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.”

The vulnerability can be mitigated by disabling the Telnet protocol as an allowed protocol for incoming connections; this eliminates the exploit vector. At this time there is no other fix, and Cisco recommends disabling Telnet and using SSH as the allowed protocol for incoming connections instead. Information on how to do both can be found in the Cisco Guide to Harden Cisco IOS Devices. Customers unable or unwilling to disable the Telnet protocol can only reduce the attack surface by implementing infrastructure access control lists (iACLs).
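To make the two recommended mitigations concrete, here is an added example (not from the original post, and not Cisco's own tooling) that audits an IOS running-config, supplied as text, for VTY lines that still accept Telnet, VTY lines with no inbound `access-class` (the iACL), and a missing `ip ssh version 2`. Both configuration samples are constructed for illustration; treating a VTY line with no explicit `transport input` as something to review is our assumption, since the platform default varies.

```python
"""Audit a Cisco IOS running-config for the Telnet/iACL mitigations.

Example code written for this page; the configs below are constructed, not
captured from a real device.
"""

# Constructed sample: VTY lines as commonly found before hardening.
WEAK_CONFIG = """\
hostname core-sw1
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
line vty 5 15
 login local
 transport input all
!
end
"""

# Constructed sample: Telnet removed, SSHv2 forced, iACL applied inbound.
HARDENED_CONFIG = """\
hostname core-sw1
!
ip ssh version 2
!
ip access-list extended VTY-MGMT
 permit tcp 10.10.0.0 0.0.0.255 any eq 22
 deny   ip any any log
!
line vty 0 15
 login local
 access-class VTY-MGMT in
 transport input ssh
!
end
"""

# 'transport input' keywords under which a VTY line will accept Telnet.
TELNET_ACCEPTING = {"telnet", "all"}


def parse_vty_sections(config: str) -> list:
    """Return one dict per 'line vty ...' block: header, transport list, ACL."""
    sections = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = {"line": raw.strip(), "transport": None, "access_class": None}
            sections.append(current)
        elif current is not None and raw.startswith(" "):
            parts = raw.split()
            if not parts:
                continue
            if parts[:2] == ["transport", "input"]:
                current["transport"] = parts[2:]
            elif parts[0] == "access-class" and len(parts) >= 2:
                current["access_class"] = parts[1]
        else:
            # A non-indented line ('!', 'end', another section) closes the block.
            current = None
    return sections


def audit(config: str) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for s in parse_vty_sections(config):
        transport = s["transport"]
        if transport is None:
            # Assumption: no explicit setting means the platform default applies,
            # which on some IOS releases still permits Telnet, so flag for review.
            findings.append(f"{s['line']}: no 'transport input' set; "
                            "set 'transport input ssh' explicitly")
        elif TELNET_ACCEPTING & set(transport):
            findings.append(f"{s['line']}: Telnet accepted "
                            f"('transport input {' '.join(transport)}'); "
                            "change to 'transport input ssh'")
        if s["access_class"] is None:
            findings.append(f"{s['line']}: no inbound access-class; apply an "
                            "infrastructure ACL with 'access-class <ACL> in'")
    if "ip ssh version 2" not in config:
        findings.append("global: 'ip ssh version 2' not set; force SSHv2 before "
                        "disabling Telnet")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit(cfg) or ["no findings"]:
            print(" ", f)
```

The parser relies only on IOS's indentation convention (block members are indented one space under the `line vty` header), so the same checks can be run across a directory of `show running-config` captures before and after the change is rolled out.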

Cisco is still reviewing the exploits that were included in the Vault 7 release, so it is possible that more vulnerabilities in Cisco devices will be identified. If you have not been paying attention to this, it is something that needs to be placed on your daily radar. Within the WikiLeaks release there is malware that appears to target different types and families of Cisco devices, including multiple router and switch families. Once installed on a Cisco device, the malware seems to provide a range of capabilities: data collection, data exfiltration, command execution with administrative privileges (without any logging that such commands were ever executed), HTML traffic redirection, manipulation and modification (insertion of HTML code into web pages), DNS poisoning, covert tunneling and others.

Whoever crafted these exploits spent a significant amount of time making sure the tools, once installed, attempt to remain hidden from detection and forensic analysis on the device, and also making sure they were stable and would not crash the device.

As I said before, you need to have this on your radar and mitigate any issues as quickly as possible.

4/4/2017 9:00:00 AM