Attackers Exploit Cisco Switch Issue as Vendor Warns of Yet Another Critical Flaw

  /     /     /  
Publicated : 22/11/2024   Category : security


Attackers Exploit Cisco Switch Issue as Vendor Warns of Yet Another Critical Flaw


Cisco says companies fixing previously known protocol issue should also patch against critical remote-code execution issue.



[This story was updated on 4/10/18 with Ciscos comments]
Cisco is urging organizations to immediately address a critical flaw in its network switches running IOS and IOS XE software amid reports of widespread attacks against the devices in several countries.
The company on Monday published a
security advisory
on the remote code execution flaw (
CVE-2018-0171
) in the Smart Install function in Cisco IOS and IOS XE software.
Cisco described the flaw — first disclosed March 29 by
Embedi
 — as an issue that could allow an unauthenticated remote attacker to trigger a denial-of-service condition or to execute code of their choice on an affected device. Emedi on March 29 claimed it had found some 250,000 network devices that were vulnerable to the issue.
The RCE flaw is separate from a protocol misuse issue also related to the Smart Install function that Cisco first issued an advisory about on
Feb 14, 2017
and has updated a couple of times. It is apparently the protocol misuse issue that attackers have been exploiting in the recent attacks,  not the RCE flaw.
However, Cisco has urged organizations to address both issues immediately, citing widespread and ongoing attacks against its switches in multiple countries. While we have only observed attacks leveraging the protocol misuse issue, recently, another vulnerability in the Cisco Smart Install Client was disclosed and patched, the company said in a
blog
. While mitigating the protocol misuse issue, customers should also address this vulnerability.
Dont Mess With Our Elections
Reuters
over the weekend reported that some 200,000 Cisco switches had been compromised in attacks in multiple countries. Among those impacted were data centers and ISPs in Iran and Russia where the attackers displayed a US flag on the screens of compromised systems with the message, Dont mess with our elections.
IRNA, Irans official news agency
said
the attacks impacted at least 3,500 routers in the country. The agency quoted cybersecurity officials within the country as saying that attackers had tampered with configuration settings on the devices to cause systems to become unavailable.
Cisco had first warned about the protocol misuse issue that the threat actors leveraged in the attacks last February. The company has described the issue as something that attackers can abuse to modify the TFTP server setting to steal and modify configuration files, replace the operating system image, and set up command.
Although this is not a vulnerability in the classic sense, the misuse of this protocol is an attack vector that should be mitigated immediately, Cisco had noted in an
April 5 blog
warning about the surge recent attacks targeting the issue.
According to the company, attackers have been using search engines like Shodan to scan for vulnerable devices throughout 2017 and the early part of this year. Though, Cisco has long ago provided instructions on how organizations can find vulnerable routers and mitigate the protocol misuse issue, some 168,000 devices worldwide remain exposed to the issue when Cisco conducted a recent scan. These devices need to be addressed immediately, the company has noted.
Cisco said that several threat actors, including nation-state groups like the
Dragonfly campaign
targeting western energy firms have been exploiting the protocol issue in widespread attacks in countries. Some of the attacks have targeted critical infrastructure organizations, Cisco has warned.
Update
In an emailed response to questions from Dark Reading, a Cisco spokesperson said the timing of multiple recent advisories on the Smart Install issue may have caused some confusion over what exactly is going on. She confirmed that the recent attacks indeed involve the Smart Install protocol issue and not the Smart Install Denial of Service or Remote Code Execution flaws described in CVE-2018-0171.   
At this time, the Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in these advisories.
Ciscos PSIRT
published a document
 after this Dark Reading report posted, clarifying all the potential issues involving Smart Install with advice on how organizations can determine if they are impacted and what steps need to be taken.
To ensure their network is protected against issues involving Smart Install, our recommendation for customers not actually using Smart Install is to disable the feature using the no vstack command once setup is complete, she says.
Customers who do use the feature – and leave it enabled – can use ACLs to block incoming traffic on TCP port 4786 (the proper security control). And additionally, patches for known security vulnerabilities should be applied as part of standard network security management.
So far, there is no evidence that the RCE flaw in Smart Install has been exploited. However, proof-of-concept code for exploiting is available. The vulnerability stems from improper validation of packet data. Attackers can exploit it by sending a specially crafted Smart Install message to a vulnerable device via TCP port 4786 causing the device to reload. Attackers could also exploit the flaw to execute arbitrary code or to cause a denial of service condition, Cisco said.
Prior to Ciscos new post, some security researchers said that the newly revealed flaw appears to be different from the one being exploited.
This attack took advantage of Cisco’s Smart Install protocol, says Bob Noel, director of strategic relationships and marketing for Plixer. Organizations were provided guidance that Cisco did not consider this a vulnerability, and therefore no changes would be done to the protocol.
Organizations were instructed to simply turn off the protocol, and those that remain exposed are those who have not done so, he says.
The damage an attacker could do with this would depend on their access privileges. By changing the startup configuration, an attacker could force a reboot of a switch and stop all traffic forwarding. In a case where an attacker gained full administrative rights to a router/switch, they would be able to change the configuration of the device, add or remove security policies, or make any other changes, Noel says.
Ashley Stephenson, CEO of Corero Network Security, says available evidence suggests attackers would not have needed to exploit the RCE flaw in the recent attacks. While there is no proof, this was likely accomplished by just misusing the protocol, he says.
The attacks show why it is important for organizations to understand the profile of systems exposed to the Internet. If it is exposed, someone will attempt to compromise it. There is no excuse for exposing unnecessary ports or services, like TCP 4786 for Cisco Smart Install Client, Stephenson says.
Related Content:
Slingshot Cyber Espionage Campaign Hacks Network Routers
Russian APT Compromised Cisco Router in Energy Sector Attacks
8 Nation-State Hacking Groups to Watch in 2018
Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda 
here
. Register with Promo Code DR200 and save $200.

Last News

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security

▸ Criminal Possession of Government-Grade Stealth Malware ◂
Discovered: 23/12/2024
Category: security

▸ Senate wants changes to cybercrime law. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Attackers Exploit Cisco Switch Issue as Vendor Warns of Yet Another Critical Flaw