Cisco has plugged a critical security hole in over 300 of its switches, and is urging users to apply the patches as soon as possible because an exploit for it has been available for a month now.
The vulnerability (CVE-2017-3881)
“A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges,” Cisco explained.
“An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections.”
The vulnerability exists partly because of a failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members, and partly because malformed CMP-specific Telnet options are incorrectly processed. These problems have now apparently been rectified.
Another option for those who, for whatever reason, don’t want to apply the offered patches is to disable the Telnet protocol for incoming connections. Cisco has been recommending the switch to SSH for a while now, and has published a document with instructions on how to do it. But this move only eliminates the exploit vector, not the vulnerability itself.
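As an added example (not part of the original article or of Cisco's documentation), the script below audits a saved IOS/IOS XE running-config for vty lines that still accept inbound Telnet, which is the exposure the workaround above removes. The sample configuration is constructed for illustration; the note about platform defaults for a missing `transport input` statement is an assumption to verify on the device with `show line`.

```python
"""Audit a Cisco IOS/IOS XE running-config for vty lines that accept Telnet."""
import re
from typing import Dict, List

# Constructed sample running-config (not from a real device): the first vty
# block still allows Telnet, the second is SSH-only, the third sets no transport.
SAMPLE_CONFIG = """\
hostname sw-lab-01
ip ssh version 2
!
line vty 0 4
 login local
 transport input telnet ssh
!
line vty 5 9
 login local
 transport input ssh
!
line vty 10 15
 login local
!
end
"""

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")


def vty_transports(config: str) -> Dict[str, List[str]]:
    """Map each 'line vty A B' block to the protocols listed in its
    'transport input' statement; a block without one maps to []."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        m = VTY_RE.match(raw)
        if m:
            current = f"vty {m.group(1)}" + (f"-{m.group(2)}" if m.group(2) else "")
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            parts = raw.split()
            if parts[:2] == ["transport", "input"]:
                blocks[current] = parts[2:]
        else:
            current = None  # '!' or a top-level command ends the vty block
    return blocks


def telnet_exposed(config: str) -> List[str]:
    """Return vty ranges where inbound Telnet is possible: 'telnet' or 'all'
    is listed, or nothing is listed (assumption: the platform default may
    still be 'all' on older releases, so confirm with 'show line')."""
    return [rng for rng, protos in vty_transports(config).items()
            if not protos or "all" in protos or "telnet" in protos]


if __name__ == "__main__":
    for rng in telnet_exposed(SAMPLE_CONFIG):
        print(f"{rng}: inbound Telnet possible; set 'transport input ssh'")
```

Feed it the output of `show running-config` to list every vty range to fix; an empty result means all vty lines are restricted to SSH (or to no transport at all).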
The list of vulnerable devices is too long to reprint (and you can find it in the advisory), but the overwhelming majority of them are Cisco Catalyst, Embedded Service, and Industrial Ethernet switches.
In April, security researcher Artem Kondratenko published a limited-efficacy PoC exploit for the vulnerability, but Cisco says they are not “aware of any malicious use of the vulnerability.”
The criticality of the vulnerability is reflected in its CVSS Score: 9.8 (out of 10). So if you own one of these Cisco switches, get patching.