Critical vulnerability opens Cisco switches to remote attack

Get a copy of the upcoming book "Secure Operations Technology"

A critical vulnerability affecting many of Cisco’s networking devices could be exploited by unauthenticated, remote attackers to take over vulnerable devices or trigger a reload and crash.

CVE-2018-0171

The company says that the vulnerability is not actively exploited in the wild, but as information about it and Proof-of-Concept code has now been published network administrators would do well to install the released security updates as soon a possible.

About the vulnerability (CVE-2018-0171)

The flaw was discovered by Embedi researchers nearly a year ago. It is a stack-based buffer overflow vulnerability present in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software.

“Smart Install is a ‘plug-and-play’ configuration and image-management feature that provides zero-touch deployment for new (typically access layer) switches,” Cisco explains.

“The feature allows a customer to ship a Cisco switch to any location, install it in the network, and power it on without additional configuration requirements. The Smart Install feature incorporates no authentication by design.”

The vulnerability can be exploited by by sending a crafted Smart Install message to an affected device on TCP port 4786.

Vulnerable devices

Embedi researchers confirmed that the flaw is found in Catalyst 4500 Supervisor Engines, Cisco Catalyst 3850 Series Switches, and Cisco Catalyst 2960 Series Switches, but that a slew of other devices are potentially vulnerable.

Cisco says that it affects devices that are running a vulnerable release of Cisco IOS or IOS XE Software and have the Smart Install client feature enabled.

“A Smart Install network consists of exactly one Smart Install director switch or router, also known as an integrated branch director (IBD), and one or more Smart Install client switches, also known as integrated branch clients (IBCs). A client switch does not need to be directly connected to the director; the client switch can be up to seven hops away,” Cisco noted. “Only Smart Install client switches are affected by the vulnerability.”

Cisco IOS XR Software or Cisco NX-OS Software is not affected.

Both Cisco and Embedi have provided instructions on how to check whether a device is vulnerable (i.e., how to check the software release, whether the Smart Install Client feature is enabled, and whether the aforementioned port is open).

How many vulnerable devices are out there?

“After the vulnerability was discovered, we decided that it could only be used for attacks inside an enterprise network. Because in a securely configured network, Smart Install technology participants should not be accessible through the Internet,” Embedi researchers noted.

“But scanning the Internet has shown that this is not true. During a short scan of the Internet, we detected 250,000 vulnerable devices and 8,5 million devices that have a vulnerable port open. Probably, this happens because on Smart Install clients the port TCP(4786) is opened by default and network administrators do not notice this somehow.”

As there are no workarounds for mitigating the flaw and PoC exploit code has been made available, administrators are advised to implement the offered updates.

UPDATE (APRIL 5, 2018):

And if you need more reasons for removing the Cisco Smart Install Client from all devices where it is not used, Cisco has shared more details about active attacks that leverage this protocol misuse issue (as they call it) in the Client and offered mitigation advice.