
SANS ISC: Cisco Smart Install vulnerability exploited in the wild



As mentioned in today’s SANS ISC podcast, Cisco Smart Install may be being used in recent attacks on Iranian and Russian networks. Earlier this week, we saw a small spike in attacks on port 4786, but the size of the attack reported by Kaspersky suggests that this isn't just random scanning. Services like Shodan may have been used to identify vulnerable systems.

Cisco IOS and IOS XE Software both have a feature called “Smart Install”, described in Cisco’s Smart Install Configuration Guide as:

“Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. You can ship a switch to a location, place it in the network and power it on with no configuration required on the device.”

The vulnerability allows not only denial-of-service (DoS) attacks but also remote arbitrary code execution in vulnerable Cisco devices. Specially crafted malicious messages can cause a stack-based buffer overflow because of a missing size check before copying to a buffer. A proof-of-concept is already publicly available.

Administrators of vulnerable devices should apply the patches Cisco has already released.

A vulnerability in the Smart Install feature of Cisco IOS is nothing new. If we look at the CVE history, we can find several vulnerabilities relating to this feature:

As you can see from the CVE numbers, vulnerabilities have been reported since 2011 up to this year (2018), so it is reasonable to expect more to be discovered in the near future. It is therefore a good idea to follow Cisco’s recommendation: port 4786 should be exposed to the “integrated branch director” (IBD) router only.
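Two things follow from the diary above that a defender can check mechanically: whether inbound TCP/4786 activity at the perimeter is spiking the way the diary describes, and whether any device has accepted a Smart Install connection from something other than the IBD. The script below is an added example, not part of the original diary or of any Cisco tooling; the firewall log format, the IBD address 192.0.2.10 and the log lines themselves are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed syslog-style firewall lines (sample data, not real traffic).
# Format assumed here: "<ISO timestamp> <host> <allow|deny> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2018-04-02T09:05:11Z fw1 allow TCP 192.0.2.10:40012 -> 10.0.0.5:4786
2018-04-02T10:12:44Z fw1 deny TCP 198.51.100.7:51234 -> 10.0.0.5:4786
2018-04-02T11:30:02Z fw1 allow TCP 203.0.113.9:44321 -> 10.0.0.6:4786
2018-04-04T08:01:15Z fw1 deny TCP 203.0.113.55:60001 -> 10.0.0.5:4786
2018-04-04T08:01:16Z fw1 deny TCP 203.0.113.55:60002 -> 10.0.0.6:4786
2018-04-04T08:01:17Z fw1 deny TCP 203.0.113.55:60003 -> 10.0.0.7:4786
2018-04-04T08:02:40Z fw1 deny TCP 198.51.100.8:33333 -> 10.0.0.5:4786
2018-04-04T08:03:01Z fw1 deny TCP 198.51.100.9:33334 -> 10.0.0.5:4786
2018-04-04T08:03:05Z fw1 deny TCP 198.51.100.9:33335 -> 10.0.0.8:4786
2018-04-04T08:04:20Z fw1 deny TCP 203.0.113.56:22222 -> 10.0.0.5:4786
2018-04-04T08:05:00Z fw1 allow TCP 192.0.2.10:40013 -> 10.0.0.5:4786
2018-04-04T08:10:00Z fw1 deny TCP 198.51.100.7:51300 -> 10.0.0.5:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>allow|deny) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SMART_INSTALL_PORT = 4786
# Hypothetical address of the integrated branch director (IBD); the only host
# that should be talking to TCP/4786 per Cisco's recommendation.
IBD_ADDRESSES = {"192.0.2.10"}


def parse_line(line):
    """Parse one firewall line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def smart_install_events(log_text, allowed=IBD_ADDRESSES):
    """Return TCP/4786 connection attempts whose source is not an allowed IBD address."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["proto"] == "TCP" and rec["dport"] == SMART_INSTALL_PORT
                and rec["src"] not in allowed):
            events.append(rec)
    return events


def hourly_counts(events):
    """Bucket non-IBD Smart Install attempts by hour (UTC)."""
    return Counter(e["ts"].strftime("%Y-%m-%dT%H:00Z") for e in events)


def flag_spikes(counts, min_hits=3, factor=3.0):
    """Flag hours with at least `min_hits` attempts and at least `factor` times
    the median of every other hour; hours with zero activity are not in `counts`,
    so the baseline is taken over observed hours only."""
    hours = sorted(counts)
    flagged = []
    for h in hours:
        others = [counts[o] for o in hours if o != h]
        baseline = median(others) if others else 0
        if counts[h] >= min_hits and counts[h] >= factor * max(baseline, 1):
            flagged.append(h)
    return flagged


def exposed_devices(events):
    """Devices that ACCEPTED a Smart Install connection from a non-IBD source,
    i.e. devices violating the 'port 4786 to the IBD only' recommendation."""
    return {e["dst"] for e in events if e["action"] == "allow"}


def report(log_text):
    events = smart_install_events(log_text)
    counts = hourly_counts(events)
    return {
        "non_ibd_attempts": len(events),
        "spike_hours": flag_spikes(counts),
        "exposed_devices": sorted(exposed_devices(events)),
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The `allow` check is the more important of the two signals: a spike of denied SYNs is the background scanning the diary describes, but a single accepted non-IBD connection means a switch is reachable on 4786 and needs the patch or an ACL in front of it.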

--
Renato Marinho
Morphus Labs| LinkedIn | Twitter

I can't understand why these switches are exposed to the internet. Not surprised but still saddened.
Anonymous
So someone at Cisco FINALLY got so tired of having to issue patches for their products with hard-coded administrative credentials that management decided to eliminate the problem, the credentials. Nice.
Anonymous