Cisco Smart Install vulnerability exploited in the wild
Last Updated: 2018-04-09 21:01:24 UTC
by Renato Marinho (Version: 1)
As mentioned in today’s SANS ISC podcast, Cisco Smart Install may have been used in recent attacks on Iranian and Russian networks. Earlier this week, we saw a small spike in port 4786 attacks. But the size of the attack as reported by Kaspersky may indicate that this isn't just random scanning. Services like Shodan may have been used to identify vulnerable systems.
Cisco IOS and IOS XE Software both have a feature called “Smart Install”, described in Cisco’s Smart Install Configuration Guide as:
“Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. You can ship a switch to a location, place it in the network and power it on with no configuration required on the device.”
The vulnerability allows not only denial-of-service (DoS) attacks but also remote arbitrary code execution in vulnerable Cisco devices. Specially crafted malicious messages can cause a stack-based buffer overflow because of a missing size check before copying to a buffer. A proof-of-concept is already publicly available.
Administrators of vulnerable devices should apply the patches Cisco has already released.
A vulnerability in the Smart Install feature of Cisco IOS is nothing new. Looking at the CVE history, we can find several vulnerabilities relating to this feature:
- CVE-2018-0171: DoS (device crash) & arbitrary code execution;
- CVE-2018-0156: DoS;
- CVE-2016-6385: DoS (memory consumption);
- CVE-2016-1349: DoS (device reload);
- CVE-2013-1146: DoS (device reload);
- CVE-2012-0385: DoS (device reload);
- CVE-2011-3271: DoS & arbitrary code execution.
As the CVE numbers show, there have been vulnerability reports from 2011 through this year (2018). We can perhaps conjecture that more vulnerabilities will be discovered in the near future. So it is a good idea to follow Cisco’s recommendation: port 4786 should be exposed to the “integrated branch director” (IBD) router only.
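As an added example (not from this diary or from Cisco), the following Python check reads flow records and flags TCP/4786 connections to Smart Install clients from any source other than the approved IBD addresses; the director address, the record format and the sample flows are all constructed assumptions:

```python
import ipaddress

SMART_INSTALL_PORT = 4786  # TCP port used by the Smart Install protocol

# Assumed (constructed) set of approved IBD router addresses for this network.
IBD_DIRECTORS = {"10.0.0.1"}

# Constructed flow records in a simplified "src_ip,dst_ip,dst_port,proto" form.
SAMPLE_FLOWS = """\
10.0.0.1,10.0.1.20,4786,tcp
198.51.100.7,10.0.1.20,4786,tcp
203.0.113.9,10.0.1.21,4786,tcp
198.51.100.7,10.0.1.21,4786,tcp
10.0.5.5,10.0.1.20,22,tcp
not,a,flow
"""


def parse_flow(line):
    """Parse one record into (src, dst, dport, proto); return None if malformed."""
    parts = line.strip().split(",")
    if len(parts) != 4:
        return None
    src, dst, dport, proto = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        dport = int(dport)
    except ValueError:
        return None
    return src, dst, dport, proto.lower()


def find_unexpected_smart_install(flows_text, directors=IBD_DIRECTORS):
    """Map each non-IBD source to the sorted list of clients it reached on TCP/4786."""
    hits = {}
    for line in flows_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue  # skip malformed records rather than abort the sweep
        src, dst, dport, proto = rec
        if proto != "tcp" or dport != SMART_INSTALL_PORT or src in directors:
            continue
        hits.setdefault(src, set()).add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


def rank_sources(hits):
    """Order sources by number of distinct clients touched, sweeping sources first."""
    return sorted(hits, key=lambda s: (-len(hits[s]), s))


if __name__ == "__main__":
    hits = find_unexpected_smart_install(SAMPLE_FLOWS)
    for src in rank_sources(hits):
        print(f"{src} reached Smart Install on {len(hits[src])} client(s): {hits[src]}")
```

Any source that appears in the output is reaching port 4786 without being the IBD, which is exactly the exposure the recommendation above says to remove with an access list on the path to the switches.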
Morphus Labs | LinkedIn | Twitter