Vulnerability in Cisco IOS left users without Internet

Vulnerability in Cisco IOS left users without Internet


Currently, a powerful botnet attack. All Internet addresses are scanned for the presence of fresh vulnerabilities in the software of the Cisco IOS that allows you to remotely execute commands on Cisco devices. The bot walks to the device and remove the configuration, recording instead its files.

The vulnerability has received the identifier CVE-2018-0171 and scored 9.8 points on a scale of CVSS. If you have just turned off the Internet or off in the near future, then with high probability, this is due to the above vulnerability. The Network performance issues are observed now. Including the team

The team Cisco published a report according to which hundreds of thousands of devices on the Network vulnerable with Smart Install. The company has warned critical infrastructure about the risks of using vulnerable devices.

Technology Smart Install allows you to automate the process of initial configuration and download the current operating system image for a new network switch.

About the problem of burst scans in an attempt to detect vulnerable devices that are activated Smart Install, Cisco reported in February last year. At that time it was said that hacker groups can use Smart Install to receive copies of the configurations of affected devices customers. In addition, it was reported that the attackers used the tool open source for scanning in search of vulnerable systems. This tool is called Smart Install Exploitation Tool (SIET).

Now, Cisco issued a new statement:

“Cisco is aware of a significant increase in the number of attempts to scan for vulnerable devices with an activated Smart Install. As a result of successful attack an attacker can modify the configuration file, force restart your device to upload new image IOS, to run CLI commands with the highest rights”.

According to experts, some of these attacks were carried out by a group known as Dragonfly, Crouching Yeti and Energetic Bear. In this regard, administrators are advised to install the update or disable in device settings SMI technology designed to automate the initial setup and download the firmware for the new switches.

The problem is that many owners do not adjust or turn off the SMI Protocol and the client continues to wait for commands “setupconfiguration” in the background. Using the vulnerability, an attacker can modify the settings of the TFTP server and retrieve the configuration files via TFTP, change the General configuration file of the switch, replace the OS image IOS, to create a local account and to provide an opportunity for the attacker to log into the device and execute any command.

To exploit the vulnerability the attacker needs to contact TCP port 4786 is open by default. It is reported that the problem can be used as a DoS attack, leading the vulnerable devices into an endless loop of reboots.

According to Cisco Talos, currently available 168 thousand switches that support SMI. However, according to analytical group Embedi in total, the Internet discovered more than 8.5 million units with an open port 4786, and the patch that fixes the critical vulnerability is not established approximately 250 000 of them.

Analysts Embedi conducted penetration testing on devices Catalyst 4500 Supervisor Engine and switch series Cisco Catalyst 3850 and Cisco Catalyst 2960, but probably we are talking about the vulnerability of all devices running on Smart Install, namely:

  • Catalyst 4500 Supervisor Engines;
  • Catalyst 3850 Series;
  • Catalyst 3750 Series;
  • Catalyst 3650 Series;
  • Catalyst 3560 Series;
  • Catalyst 2960 Series;
  • Catalyst 2975 Series;
  • IE 2000;
  • IE 3000;
  • IE 3010;
  • IE 4000;
  • IE 4010;
  • IE 5000;
  • SM-ES2 SKUs;
  • SM-ES3 SKUs;
  • NME-16ES-1G-P;
  • SM-X-ES3 SKUs.

Team Cisco has published a series of instructions to administrators to disable the Protocol on vulnerable devices, and also released a tool for scanning local networks or the Internet to search for vulnerable devices.