Security News > 2018 > April > Unprotected Switches Expose Critical Infrastructure to Attacks: Cisco
Cisco has advised organizations to ensure that their switches cannot be hacked via the Smart Install protocol. The networking giant has identified hundreds of thousands of exposed devices and warned that critical infrastructure could be at risk. The Cisco Smart Install Client is a legacy utility that allows no-touch installation of new Cisco switches. Roughly one year ago, the company warned customers about misuse of the Smart Install protocol following a spike in Internet scans attempting to detect unprotected devices that had this feature enabled. It also made available an open source tool for identifying devices that use the protocol. Attackers can abuse the Smart Install protocol to modify the configuration file on switches running IOS and IOS XE software, force the device to reload, load a new IOS image, and execute high-privilege commands. These attacks rely on the fact that many organizations fail to securely configure their switches, rather than an actual vulnerability. According to Cisco, sophisticated nation-state groups have also abused Smart Install in their campaigns, including the Russia-linked threat actor tracked as Dragonfly, Crouching Yeti and Energetic Bear, which has been known to target critical infrastructure. Cisco has decided to once again warn organizations of the risks associated with Smart Install following the disclosure of a critical vulnerability discovered recently by researchers at Embedi. The flaw, tracked as CVE-2018-0171, allows a remote and unauthenticated attacker to cause a denial-of-service (DoS) condition or execute arbitrary code by sending specially crafted Smart Install messages to an affected device on TCP port 4786. Researchers said they had identified roughly 250,000 vulnerable Cisco devices with TCP port 4786 open. Cisco’s own Internet scans revealed 168,000 systems potentially exposed due to their use of the Cisco Smart Install Client. The company says the number of impacted devices has decreased considerably since 2016, when security firm Tenable identified more than 250,000 exposed systems. Throughout the end of 2017 and early 2018, Cisco’s Talos group noticed attackers increasingly looking for misconfigured clients. Now that CVE-2018-0171 has been found, the risk of attacks has increased even more, especially since Embedi has released technical details and proof-of-concept (PoC) code. There is no evidence that CVE-2018-0171 has been exploited in malicious attacks. Cisco also noted that much of the activity it has seen is likely not malicious, but the company says the sharp increase in scanning is noteworthy. The vendor has provided recommendations for preventing potential attacks and advised customers to remove the Smart Install Client from devices where it’s not needed. Smart Install is enabled by default on switches that have not received a recent update that automatically disables the feature when it’s not in use. While it’s unclear if Smart Install was involved, Cylance reported recently that the Dragonfly cyberespionage group had hijacked a core Cisco router at a major state-owned energy conglomerate in Vietnam and abused it to obtain credentials that were later leveraged in attacks targeting energy companies in the United Kingdom. Related: US Accuses Russian Government of Hacking Infrastructure Related: DHS, FBI Warn of Ongoing APT Attack Against Critical Infrastructure (function() { var po = document.createElement("script"); po.type = "text/javascript"; po.async = true; po.src = "https://apis.google.com/js/plusone.js"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(po, s); })(); Tweet Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.Previous Columns by Eduard Kovacs:Unprotected Switches Expose Critical Infrastructure to Attacks: CiscoIntel Discontinues Keyboard App Affected by Critical FlawsDelta, Sears Hit by Card Breach at Online Services FirmAWS Launches New Tools for Firewalls, Certificates, CredentialsCritical Vulnerability Patched in Microsoft Malware Protection Engine sponsored links Tags: Cyberwarfare NEWS & INDUSTRY Virus & Threats Risk Management Vulnerabilities
News URL
Related news
- Critical Flaws in Tank Gauge Systems Expose Gas Stations to Remote Attacks (source)
- Researchers Warn of Ongoing Attacks Exploiting Critical Zimbra Postjournal Flaw (source)
- CISA: Network switch RCE flaw impacts critical infrastructure (source)
- Critical Ivanti RCE flaw with public exploit now used in attacks (source)
- Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure (source)
- CISA says critical Fortinet RCE flaw now exploited in attacks (source)
- CISA Warns of Critical Fortinet Flaw as Palo Alto and Cisco Issue Urgent Security Patches (source)
- Iranian hackers act as brokers selling critical infrastructure access (source)
- U.S. and Allies Warn of Iranian Cyberattacks on Critical Infrastructure in Year-Long Campaign (source)
- Fortinet warns of new critical FortiManager flaw used in zero-day attacks (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2018-03-28 | CVE-2018-0171 | Out-of-bounds Write vulnerability in Cisco IOS 15.2(5)E A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device. | 9.8 |