
    Hackers Use Flaw in Cisco Switches to Attack Critical Infrastructure

    By Jeffrey Burt - April 6, 2018

      Attackers are taking aim at critical infrastructure in multiple countries by exploiting a software flaw in some Cisco switches that has been a point of concern for more than a year.

      According to a blog post issued April 5 by Cisco’s Talos security unit, the cyber-attacks are exploiting what Cisco officials are calling a “protocol misuse” situation in Cisco’s Smart Install Client, which is designed to enable the no-touch installation and deployment of new Cisco hardware, in particular Cisco switches. The Talos unit is blaming nation-states for the bulk of these attacks, saying they are similar to those detailed in a release last month by US-CERT that alleged hackers associated with the Russian government were targeting U.S. government agencies and organizations in such critical areas as nuclear, water, aviation, energy, commercial facilities and manufacturing.

      Cisco in February 2017 issued an alert after discovering a rise in the number of internet scans for systems where the Smart Install Client was not turned off or configured with the proper security controls. Without the right security controls, hackers can send new commands to the switches running Cisco’s IOS or IOS XE network operating system.

      According to the blog post by Nick Biasini, a threat researcher at Cisco Talos, the Smart Install protocol can be misused to “modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands.” Biasini added that “although this is not a vulnerability in the classic sense, the misuse of this protocol is an attack vector that should be mitigated immediately.”

      Cisco used the Shodan tool to find that more than 168,000 systems worldwide are potentially exposed to threats through the Smart Install Client, a number that is smaller than the 251,000 cyber-security firm Tenable found were exposed in 2016. Still, it’s a lot of systems, and scanning by potential bad actors for the Smart Install technology has been ongoing since Cisco’s initial disclosure 14 months ago. That said, there was a spike in scanning starting in November 2017, which has peaked in April, according to numbers compiled by Talos.

      “It is noteworthy that we are seeing an increase in scanning for the Cisco Smart Install Client,” Biasini wrote.

      The Talos blog post comes a week after Cisco released a patch for a stack-based buffer overflow vulnerability found by security company Embedi that created a critical remote code execution flaw and could allow attackers to gain full control over a vulnerable switch. According to Embedi’s report issued March 29, a “short scan of the Internet … detected 250,000 vulnerable devices and 8.5 million devices that have a vulnerable port open. Probably, this happens because on Smart Install clients the port TCP (4786) is opened by default and network administrators do not notice this somehow.”

      The spike in scanning noted by Talos regarding the Smart Install Client is aimed at the TCP 4786 port.

      According to Cisco, organizations can determine if a device is impacted by the Smart Install issues by running the command “show vstack config,” which will show if the Smart Install Client is active. Also, “additional indicators could be present if the logging levels are set to 6 (informational) or higher,” Biasini wrote. “These logs could include, but are not limited to, write operations via TFTP, execution of commands and device reloads.”

      The easiest way to mitigate the issue is to run the command “no vstack” on the affected device. If this isn’t possible, the best option is to restrict access through an access control list for the interface.
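
An added example (not from the article, Cisco or Talos): a small Python audit that classifies saved “show vstack config” captures from an inventory, so switches with the Smart Install Client active can be queued for “no vstack” or an interface ACL. The hostnames and the exact output layouts are assumptions; output the script does not recognise is reported as unknown rather than safe.

```python
import re

# Constructed sample captures of `show vstack config`, keyed by hypothetical
# hostnames. The output layouts are assumptions about how different
# IOS / IOS XE releases print the Smart Install client state.
SAMPLE_CAPTURES = {
    "sw-access-01": " Role: Client (SmartInstall enabled)\n"
                    " Vstack Director IP address: 0.0.0.0\n",
    "sw-access-02": " Capability: Client\n Oper Mode: Enabled\n Role: Client\n",
    "sw-access-03": " Role: Client (SmartInstall disabled)\n",
    "sw-core-01": "% Invalid input detected at '^' marker.\n",
}

FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$")


def parse_fields(output):
    """Turn 'Key: value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in output.splitlines():
        match = FIELD.match(line)
        if match:
            fields[match.group(1).lower()] = match.group(2)
    return fields


def smart_install_state(output):
    """Return 'enabled', 'disabled' or 'unknown' for one capture."""
    fields = parse_fields(output)
    role = fields.get("role", "").lower()
    oper = fields.get("oper mode", "").lower()
    if "smartinstall enabled" in role or oper == "enabled":
        return "enabled"
    if "smartinstall disabled" in role or oper == "disabled":
        return "disabled"
    # Unrecognised output is never reported as safe; a person has to look.
    return "unknown"


def audit(captures):
    """Group hostnames by state so 'enabled' devices are remediated first."""
    report = {"enabled": [], "disabled": [], "unknown": []}
    for host in sorted(captures):
        report[smart_install_state(captures[host])].append(host)
    return report


if __name__ == "__main__":
    for state, hosts in audit(SAMPLE_CAPTURES).items():
        print(f"{state:9s} {', '.join(hosts) or '-'}")
```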

      In his post, Biasini urged network administrators “to be especially vigilant. It can be easy to ‘set and forget’ these devices, as they are typically highly stable and rarely changed. Combine this with the advantages that an attacker has when controlling a network device, and routers and switches become tempting targets. … Customers [should] review their architecture, use the tools provided by Talos to scan their network, and remove Cisco Smart Install Client from all devices where it is not used.”
