Attackers are taking aim at critical infrastructure in multiple countries by exploiting a software flaw in some Cisco switches that has been a point of concern for more than a year.
According to a blog post issued April 5 by Cisco’s Talos security unit, the cyber-attacks are exploiting what Cisco officials are calling a “protocol misuse” situation in Cisco’s Smart Install Client, which is designed to enable the no-touch installation and deployment of new Cisco hardware, in particular Cisco switches. The Talos unit is blaming nation-states for the bulk of these attacks, saying they are similar to those detailed in a release last month by U.S. Cert that alleged hackers associated with the Russian government were targeting U.S. government agencies and organizations in such critical areas as nuclear, water, aviation, energy, commercial facilities and manufacturing.
Cisco in February 2017 issued an alert after discovering a rise in the number of internet scans for systems where the Smart Install Client was not turned off or configured with the property security controls. Without the right security controls, hackers can send new commands to the switches running Cisco’s IOS or IOS XE network operating system.
According to the blog post by Nick Biasini, a threat researcher at Cisco Talos, the Smart Install protocol can be misused to “modify the TFTP server setting exfiltrate configuration files via TFTP, modify the configuration file, replaces the IOS image, and set up accounts, allowing for the execution of IOS commands.” Biasini added that “although this is not a vulnerability in the classic sense, the misuse of this protocol is an attack vector that should be mitigated immediately.”
Cisco used the Shodan tool to find that more than 168,000 systems worldwide are potentially exposed to threats through the Smart Install Client, a number that is smaller than the 251,000 cyber-security firm Tenable found were exposed in 2016. Still, it’s a lot of systems, and scanning by potential bad actors for the Smart Install technology has been ongoing since Cisco’s initial disclosure 14 months ago. That said, there was a spike in scanning starting in November 2017, which has peaked in April, according to numbers compiled by Talos.
“It is noteworthy that we are seeing an increase in scanning for the Cisco Smart Install Client,” Biasini wrote.
The Talos blog post comes a week after Cisco released a patch for a stack-based buffer overflow vulnerability found by security company Embedi that created a critical remote code execution flaw and could allow attackers to gain full control over a vulnerable switch. According to Embedi’s report issued March 29, a “short scan of the Internet … detected 250,000 vulnerable devices and 8.5 million devices that have a vulnerable port open. Probably, this happens because on Smart Install clients the port TCP (4786) is opened by default and network administrators do not notice this somehow.”
The spike in scanning noted by Talos regarding the Smart Install Client is aimed at the TCP 4786 port.
According to Cisco, organizations can determine if a device is impacted by the Smart Install issues by running the command “show vstack config,” which will show if the Smart Install Client is active. Also, “additional indicators could be present if the logging levels are set to 6 (informational) or higher,” Biasini wrote. “These logs could include, but are not limited to, write operations via TFTP, execution of commands and device reloads.”
The easiest way to mitigate the issue is to run the command “no vstack” on the affected device. If this isn’t possible, the best option is to restrict access through an access control list for the interface.
In his post, Biasini urged network administrators “to be especially vigilant. It can be easy to ‘set and forget’ these devices, as they are typically highly stable and rarely changed. Combine this with the advantages that an attacker has when controlling a network device, and routers and switches become tempting targets. … Customers [should] review their architecture, use the tools provided by Talos to scan their network, and remove Cisco Smart Install Client from all devices where it is not used.”