There may be mischief-making in the attacks last week against Russian and Iranian organizations with Cisco System switches. According to news reports, a new threat group calling itself JHT left messages in ASCII code saying “Don’t mess with our elections.”
A message from the U.S. government? Or from zealous activists? Who knows? Apparently no data was stolen or destroyed.
The message to infosec pros, though, should be to limit an opportunity in Cisco’s Smart Install Client they should have been fixed a long time ago, as well as plug a more recently-disclosed remote code execution vulnerability (CVE-2018-0171) in Smart Install Client that could allow attackers to take full control of the network equipment.
Cisco seems to think that hackers are exploiting the older protocol misuse, rather than the new vulnerability.
Last Thursday Cisco’s Talos threat intelligence team put out a blog saying it was aware of “specific advanced actors targeting Cisco switches by leveraging a protocol misuse issue in the Cisco Smart Install Client.” It had warned about this in an alert just over a year ago. While the number of potentially vulnerable Cisco devices has come down since then, Cisco said that a recent Internet showed 168,000 systems still have Smart Install Client still potentially exposed. According to The Hacker News, that includes over 4,000 in Canada.
Then on Friday Kaspersky Lab blogged that “there’s a massive attack against Cisco switches going on right now …. It seems that the attack is mostly targeting the Russian-speaking segment of the Internet, yet other segments are clearly more or less affected as well.”
And this, Kaspersky says, is what admins will see:
Over the weekend and today there have been a number of news reports citing a tweet from Iran’s Communication and Information Technology Minister that the campaign impacted approximately 3,500 network switches in his country. At the time of the tweet he said a majority of the devices had been restored.
So what’s going on? First, some background. Cisco Smart Install Client is a plug-and-play utility that helps administrators configure and deploy Cisco equipment. According to The Hacker News, it is enabled by default on Cisco IOS and IOS XE switches and runs over TCP port 4786.
Cisco issued a warning about what it calls “misuse” of the Smart Install protocol — and not a vulnerability — just over a year ago. The protocol can be abused to modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands. In its April 6 blog update Cisco said it has seen a sharp increase in scanning for Cisco Smart Install Clients since Nov. 9, 2017.
System administrators who use Smart Install purely for zero-touch deployment should disable the feature with the configuration command no vstack once the switch has been deployed. Customers using Smart Install for more than zero-touch deployment and where the no vstack command is not available should ensure that only the integrated branch client (IBD) has TCP connectivity to all IBCs on port 4786.
Customers who don’t use Smart Install and are running a release of Cisco IOS or Cisco IOS XE Software where the command is available should disable the Smart Install feature with the configuration command no vstack.
In short, that problem should have been dealt with a while ago.
Meanwhile, there’s the critical vulnerability discussed last week by researchers at Embedi of a bug in Smart Install Client that could allow aremote attacker to take full control over network equipment and intercept traffic. Embedi disclosed the problem to Cisco, which issued a fix on March 28.