Attacks on Cisco switches a reminder to pay attention to year-old fix

There may be mischief-making in the attacks last week against Russian and Iranian organizations with Cisco System switches. According to news reports, a new threat group calling itself JHT left messages in ASCII code saying “Don’t mess with our elections.”

A message from the U.S. government? Or from zealous activists? Who knows? Apparently no data was stolen or destroyed.

The message to infosec pros, though, should be to limit an opportunity in Cisco’s Smart Install Client they should have been fixed a long time ago, as well as plug a more recently-disclosed remote code execution vulnerability (CVE-2018-0171) in Smart Install Client that could allow attackers to take full control of the network equipment.

Cisco seems to think that hackers are exploiting the older protocol misuse, rather than the new vulnerability.


Last Thursday Cisco’s Talos threat intelligence team put out a blog saying it was aware of “specific advanced actors targeting Cisco switches by leveraging a protocol misuse issue in the Cisco Smart Install Client.” It had warned about this in an alert just over a year ago. While the number of potentially vulnerable Cisco devices has come down since then, Cisco said that a recent Internet showed 168,000 systems still have Smart Install Client still potentially exposed. According to The Hacker News, that includes over 4,000 in Canada.

Then on Friday Kaspersky Lab blogged that “there’s a massive attack against Cisco switches going on right now …. It seems that the attack is mostly targeting the Russian-speaking segment of the Internet, yet other segments are clearly more or less affected as well.”

And this, Kaspersky says, is what admins will see:

Over the weekend and today there have been a number of news reports citing a tweet from Iran’s  Communication and Information Technology Minister that the campaign impacted approximately 3,500 network switches in his country. At the time of the tweet he said a majority of the devices had been restored.

So what’s going on? First, some background. Cisco Smart Install Client is a plug-and-play utility that helps administrators configure and deploy Cisco equipment. According to The Hacker News, it is enabled by default on Cisco IOS and IOS XE switches and runs over TCP port 4786.

Cisco issued a warning about what it calls “misuse” of the Smart Install protocol — and not a vulnerability — just over a year ago. The protocol can be abused to modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands. In its April 6 blog update Cisco said it has seen a sharp increase in scanning for Cisco Smart Install Clients since Nov. 9, 2017.

System administrators who use Smart Install purely for zero-touch deployment should disable the feature with the configuration command no vstack once the switch has been deployed. Customers using Smart Install for more than zero-touch deployment and where the no vstack command is not available should ensure that only the integrated branch client (IBD) has TCP connectivity to all IBCs on port 4786.

Customers who don’t use Smart Install and are running a release of Cisco IOS or Cisco IOS XE Software where the command is available should disable the Smart Install feature with the configuration command no vstack.

In short, that problem should have been dealt with a while ago.

Meanwhile, there’s the critical vulnerability discussed last week by researchers at Embedi  of  a bug in Smart Install Client that could allow aremote attacker to take full control over network equipment and intercept traffic. Embedi disclosed the problem to Cisco, which issued a fix on March 28.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now