Disable Telnet on switches, Cisco warns administrators

Wikileaks’ disclosure of a CIA database of product vulnerabilities has led Cisco Systems to acknowledge a Telnet vulnerability in its IOS / IOS XE operating systems that affects more than 300 models including Catalyst and Industrial Ethernet switches.

For the time being there is no workaround – although Cisco promises there will be a software fixes — so the company is urging administrators to turn off Telnet as an allowed protocol for incoming connections to eliminate the hole and instead use. SSH. How to do that can be found on the Cisco Guide to Harden Cisco IOS Devices.

The vulnerability in the operating systems’ Cluster Management Protocol could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges, Cisco says in its critical alert. That would allow an attacker to take over the device.

The protocol utilizes Telnet internally as a signaling and command protocol between cluster members. Cisco says the vulnerability is due to the combination of two factors:

  • The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and
  • The incorrect processing of malformed CMP-specific Telnet options.

An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections.

Checking for the presence of the CMP subsystem is only required on devices running Cisco IOS XE Software, not Cisco IOS Software, says the company. However, checking if the device is configured to accept Telnet connections is required for devices running either operating system. Devices running a vulnerable IOS XE Software release but not including the CMP protocol subsystem are not affected.

Cisco IPS Signature 7880-0 and Snort SIDs 41909 and 41910 can detect attempts to exploit this vulnerability.

Two weeks ago WikiLeaks revealed what it says is an archive of 8,761 documents and files — but not source code, names, email addresses and external IP addresses — describing includes malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation that can be used by the agency for spying on a range of products using Apple’s iOS, Google’s Android and Microsoft’s Windows operating systems.

A day later WikiLeaks said it would hand over details on the vulnerabilities to vendors so they can patch their software. However, citing unnamed sources Motherboard reported on Friday that WikiLeaks is asking vendors to sign off on a series of conditions before being able to receive the actual technical details. One source said a condition is fixes be issued within 90 days.

That would appear to be assurance a vendor won’t hide the vulnerability, or give it a low priority. On the other hand it may take a vendor longer than three months to fix the bug(s). Motherboard also notes vendors may be shy about accepting anything from WikiLeaks that might be stolen property.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now