A vulnerability in Cisco’s widely deployed IOS software that was disclosed in the recent WikiLeaks dump of CIA exploits has triggered the company to release a critical warning for its Catalyst networking customers.
The vulnerability -- which could let an attacker cause a reload of an affected device or remotely execute code and take over a device -- impacts more than 300 models of Cisco Catalyst switches from the model 2350-48TD-S Switch to the Cisco SM-X Layer 2/3 EtherSwitch Service Module.
Specifically, the vulnerability is contained in the Cluster Management Protocol which uses Telnet as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors Cisco said:
- The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and
- The incorrect processing of malformed CMP-specific Telnet options.
Cisco wrote of the disclosure and its relationship to the so-called Vault 7 CIA release:
“Based on the “Vault 7” public disclosure, Cisco launched an investigation into the products that could potentially be impacted by these and similar exploits and vulnerabilities. As part of the internal investigation of our own products and the publicly available information, Cisco security researchers found a vulnerability in the Cluster Management Protocol code in Cisco IOS and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.
In terms of mitigations to consider, disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector. Disabling Telnet and using SSH is recommended by Cisco. Information on how to do both can be found on the Cisco Guide to Harden Cisco IOS Devices. Customers unable or unwilling to disable the Telnet protocol can reduce the attack surface by implementing infrastructure access control lists (iACL).
Cisco wrote that there are no workarounds that address this vulnerability but disabling the Telnet protocol and using SSH as an allowed protocol for incoming connections would eliminate the exploit vector. Information on how to do both can be found on the Cisco Guide to Harden Cisco IOS Devices.
Cisco said customers unable or unwilling to disable the Telnet protocol can reduce the attack surface by implementing iACLs. Information on iACLs can be found on the following document: Protecting Your Core: Infrastructure Protection Access Control Lists.
Cisco wrote in a blog that since none of the tools and malware referenced in the initial Vault 7 disclosure have been made available by WikiLeaks, the scope of action that can be taken by Cisco is limited. What we can do, have been doing, and will continue to do is to actively analyze the documents that were already disclosed. Based on preliminary analysis of the disclosed documents:
- Malware exists that seems to target different types and families of Cisco devices, including multiple router and switches families.
- The malware, once installed on a Cisco device, seem to provide a range of capabilities: data collection, data exfiltration, command execution with administrative privileges (and without any logging of such commands ever been executed), HTML traffic redirection, manipulation and modification (insertion of HTML code on web pages), DNS poisoning, covert tunneling and others.
- The authors have spent a significant amount of time making sure the tools, once installed, attempt to remain hidden from detection and forensic analysis on the device itself.
- It would also seem the malware author spends a significant amount of resources on quality assurance testing – in order, it seems, to make sure that once installed the malware will not cause the device to crash or misbehave.
Sign up for Computerworld eNewsletters.