On the 29th of March a company that deals with security in embedded devices, called Embedi published their discovery about a critical vulnerability in most Cisco Switch devices (both running IOS and XE).
The vulnerability (CVE-2018-0171) is based on stack buffer overflow and is possible due to improper validation of packet data in Smart Install Client, a plug-and-play configuration and image-management feature that helps administrators to deploy (client) network switches easily. The service is running on TCP 4786, opened by default and listening when service is enabled (which is by default).
Yet again a new functionality that is meant for easier deployment and potential less operational costs during deployment poses a serious security risk. The vulnerability is deemed as critical because it gives complete access to the device or be used to do a DoS on the device, meaning it can crash the device. What makes the case even worse is that the Smart Install Client functionality is enabled by default.
Initially researchers believed that the vulnerability could only be used for attacks inside an enterprise network due to the communication ports usually not exposed to the Internet or to the fact that many of switch or other devices are only internal, because in a securely configured networks because the recommendation is that Smart Install technology participants should not be accessible through the Internet.
However during a short scan of the Internet, researchers detected over 250,000 vulnerable devices and 8,5 million devices that have a vulnerable port open.
Which Cisco devices are affected:
The vulnerability was proven to work on the following devices: Catalyst 4500 Supervisor Engines, Cisco Catalyst 3850 Series Switches, and Cisco Catalyst 2960 Series Switches.
- Cisco Catalyst 4500 Supervisor Engine 6L-E
- Cisco IOS 15.2.2E6 (Latest, Suggested)
- cat4500e-entservicesk9-mz.152-2.E6.bin (23-DEC-2016)
- Cisco Catalyst 2960-48TT-L Switch
- Cisco IOS 12.2(55)SE11 (Suggested)
- c2960-lanbasek9-mz.122-55.SE11.bin (18-AUG-2016)
- Cisco IOS 15.0.2-SE10a (Latest)
- c2960-lanbasek9-mz.150-2.SE10a.bin (10-NOV-2016)
- Cisco Catalyst 3850-24P-E Switch
- Cisco IOS-XE 03.03.05.SE
- cat3k_caa-universalk9.SPA.03.03.05.SE.150-1.EZ5.bin (03-NOV-2014)
And here are all devices that may fall into the Smart Install Client type and can be considered potentially vulnerable:
- Catalyst 4500 Supervisor Engines
- Catalyst 3850 Series
- Catalyst 3750 Series
- Catalyst 3650 Series
- Catalyst 3560 Series
- Catalyst 2960 Series
- Catalyst 2975 Series
- IE 2000
- IE 3000
- IE 3010
- IE 4000
- IE 4010
- IE 5000
- SM-ES2 SKUs
- SM-ES3 SKUs
- SM-X-ES3 SKUs
The original researchers reached Cisco with their finding before going public with it and the vendor had enough time to patch their software. Official releases after March have been patches against the vulnerability and available for download.
How does the attack work?
The attackers send a large number of very small requests from a high-bandwidth pipe behind ISP(s), that allow ip spoofing, destined at a large list of publicly accessible application servers. The attacker is spoofing the source IP on all these requests to the target public IP address. All servers are made to respond with much larger packets to the requests, wrongfully directing all that traffic towards the unsuspecting target. The idea is to cripple either the target server/device or to congest its internet pipe, both causing Denial of Service.
How to determine if your device is affected:
Issue the following command:
show vstack config
If the output shows that SmartInstall is enabled then proceed with the checks
Check your current running software versions
Use a Cisco official tool to check the vulnerabilities on your Cisco IOS/XE via the following link:
- Do not expose unnecessary any communication channels (services/ports) to unsecure networks such as the internet. Keep your devices behind firewalls in order to reduce the potential attack service.
- Remember to patch your systems regularly