{"uuid": "df3cc4d5-2d0f-45ab-be3a-3dc118e2aa14", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2018-0171", "type": "published-proof-of-concept", "source": "https://t.me/information_security_channel/16006", "content": "Unprotected Switches Expose Critical Infrastructure to Attacks: Cisco\nhttp://feedproxy.google.com/~r/Securityweek/~3/JIi2vCOXnz0/unprotected-switches-expose-critical-infrastructure-attacks-cisco\n\nCisco has advised organizations to ensure that their switches cannot be hacked via the Smart Install protocol. The networking giant has identified hundreds of thousands of exposed devices and warned that critical infrastructure could be at risk.\nThe Cisco Smart Install Client is a legacy utility that allows no-touch installation of new Cisco switches. Roughly one year ago, the company warned (http://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html) customers about misuse of the Smart Install protocol following a spike in Internet scans attempting to detect unprotected devices that had this feature enabled. It also made available an open source tool (https://github.com/Cisco-Talos/smi_check) for identifying devices that use the protocol.\nAttackers can abuse the Smart Install protocol to modify the configuration file on switches running IOS and IOS XE software, force the device to reload, load a new IOS image, and execute high-privilege commands. These attacks rely on the fact that many organizations fail to securely configure their switches, rather than an actual vulnerability.\nAccording to Cisco, sophisticated nation-state groups have also abused Smart Install in their campaigns, including the Russia-linked threat actor tracked as Dragonfly, Crouching Yeti and Energetic Bear, which has been known to target critical infrastructure (https://www.securityweek.com/sofacy-targets-european-govt-us-accuses-russia-hacking).\nCisco has decided to once again warn organizations (http://blog.talosintelligence.com/2018/04/critical-infrastructure-at-risk.html) of the risks associated with Smart Install following the disclosure of a critical vulnerability  (https://www.securityweek.com/critical-flaw-exposes-many-cisco-devices-remote-attacks)discovered recently by researchers at Embedi.\nThe flaw, tracked as CVE-2018-0171, allows a remote and unauthenticated attacker to cause a denial-of-service (DoS) condition or execute arbitrary code by sending specially crafted Smart Install messages to an affected device on TCP port 4786. Researchers said they had identified roughly 250,000 vulnerable Cisco devices with TCP port 4786 open.\nCisco\u2019s own Internet scans revealed 168,000 systems potentially exposed due to their use of the Cisco Smart Install Client. The company says the number of impacted devices has decreased considerably since 2016, when security firm Tenable identified more than 250,000 exposed systems.\nThroughout the end of 2017 and early 2018, Cisco\u2019s Talos group noticed attackers increasingly looking for misconfigured clients. Now that CVE-2018-0171 has been found, the risk of attacks has increased even more, especially since Embedi has released technical details (https://embedi.com/blog/cisco-smart-install-remote-code-execution/) and proof-of-concept (PoC) code.\nThere is no evidence that CVE-2018-0171 has been exploited in malicious attacks. Cisco also noted that much of the activity it has seen is likely not malicious, but the company says the sharp increase in scanning is noteworthy.", "creation_timestamp": "2018-04-05T18:51:00.000000Z"}