Responding to the Cisco CMP Vulnerability

This past Friday Cisco publicly disclosed a software vulnerability in the  Cisco Cluster Management Protocol in Cisco IOS and Cisco IOS XE software.  The following is our action report for clients utilizing Cisco devices.

Summary

CVE-2017-3881 is a critical vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE software allowing an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.

The vulnerability has high visibility due to its recent release within the “Vault 7” CIA hacking arsenal leak by Wikileaks.

Vulnerability Description

The Cisco Cluster Management Protocol (CMP) utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors:

  • the failure to restrict the use of CMP-specific Telnet options only to communications between cluster members
  • the incorrect processing of malformed CMP-specific Telnet options.

An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device.

Impacted Versions

Over 300 Cisco Switches running Cisco IOS or IOS XE software are affected by this vulnerability.

 For devices running Cisco IOS XE Software:

To determine if the CMP subsystem is present on the running software image. Execute the command from a privileged CLI prompt on the device:

show subsys class protocol | include ^cmp

Output when CMP subsystem is present:

Switch#show subways class protocol | include ^cmp
cmp                                 Protocol    1.000.001
Switch#

Notice the command returns “CMP Protocol 1.000.001” 

For devices running CISCO IOS Software:

To determine if the device is configured to accept incoming Telnet connections, execute the command from a privileged CLI prompt:

show running-config | include ^line vty|transport input

Output when default vty input is configured and telnet connections are accepted:

Switch#show running-config | include ^line vty | transport input
line vty 0 4
line vty 5 15
Switch#

Output when transport input is explicitly set to SSH on select VTYs:

Switch#show running-config | include ^line vty | transport input
line vty 0 4
 transport input ssh
line vty 5 15
 transport input shh
line vty 6 15
Switch#

You may notice that VTYs number 6 to 15 are still using default protocols, and will still accept Telnet connections.

Recommended Actions

For Clients with Cisco FirePower IDS / IPS devices managed by the Kudelski Security Cyber Fusion Center (CFC): The CFC has enabled Firepower signatures to detect potential exploitation of this vulnerability.

Kudelski Security also recommends that clients enable ACLs to limit inbound access to CMP via Telnet.

Sources

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3881
https://wikileaks.org/ciav7p1/
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
http://sensorstechforum.com/cve-2017-3881-affects-300-cisco-switches/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s