Responding to the Cisco CMP Vulnerability

On Friday, March 17, 2017, Cisco publicly disclosed a software vulnerability in the Cisco Cluster Management Protocol (CMP) code in Cisco IOS and Cisco IOS XE Software. The following is our action report for clients using Cisco devices.

Summary

CVE-2017-3881 is a critical vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software that allows an unauthenticated, remote attacker to cause a reload of an affected device or to execute code with elevated privileges.

The vulnerability has high visibility because Cisco identified it while analyzing the "Vault 7" documents, described as a CIA hacking arsenal, that WikiLeaks published shortly before the advisory.

Vulnerability Description

The Cisco Cluster Management Protocol (CMP) uses Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors:

  • the failure to restrict the use of CMP-specific Telnet options to communications between cluster members, so the device accepts them on any Telnet session
  • the incorrect processing of malformed CMP-specific Telnet options.

An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device. No credentials are needed: the options are negotiated while the session is being established, before any login prompt is answered.

Impacted Versions

More than 300 Cisco switch models running Cisco IOS or IOS XE Software are listed as affected. A listed device is exploitable only if it is configured to accept incoming Telnet connections; on IOS XE it must additionally have the CMP subsystem present in the running image. Use the two checks below to determine exposure.

For devices running Cisco IOS XE Software:

To determine whether the CMP subsystem is present in the running software image, execute the following command from a privileged CLI prompt on the device:

show subsys class protocol | include ^cmp

Output when the CMP subsystem is present:

Switch#show subsys class protocol | include ^cmp
cmp                                 Protocol    1.000.001
Switch#

Notice that the command returns the line "cmp   Protocol   1.000.001". If the command returns no output, the CMP subsystem is not present in the image and the device is not affected by this vulnerability.

For devices running Cisco IOS Software (and for IOS XE devices where the CMP subsystem is present):

To determine whether the device is configured to accept incoming Telnet connections, execute the following command from a privileged CLI prompt:

show running-config | include ^line vty|transport input

Output when the default transport input is configured on the VTYs (Telnet connections are accepted):

Switch#show running-config | include ^line vty|transport input
line vty 0 4
line vty 5 15
Switch#

Output when transport input is explicitly set to SSH on some VTYs only:

Switch#show running-config | include ^line vty|transport input
line vty 0 4
 transport input ssh
line vty 5
 transport input ssh
line vty 6 15
Switch#

Notice that VTYs 6 to 15 have no transport input statement, so they still use the default transport protocols and will still accept Telnet connections. The device remains exposed until every VTY line has transport input restricted to ssh (or none).
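When a fleet of devices has to be checked, the VTY inspection above is easy to get wrong by eye, exactly because of the partially hardened case where some blocks carry no transport input statement. The following is an added example, not code from this advisory or from Cisco: it parses the text of show running-config (or the filtered output shown above), applies the rule that a VTY block with no transport input statement uses the platform default and therefore accepts Telnet, reports the exposed blocks, and generates the IOS lines that would close them. The sample configurations are constructed for the example, and the ACL name VTY-MGMT is a placeholder assumed to exist on the device.

```python
"""Audit Cisco IOS / IOS XE VTY lines for Telnet exposure (CVE-2017-3881).

Added example; not code from the advisory or from Cisco.  Rule encoded:
a `line vty` block with no `transport input` statement uses the platform
default, which accepts Telnet; `ssh` or `none` closes it; `all`, `telnet`,
or any list containing `telnet` leaves it open.  `VTY-MGMT` is a placeholder
ACL name assumed to already be defined on the device.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "line vty 0 4" (a range) or "line vty 5" (a single VTY)
VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")
# Sub-commands of a line block are indented by one space in IOS configs
TRANSPORT_RE = re.compile(r"^\s+transport input (.+?)\s*$")


@dataclass
class VtyBlock:
    first: int
    last: int
    transport: Optional[List[str]] = None  # None = no statement, platform default

    def accepts_telnet(self) -> bool:
        if self.transport is None:
            return True            # default transport input accepts Telnet
        protos = set(self.transport)
        if "none" in protos:
            return False
        return "all" in protos or "telnet" in protos

    def label(self) -> str:
        return f"{self.first}-{self.last}" if self.first != self.last else str(self.first)


def parse_vty_blocks(config: str) -> List[VtyBlock]:
    """Walk the config once, attaching each indented transport input to its block."""
    blocks: List[VtyBlock] = []
    current: Optional[VtyBlock] = None
    for raw in config.splitlines():
        m = VTY_RE.match(raw)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = VtyBlock(first, last)
            blocks.append(current)
            continue
        if raw and not raw.startswith(" "):
            current = None         # any other top-level line ("!", "line con 0", "end") ends the block
            continue
        t = TRANSPORT_RE.match(raw)
        if t and current is not None:
            current.transport = t.group(1).lower().split()
    return blocks


def telnet_exposed_vtys(config: str) -> List[str]:
    """Labels ("0-4", "5") of the VTY blocks that still accept Telnet, i.e. expose CMP."""
    return [b.label() for b in parse_vty_blocks(config) if b.accepts_telnet()]


def remediation_commands(config: str, acl_name: str = "VTY-MGMT") -> List[str]:
    """IOS configuration lines restricting each exposed block to SSH from the named ACL."""
    lines: List[str] = []
    for b in parse_vty_blocks(config):
        if not b.accepts_telnet():
            continue
        lines.append(f"line vty {b.first}" if b.first == b.last else f"line vty {b.first} {b.last}")
        lines.append(" transport input ssh")
        lines.append(f" access-class {acl_name} in")
    return lines


# Constructed samples: the two outputs shown in the advisory, plus a fuller config.
SAMPLE_DEFAULT = "line vty 0 4\nline vty 5 15\n"
SAMPLE_PARTIAL = (
    "line vty 0 4\n transport input ssh\n"
    "line vty 5\n transport input ssh\n"
    "line vty 6 15\n"
)
SAMPLE_FULL = (
    "!\nline con 0\n logging synchronous\n"
    "line vty 0 4\n access-class VTY-MGMT in\n transport input ssh\n"
    "line vty 5 15\n transport input telnet ssh\n!\nend\n"
)

if __name__ == "__main__":
    for name, cfg in (("default", SAMPLE_DEFAULT), ("partial", SAMPLE_PARTIAL), ("full", SAMPLE_FULL)):
        print(f"{name}: Telnet-exposed VTYs = {telnet_exposed_vtys(cfg)}")
    print("\n".join(remediation_commands(SAMPLE_PARTIAL)))
```

Run against the partially hardened sample, the audit reports only VTYs 6-15, matching the observation above, and the generated lines apply transport input ssh plus an access-class to exactly that block. Any top-level line other than a line vty header ends the current block, so the parser works on a full running-config as well as on the filtered output.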

Recommended Actions

For clients with Cisco Firepower IDS/IPS devices managed by the Kudelski Security Cyber Fusion Center (CFC): the CFC has enabled Firepower signatures to detect potential exploitation of this vulnerability.

Kudelski Security also recommends that clients disable Telnet on affected devices in favor of SSH (transport input ssh on every VTY line, as in the hardened output above) and, where Telnet cannot yet be removed, apply an access-class ACL to the VTY lines so that only trusted management hosts can reach the Telnet service and therefore the CMP option handling behind it.

Sources

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3881
https://wikileaks.org/ciav7p1/
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
http://sensorstechforum.com/cve-2017-3881-affects-300-cisco-switches/
