The Cyber Fusion Center has learned of malicious, seemingly automated, exploitation of recent Cisco IOS and Cisco IOS XE critical vulnerabilities (CVE-2018-0171 & CVE-2018-0156) within Cisco Smart Install to cause mass network outages. Attackers are actively leveraging these vulnerabilities to reset vulnerable devices to factory default settings and force device restarts, resulting in a Denial of Service (DoS) condition. The Cyber Fusion Center has tracked attacks against internet-facing devices as well as internal switches which are reachable across site-to-site VPNs.
These attacks impact Cisco Smart Install (SMI) client switches (known as integrated branch clients (IBCs), typically access layer switches). The Cisco Smart Install functionality is enabled by default on Cisco IOS and IOS XE switches that have not been updated to the latest Cisco software releases. The Cyber Fusion Center highly recommends updating devices to the latest version of Cisco IOS or Cisco IOS XE, which mitigates these and several other critical vulnerabilities. If updating network devices is not feasible and clients do not use SMI, two non-impactful workarounds and temporary mitigations are available. Please review the “Mitigation and Response” section of this advisory.
Two recent critical and high severity Denial of Service (DOS) and Remote Code Execution (RCE) vulnerabilities have been disclosed in Cisco Smart Install (SMI) clients. Cisco Smart Install is a plug-and-play configuration management feature intended to allow zero-touch deployments of new network switches. The Cisco Smart Install (SMI) feature is enabled by default on Cisco switch software.
The vulnerabilities are due to improper validation of Smart Install package data. The Cisco Smart Install service listens on TCP port 4786 by default. A successful exploit of CVE-2018-0171 allows remote, unauthenticated attackers to cause a buffer overflow on affected devices, which could cause:
- A “reload” of the affected device, resetting the system to factory default configuration(s)
- Execution of arbitrary code (including potentially installing persistent backdoors)
- An indefinite loop on the affected device which causes important system processes to crash
Remote attackers can send specially crafted Smart Install message packets to an affected device to cause arbitrary remote code execution (RCE), wipe a device's configuration and force a reload of the affected system, obtain full control of the system, or cause indefinite loops on affected devices which make critical processes crash.
The ability for unauthenticated remote attackers to execute arbitrary code on Cisco network devices by exploiting a feature that is enabled and remotely exposed by default makes the criticality of these vulnerabilities extremely high. CVE-2018-0171 has been assigned a CVSS score of 9.8 out of 10.0.
The Cyber Fusion Center has also seen active mass exploitation of these vulnerabilities, including the use of publicly available Proof of Concept (PoC) code for CVE-2018-0171 to wipe devices' configurations and reset them to factory default. Additionally, attacks in Russia, Iran, and other Middle Eastern countries have reset devices and shown taunting messages and an American flag. The Cyber Fusion Center strongly cautions that messages such as these should not be used for attribution.
Additionally, CVE-2018-0171 could allow remote attackers to completely compromise the device, allowing unauthorized access to an organization's network, exposing protected assets, and could allow attackers to install backdoors on affected systems for persistent access.
Cisco IOS and Cisco IOS XE network switches which have not installed the latest available software updates as of March 28th, 2018 are vulnerable to these attacks. The affected sub-system, the Cisco Smart Install (SMI) client, is installed and enabled by default.
To identify which version of the Cisco IOS or Cisco IOS XE software your device(s) is currently running, use the following command:
To determine if your Cisco IOS or Cisco IOS XE network switch is vulnerable, use the “show vstack config” command as follows:
“show vstack config”
If either of the two following outputs is shown, and the Cisco device has not been updated to the latest available software, your device is vulnerable:

switch# show vstack config
Role: Client (SmartInstall enabled)

switch2# show vstack config
Capability: Client
Oper Mode: Enabled
Role: Client

If “Role: Client (SmartInstall enabled)” is present, or both “Oper Mode: Enabled” and “Role: Client” are present, in the output of “show vstack config”, the Cisco device is vulnerable.
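When triaging many switches at once, the two indicators above can be applied to captured “show vstack config” output automatically. The following Python is an added example (not part of the advisory or a Cisco tool); the captures it parses are constructed samples modelled on the two outputs quoted above, plus two constructed non-matching cases.

```python
"""Flag switches whose `show vstack config` output shows an enabled SMI client."""
import re

# Constructed sample captures (hostname -> raw CLI output). The first two mirror
# the two vulnerable outputs quoted in the advisory; the last two are constructed
# counter-examples (SMI operationally disabled, and a non-client role).
SAMPLE_CAPTURES = {
    "switch": "switch# show vstack config\n"
              "Role: Client (SmartInstall enabled)\n",
    "switch2": "switch2# show vstack config\n"
               "Capability: Client\n"
               "Oper Mode: Enabled\n"
               "Role: Client\n",
    "switch3": "switch3# show vstack config\n"       # constructed
               "Capability: Client\n"
               "Oper Mode: Disabled\n"
               "Role: Client\n",
    "switch4": "switch4# show vstack config\n"       # constructed
               "Role: Director\n",
}


def _field(output: str, name: str):
    """Return the value of a `Name: value` line from CLI output, or None."""
    pattern = rf"^\s*{re.escape(name)}:\s*(.+?)\s*$"
    match = re.search(pattern, output, re.MULTILINE | re.IGNORECASE)
    return match.group(1) if match else None


def smi_client_enabled(output: str) -> bool:
    """Apply the advisory's two indicators of an enabled SMI client.

    Indicator 1: "Role: Client (SmartInstall enabled)".
    Indicator 2: "Oper Mode: Enabled" together with "Role: Client".
    A device matching either is vulnerable unless it runs patched software.
    """
    role = (_field(output, "Role") or "").strip()
    oper_mode = (_field(output, "Oper Mode") or "").strip()
    if re.fullmatch(r"Client \(SmartInstall enabled\)", role, re.IGNORECASE):
        return True
    return oper_mode.lower() == "enabled" and role.lower() == "client"


def triage(captures: dict) -> dict:
    """Map each hostname to True if its output indicates an enabled SMI client."""
    return {host: smi_client_enabled(out) for host, out in captures.items()}


if __name__ == "__main__":
    for host, flagged in triage(SAMPLE_CAPTURES).items():
        print(f"{host}: {'SMI client enabled - verify patch level' if flagged else 'no SMI client indicator'}")
```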
Mitigation and Response
Cisco has released new Cisco IOS and Cisco IOS XE software images which resolve the issues identified in this Cyber Fusion Center advisory. Due to the potential impact and severity of the vulnerability (described in the section labeled “potential impact”) and the fact that it is being actively exploited, the Cyber Fusion Center recommends that clients apply these new software patches as soon as possible.
Additionally, clients who do not wish to use the Cisco Smart Install (SMI) client to perform zero-touch provisioning across their network switches may apply a temporary workaround by disabling the Cisco Smart Install feature using the following command:
If that option is not available for the client, the next-best option would be to restrict access to the SMI port (TCP/4786) via an Access Control List (ACL) as follows:

ip access-list extended CFC_DISABLE_ALL_SMI
 deny tcp any any eq 4786
 permit ip any any
Note: The above Access Control List (ACL) disables all access to Cisco Smart Install (SMI) and will impact clients who still need to use the feature. Clients should modify access lists accordingly if they require certain systems to still be able to provision switches via SMI.
Additionally, it’s possible to discover potentially vulnerable Cisco IOS and Cisco IOS XE devices by performing a network scan for devices that respond on TCP port 4786. Cisco Talos has also released a tool (https://github.com/Cisco-Talos/smi_check) which will scan a network for potentially vulnerable devices.
The Cyber Fusion Center (CFC) has already updated all managed Network Intrusion Detection Systems (IDS) with signatures to ensure attempts to exploit this vulnerability are promptly detected. The CFC will also be proactively reaching out to Vulnerability Scanning clients whose devices are potentially vulnerable to these issues.
Port 4486 or port 4786 or both?
Thank you very much for pointing this out! I’ve gone ahead and updated the blog to reflect that it’s indeed port 4786