Cisco issues critical warning after CIA WikiLeaks dump bares IOS security weakness

Credit to Author: Michael Cooney | Date: Tue, 21 Mar 2017 08:50:00 -0700

A vulnerability in Cisco’s widely deployed IOS software, uncovered during the company’s review of the recent WikiLeaks dump of CIA exploits, has prompted Cisco to issue a critical warning to its Catalyst networking customers.


The vulnerability, which could let an unauthenticated remote attacker cause a reload of an affected device or execute code and take over the device, affects more than 300 models of Cisco Catalyst switches, from the Catalyst 2350-48TD-S through the Cisco SM-X Layer 2/3 EtherSwitch Service Module.

Specifically, the vulnerability lies in the Cluster Management Protocol (CMP) code, which uses Telnet as a signaling and command protocol between cluster members. Cisco said the vulnerability is due to the combination of two factors:

Cisco wrote of the disclosure and its relationship to the so-called Vault 7 CIA release:

“Based on the ‘Vault 7’ public disclosure, Cisco launched an investigation into the products that could potentially be impacted by these and similar exploits and vulnerabilities. As part of the internal investigation of our own products and the publicly available information, Cisco security researchers found a vulnerability in the Cluster Management Protocol code in Cisco IOS and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.

In terms of mitigations to consider, disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector. Disabling Telnet and using SSH is recommended by Cisco. Information on how to do both can be found on the Cisco Guide to Harden Cisco IOS Devices. Customers unable or unwilling to disable the Telnet protocol can reduce the attack surface by implementing infrastructure access control lists (iACL).”

Cisco said there are no workarounds that address this vulnerability, but that disabling Telnet and allowing only SSH for incoming connections would eliminate the exploit vector; the Cisco Guide to Harden Cisco IOS Devices describes how to do both.

Cisco said customers unable or unwilling to disable Telnet can reduce the attack surface by implementing iACLs, as described in its document Protecting Your Core: Infrastructure Protection Access Control Lists.
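Because the vulnerable CMP code is reached only through an inbound Telnet session, the advisory’s mitigations reduce to three checks on a switch’s running-config: is Telnet still an allowed `transport input` on the vty lines, is SSHv2 configured to take its place, and, where Telnet must stay, is an inbound access-class limiting who can reach it. The following script is an added example written for this article, not Cisco’s code or text; the two IOS configs it audits are constructed for the example (the hostname, the management subnet 10.0.10.0/24 and the ACL name VTY-MGMT are made up), and it uses `ip ssh version 2` as a proxy for “SSH is ready”, since the RSA key that SSH also needs is generated with an exec command rather than stored as a config line.

```python
"""Audit a Cisco IOS running-config for Telnet exposure on the vty lines.

Added example for this article (not Cisco's code). Checks the three points the
advisory's mitigations turn on: Telnet accepted as a transport, SSHv2 enabled
as its replacement, and an inbound access-class on any vty that still accepts
Telnet. Both sample configs below are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: Telnet still accepted, no SSHv2, no access-class.
WEAK_CONFIG = """\
hostname edge-sw1
!
line vty 0 4
 login local
 transport input telnet ssh
!
"""

# Constructed sample: Telnet disabled, SSHv2 enabled, vty reachability limited
# to a hypothetical management subnet (10.0.10.0/24) by access-class VTY-MGMT.
HARDENED_CONFIG = """\
hostname edge-sw1
ip domain-name example.net
ip ssh version 2
!
ip access-list extended VTY-MGMT
 permit tcp 10.0.10.0 0.0.0.255 any eq 22
 deny tcp any any log
!
line vty 0 4
 login local
 access-class VTY-MGMT in
 transport input ssh
!
"""


@dataclass
class VtyLine:
    name: str                                   # e.g. "line vty 0 4"
    transport_input: List[str] = field(default_factory=list)
    access_class_in: Optional[str] = None


def parse_vty_lines(config: str) -> List[VtyLine]:
    """Collect each `line vty` stanza with its transport and access-class settings."""
    vtys: List[VtyLine] = []
    current: Optional[VtyLine] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):            # a top-level command starts a new stanza
            current = VtyLine(raw.strip()) if re.match(r"line vty \d+", raw) else None
            if current:
                vtys.append(current)
            continue
        if current is None:                    # indented line of a non-vty stanza
            continue
        parts = raw.split()
        if parts[:2] == ["transport", "input"]:
            current.transport_input = parts[2:]
        elif parts[0] == "access-class" and parts[-1] == "in":
            current.access_class_in = parts[1]
    return vtys


def telnet_allowed(vty: VtyLine) -> bool:
    """True if the vty line accepts Telnet as an inbound transport."""
    # Assumption (conservative): a vty with no explicit `transport input` is
    # treated as accepting Telnet, because the platform default varies.
    if not vty.transport_input:
        return True
    return any(t in ("all", "telnet") for t in vty.transport_input)


def audit_config(config: str) -> List[str]:
    """Return a list of findings; an empty list means no Telnet exposure was found."""
    findings: List[str] = []
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("global: `ip ssh version 2` not set; SSH is not ready to replace Telnet")
    vtys = parse_vty_lines(config)
    if not vtys:
        findings.append("global: no `line vty` stanza found; remote access state unknown")
    for vty in vtys:
        if not telnet_allowed(vty):
            continue
        if vty.access_class_in:
            findings.append(f"{vty.name}: Telnet still accepted; reachability reduced by "
                            f"access-class {vty.access_class_in} in")
        else:
            findings.append(f"{vty.name}: Telnet accepted with no inbound access-class (exposed)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]", audit_config(cfg) or ["OK: Telnet not accepted on any vty line"])
```

The vty-level `access-class` is the narrowest form of the access-list mitigation; the Cisco iACL document the article points to applies comparable ACLs at network-edge interfaces so that only the management address space can reach the infrastructure at all. Either way, the audit treats a Telnet-capable vty with no inbound ACL as the exposed case, and a vty that accepts only SSH as closed regardless of ACLs.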

Cisco wrote in a blog post that, since none of the tools and malware referenced in the initial Vault 7 disclosure have been made available by WikiLeaks, the scope of action it can take is limited. “What we can do, have been doing, and will continue to do is to actively analyze the documents that were already disclosed,” the company wrote, before summarizing its preliminary analysis of the disclosed documents:

In March WikiLeaks released more than 8,700 documents it claims came from the CIA’s Center for Cyber Intelligence. Some documents released describe how the spy agency used malware and hacking tools to target iPhones and smart television sets. Others detail the CIA unit’s efforts to compromise Windows, Apple’s OS X, Linux, and routers.

This story, “Cisco issues critical warning after CIA WikiLeaks dump bares IOS security weakness” was originally published by Network World.
