29 March 2017

Think your Cisco switch is secure? Think again: Hundreds are vulnerable to a simple attack

By Brandon Vigliarolo

The Vault 7 documents released by WikiLeaks continue to reveal security weaknesses in trusted technology. This time it's Cisco's turn to reveal its mistakes to the world. 

WikiLeaks' dump of CIA spying programs has another victim: Cisco. The network hardware manufacturer's switches have a security flaw that is easy to exploit, widespread, and currently unpatched.

The hole, which is present in 318 different models of Cisco switches, is a gaping one. An attack abuses the Cisco Cluster Management Protocol (CMP) to allow an outside user to gain Telnet access into the switch. The intruder can then reload a device or execute commands with elevated privileges.

To make matters worse, Cisco has admitted that there is currently no workaround or patch available to fix the problem short of disabling Telnet connections to affected devices.

How the hack happens

Cisco's CMP uses Telnet to communicate between machines in a cluster, and it fails to distinguish between internal requests and those sent by outside, potentially unidentified users.

An attacker who is able to gain access to a Cisco switch in this way can reboot the device, inject code, and otherwise completely control the switch.


CMP-specific commands are processed by default, even if the affected device is devoid of cluster configuration commands, so don't assume that a less essential device is safer.

Is your hardware vulnerable?

If you have one of the 318 affected devices, you're right to worry, and not just because of the CIA: if they can get into your Cisco switch, a skilled hacker can as well.

Just because your hardware is vulnerable doesn't mean it's truly at risk, though. The security hole is only open if two conditions are met: 
Your device uses Cisco IOS XE and has the CMP subsystem installed. 
Your device accepts Telnet connections. 

If either of those statements is untrue, you're safe. Cisco provided instructions for checking in its security bulletin, so if you're unsure, it's a good idea to connect to your switch and check.

The not-workaround-workaround to protect yourself

Cisco says there isn't a workaround for the problem, or a security patch, but that doesn't mean there aren't things you can do to secure yourself. 
If you don't absolutely need Telnet, you can disable it in favor of SSH.
Cisco devices can also be configured for access control, which restricts access to particular machines. 

Cisco hasn't given a timeline for when a patch will come out to fix the problem. If Telnet isn't completely necessary to your Cisco switch-based operation, take the time to restrict it now.

The three big takeaways for TechRepublic readers: 
The CIA-related WikiLeaks documents have revealed that over 300 models of Cisco switches have a vulnerability allowing unauthorized users to gain control through a Telnet connection. 
Cisco has revealed that there is currently no workaround for the problem and hasn't said when a future patch might be forthcoming. 
The only current solutions are disabling Telnet, enabling SSH, and adding access restrictions to only allow certain machines to use Cisco CMP. 
