SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
New Zealand
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewall
#
ransomware
Search
Story image
#
CIOs
#
Cisco
#
CERT
CERT NZ issues security alert about Smart Install-enabled Cisco devices
Thu, 19th Apr 2018
FYI, this story is more than a year old
Author image
By Sara Barker, Copywriter and Senior News Editor
Follow us

CERT NZ has issued a bulletin about a cyber attack campaign that is targeting Cisco devices that have enabled Smart Install (SMI).

The warning comes after both the US CERT and Cisco published details about internet scans that try to detect devices with the SMI still enabled.

The SMI lacks proper security controls after completing device setup. Those devices could be at risk of misuse, according to Cisco's security advisory.

“Several researchers have reported on the use of Smart Install (SMI) protocol messages toward Smart Install clients, also known as integrated branch clients (IBC), allowing an unauthenticated, remote attacker to change the startup-config file and force a reload of the device, load a new IOS image on the device, and execute high-privilege CLI commands on switches running Cisco IOS and IOS XE Software,” the advisory says.

“These issues have been reported by Tenable Network Security, Daniel Turner of Trustwave SpiderLabs, and Alexander Evstigneev and Dmitry Kuznetsov of Digital Security.

“There are no indicators of an attacker changing the TFTP server address or of an attacker copying files off the device using Smart Install capabilities. Cisco recommends that customers look for access from external IP addresses.

CERT NZ adds that SMI-enabled Cisco devices are accessible through the internet.  “These devices can be identified in a number of ways, including checking for devices with SMI port 4786 open and running.

“Exploiting this protocol requires SMI to be enabled. It is prudent to work on the basis that all Cisco devices with SMI port 4786 open are affected until they are investigated.

Cisco is careful not to call it a vulnerability in Cisco IOS, IOS CE, or the SMI feature, but that the smart install protocol does not require authentication by design.

As a response to the ‘misuse', Cisco has updated its Smart Install Configuration Guide to include security best practices for deploying the Cisco Smart Install feature in customer infrastructures.

CERT NZ says that SMI-enabled Cisco devices should be investigated.  Cisco adds that security best practices depend on how the feature is used in a specific customer environment.

“This includes either disabling SMI or adding ACL on port 4786 if SMI is required. Review logs to identify any suspicious activity, such as commands from internet-based hosts or connections to unknown IPs,” CERT NZ continues.

CERT NZ advises businesses that believe they have been impacted to contact New Zealand's National Cyber Security Centre.

Related stories
Cisco boosts Secure Application with added data, cloud security features
Exclusive: Logicalis Australia highlights CIOs stance on AI
BackBox introduces major update to Network Vulnerability Manager
How to converge physical security and IT to better protect businesses
Westcon-Comstor launches Tech ConneX platform for technical professionals
Top stories
Half of online traffic in 2024 generated by bots, report finds
Cisco launches Hypershield for AI-driven security upgrade
Axis unveils hybrid cloud platform for adaptable security solutions
Spirent partners with online payments platform to boost cyber defenses
Trustifi launches innovative phishing detection training for MSPs