CERT NZ issues security alert about Smart Install-enabled Cisco devices

19 Apr 18

CERT NZ has issued a bulletin about a cyber attack campaign targeting Cisco devices that have Smart Install (SMI) enabled.

The warning comes after both the US CERT and Cisco published details about internet scans that try to detect devices with SMI still enabled.

SMI lacks proper security controls once device setup is complete, so devices that leave it enabled could be at risk of misuse, according to Cisco’s security advisory.

“Several researchers have reported on the use of Smart Install (SMI) protocol messages toward Smart Install clients, also known as integrated branch clients (IBC), allowing an unauthenticated, remote attacker to change the startup-config file and force a reload of the device, load a new IOS image on the device, and execute high-privilege CLI commands on switches running Cisco IOS and IOS XE Software,” the advisory says.

“These issues have been reported by Tenable Network Security, Daniel Turner of Trustwave SpiderLabs, and Alexander Evstigneev and Dmitry Kuznetsov of Digital Security.”

“There are no indicators of an attacker changing the TFTP server address or of an attacker copying files off the device using Smart Install capabilities. Cisco recommends that customers look for access from external IP addresses.”

CERT NZ adds that SMI-enabled Cisco devices are accessible through the internet.

“These devices can be identified in a number of ways, including checking for devices with SMI port 4786 open and running.”

“Exploiting this protocol requires SMI to be enabled. It is prudent to work on the basis that all Cisco devices with SMI port 4786 open are affected until they are investigated.”

Cisco is careful not to call it a vulnerability in Cisco IOS, IOS XE, or the SMI feature; rather, it says that the Smart Install protocol does not require authentication by design.

As a response to the ‘misuse’, Cisco has updated its Smart Install Configuration Guide to include security best practices for deploying the Cisco Smart Install feature in customer infrastructures.

CERT NZ says that SMI-enabled Cisco devices should be investigated. Cisco adds that security best practices depend on how the feature is used in a specific customer environment.

“This includes either disabling SMI or adding ACL on port 4786 if SMI is required. Review logs to identify any suspicious activity, such as commands from internet-based hosts or connections to unknown IPs,” CERT NZ continues.
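The log review CERT NZ describes can be sketched as follows. This is an added example, not code from CERT NZ or Cisco: it flags connections to port 4786 from anything other than the site's Smart Install director, and switch connections to unknown IPs. The CSV flow format, the address ranges and the sample records are all constructed assumptions.

```python
import csv
import io
import ipaddress

SMI_PORT = 4786  # Smart Install TCP port named in the CERT NZ bulletin

# Assumed site data (constructed): own address space, switch management
# subnet, the Smart Install director, and servers switches normally talk to.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
SWITCHES = ipaddress.ip_network("10.0.10.0/24")
DIRECTORS = {ipaddress.ip_address("10.0.0.5")}
KNOWN_SERVERS = DIRECTORS | {ipaddress.ip_address("10.0.0.20")}

# Constructed flow records: time, src, dst, proto, dst_port
SAMPLE_FLOWS = """\
2018-04-10T02:11:09Z,10.0.0.5,10.0.10.11,tcp,4786
2018-04-10T02:14:51Z,198.51.100.23,10.0.10.11,tcp,4786
2018-04-10T02:15:02Z,10.0.10.11,198.51.100.23,udp,69
2018-04-10T03:40:00Z,10.0.30.77,10.0.10.12,tcp,4786
2018-04-10T03:41:10Z,10.0.10.12,10.0.0.20,udp,514
2018-04-10T04:00:00Z,203.0.113.9,10.0.10.13,tcp,22
"""

def review_flows(text):
    """Return (time, finding, src, dst) tuples for flows worth investigating."""
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # tolerate blank lines in the export
        ts, src, dst, proto, port = row
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst_ip in SWITCHES and proto == "tcp" and int(port) == SMI_PORT:
            if src_ip in DIRECTORS:
                continue  # expected director-to-client traffic
            kind = ("smi-from-internal-non-director" if src_ip in INTERNAL
                    else "smi-from-external")
            findings.append((ts, kind, src, dst))
        elif (src_ip in SWITCHES and dst_ip not in SWITCHES
              and dst_ip not in KNOWN_SERVERS):
            # A switch initiating traffic to an address nobody recognises
            findings.append((ts, "switch-to-unknown-ip", src, dst))
    return findings

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(*finding)
```

An internal non-director source still warrants a look, since an ACL on port 4786 would normally permit only the director.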

CERT NZ advises businesses that believe they have been impacted to contact New Zealand’s National Cyber Security Centre.
