
CERT NZ issues security alert about Smart Install-enabled Cisco devices

19 Apr 2018

CERT NZ has issued a bulletin about a cyber attack campaign that is targeting Cisco devices that have enabled Smart Install (SMI).

The warning comes after both US-CERT and Cisco published details about internet scans that try to detect devices with SMI still enabled.

SMI provides no authentication once device setup is complete, so those devices could be at risk of misuse, according to Cisco’s security advisory.

“Several researchers have reported on the use of Smart Install (SMI) protocol messages toward Smart Install clients, also known as integrated branch clients (IBC), allowing an unauthenticated, remote attacker to change the startup-config file and force a reload of the device, load a new IOS image on the device, and execute high-privilege CLI commands on switches running Cisco IOS and IOS XE Software,” the advisory says.

“These issues have been reported by Tenable Network Security, Daniel Turner of Trustwave SpiderLabs, and Alexander Evstigneev and Dmitry Kuznetsov of Digital Security.”

“There are no indicators of an attacker changing the TFTP server address or of an attacker copying files off the device using Smart Install capabilities. Cisco recommends that customers look for access from external IP addresses.”

CERT NZ adds that SMI-enabled Cisco devices are accessible through the internet. “These devices can be identified in a number of ways, including checking for devices with SMI port 4786 open and running.”

“Exploiting this protocol requires SMI to be enabled. It is prudent to work on the basis that all Cisco devices with SMI port 4786 open are affected until they are investigated.”

Cisco is careful not to call this a vulnerability in Cisco IOS, IOS XE, or the SMI feature; rather, it states that the Smart Install protocol does not require authentication by design.

As a response to the ‘misuse’, Cisco has updated its Smart Install Configuration Guide to include security best practices for deploying the Cisco Smart Install feature in customer infrastructures.

CERT NZ says that SMI-enabled Cisco devices should be investigated. Cisco adds that security best practices depend on how the feature is used in a specific customer environment.

“This includes either disabling SMI or adding ACL on port 4786 if SMI is required. Review logs to identify any suspicious activity, such as commands from internet-based hosts or connections to unknown IPs,” CERT NZ continues.
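The two checks CERT NZ describes, confirming that SMI is disabled or filtered on port 4786 and reviewing logs for connection attempts from internet-based hosts, can be scripted against exported running-configs and syslog. The block below is an added example, not code from CERT NZ, Cisco or the original article. It assumes Cisco IOS conventions: `no vstack` in the running-config means the SMI client was explicitly disabled, a named extended ACL shows its entries with sequence numbers, and ACL hits are logged as `%SEC-6-IPACCESSLOGP: list NAME denied tcp SRC(PORT) -> DST(PORT), N packets`. The configuration text and log lines are constructed for illustration; the ACL name `SMI_GUARD`, the hostnames and the addresses are made up.

```python
"""Audit helpers for Cisco Smart Install (SMI) exposure.

Added example, not from the CERT NZ bulletin or the Cisco advisory. Assumes
Cisco IOS conventions: `no vstack` disables the SMI client, and ACL hits are
logged as `%SEC-6-IPACCESSLOGP: list NAME denied tcp SRC(P) -> DST(P), N packets`.
The sample config and log lines are constructed for illustration.
"""
import ipaddress
import re

SMI_PORT = 4786  # TCP port used by Smart Install, as cited in the bulletin

# Matches one IOS ACL log entry, e.g.
#   %SEC-6-IPACCESSLOGP: list SMI_GUARD denied tcp 203.0.113.7(51234) -> 10.10.10.50(4786), 1 packet
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)


def smi_client_enabled(config_text: str) -> bool:
    """Return True unless the config explicitly disables the SMI client.

    Only an explicit `no vstack` line counts as disabled. A config without it
    is treated as still exposed, matching CERT NZ's advice to assume a device
    is affected until it has been investigated.
    """
    return not any(line.strip() == "no vstack" for line in config_text.splitlines())


def acl_blocks_smi(config_text: str) -> bool:
    """Return True if some ACL entry denies TCP/4786 from any source to any host.

    Handles the optional sequence number IOS prints in front of named-ACL entries.
    """
    pattern = re.compile(rf"^\s*(?:\d+\s+)?deny\s+tcp\s+any\s+any\s+eq\s+{SMI_PORT}\b")
    return any(pattern.match(line) for line in config_text.splitlines())


def suspicious_smi_hits(log_lines, trusted_networks):
    """Return (src, dst, action) for ACL log lines aimed at TCP/4786 from untrusted sources.

    `trusted_networks` lists the prefixes (e.g. the internal management range
    that hosts the Smart Install director) whose traffic is expected; anything
    else reaching port 4786 is flagged for review, whether permitted or denied.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for line in log_lines:
        m = ACL_LOG_RE.search(line)
        if not m or m["proto"] != "tcp" or int(m["dport"]) != SMI_PORT:
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in trusted):
            continue
        hits.append((m["src"], m["dst"], m["action"]))
    return hits


# Constructed running-config excerpt: SMI disabled and an ACL that only lets
# the internal director (10.10.10.1, made up) reach port 4786.
SAMPLE_CONFIG = """\
hostname access-sw-01
!
no vstack
!
ip access-list extended SMI_GUARD
 10 permit tcp host 10.10.10.1 any eq 4786
 20 deny tcp any any eq 4786
 30 permit ip any any
"""

# Constructed syslog lines in IOS ACL-logging format.
SAMPLE_LOGS = [
    "Apr 19 2018 03:12:01: %SEC-6-IPACCESSLOGP: list SMI_GUARD permitted tcp 10.10.10.1(40211) -> 10.10.10.50(4786), 1 packet",
    "Apr 19 2018 03:14:22: %SEC-6-IPACCESSLOGP: list SMI_GUARD denied tcp 203.0.113.7(51234) -> 10.10.10.50(4786), 3 packets",
    "Apr 19 2018 03:15:09: %SEC-6-IPACCESSLOGP: list SMI_GUARD denied tcp 198.51.100.9(4444) -> 10.10.10.51(4786), 1 packet",
    "Apr 19 2018 03:16:40: %SEC-6-IPACCESSLOGP: list SMI_GUARD permitted tcp 10.10.10.8(55000) -> 10.10.10.50(22), 1 packet",
]

if __name__ == "__main__":
    print("SMI client enabled:", smi_client_enabled(SAMPLE_CONFIG))
    print("ACL blocks TCP/4786:", acl_blocks_smi(SAMPLE_CONFIG))
    for src, dst, action in suspicious_smi_hits(SAMPLE_LOGS, ["10.0.0.0/8"]):
        print(f"review: {action} SMI attempt {src} -> {dst}")
```

Run against a device where SMI is genuinely needed, the expected outcome is `SMI client enabled: True` together with `ACL blocks TCP/4786: True`; a `False`/`False` pair is a device that CERT NZ would say to treat as affected. The log check deliberately reports permitted as well as denied hits from outside the trusted prefixes, since a permit from an unexpected address is the case that most needs a follow-up.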

CERT NZ advises businesses that believe they have been impacted to contact New Zealand’s National Cyber Security Centre.
