CERT NZ has issued a bulletin about a cyber attack campaign that is targeting Cisco devices that have enabled Smart Install (SMI).
The warning comes after both the US CERT and Cisco published details about internet scans that try to detect devices with the SMI still enabled.
The SMI lacks proper security controls after completing device setup. Those devices could be at risk of misuse, according to Cisco’s security advisory.
“Several researchers have reported on the use of Smart Install (SMI) protocol messages toward Smart Install clients, also known as integrated branch clients (IBC), allowing an unauthenticated, remote attacker to change the startup-config file and force a reload of the device, load a new IOS image on the device, and execute high-privilege CLI commands on switches running Cisco IOS and IOS XE Software,” the advisory says.
“These issues have been reported by Tenable Network Security, Daniel Turner of Trustwave SpiderLabs, and Alexander Evstigneev and Dmitry Kuznetsov of Digital Security.”
“There are no indicators of an attacker changing the TFTP server address or of an attacker copying files off the device using Smart Install capabilities. Cisco recommends that customers look for access from external IP addresses.”
CERT NZ adds that SMI-enabled Cisco devices are accessible through the internet.
“These devices can be identified in a number of ways, including checking for devices with SMI port 4786 open and running.”
“Exploiting this protocol requires SMI to be enabled. It is prudent to work on the basis that all Cisco devices with SMI port 4786 open are affected until they are investigated.”
Cisco is careful not to call it a vulnerability in Cisco IOS, IOS CE, or the SMI feature, but that the smart install protocol does not require authentication by design.
As a response to the ‘misuse’, Cisco has updated its Smart Install Configuration Guide to include security best practices for deploying the Cisco Smart Install feature in customer infrastructures.
CERT NZ says that SMI-enabled Cisco devices should be investigated. Cisco adds that security best practices depend on how the feature is used in a specific customer environment.
“This includes either disabling SMI or adding ACL on port 4786 if SMI is required. Review logs to identify any suspicious activity, such as commands from internet-based hosts or connections to unknown IPs,” CERT NZ continues.
CERT NZ advises businesses that believe they have been impacted to contact New Zealand’s National Cyber Security Centre.