
CERT NZ issues security alert about Smart Install-enabled Cisco devices

19 Apr 2018

CERT NZ has issued a bulletin about a cyber attack campaign that is targeting Cisco devices that have enabled Smart Install (SMI).

The warning comes after both the US CERT and Cisco published details about internet scans that try to detect devices with the SMI still enabled.

The SMI lacks proper security controls after completing device setup. Those devices could be at risk of misuse, according to Cisco’s security advisory.

“Several researchers have reported on the use of Smart Install (SMI) protocol messages toward Smart Install clients, also known as integrated branch clients (IBC), allowing an unauthenticated, remote attacker to change the startup-config file and force a reload of the device, load a new IOS image on the device, and execute high-privilege CLI commands on switches running Cisco IOS and IOS XE Software,” the advisory says.

“These issues have been reported by Tenable Network Security, Daniel Turner of Trustwave SpiderLabs, and Alexander Evstigneev and Dmitry Kuznetsov of Digital Security.”

“There are no indicators of an attacker changing the TFTP server address or of an attacker copying files off the device using Smart Install capabilities. Cisco recommends that customers look for access from external IP addresses.”

CERT NZ adds that SMI-enabled Cisco devices are accessible through the internet. “These devices can be identified in a number of ways, including checking for devices with SMI port 4786 open and running.”

“Exploiting this protocol requires SMI to be enabled. It is prudent to work on the basis that all Cisco devices with SMI port 4786 open are affected until they are investigated.”

Cisco is careful not to call it a vulnerability in Cisco IOS, IOS XE, or the SMI feature; rather, the Smart Install protocol does not require authentication by design.

As a response to the ‘misuse’, Cisco has updated its Smart Install Configuration Guide to include security best practices for deploying the Cisco Smart Install feature in customer infrastructures.

CERT NZ says that SMI-enabled Cisco devices should be investigated. Cisco adds that security best practices depend on how the feature is used in a specific customer environment.

“This includes either disabling SMI or adding ACL on port 4786 if SMI is required. Review logs to identify any suspicious activity, such as commands from internet-based hosts or connections to unknown IPs,” CERT NZ continues.
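The two mitigations CERT NZ describes, written out as Cisco IOS CLI configuration. This is an added example, not text from the CERT NZ bulletin or Cisco's configuration guide; the director address 10.0.0.10, the ACL name and the interface name are assumptions for illustration.

```text
! Option 1 (preferred where the release supports it): turn the Smart Install
! client off. Check the current state first.
show vstack config
configure terminal
 no vstack
end
! Confirm that Smart Install now reports as disabled.
show vstack config

! Option 2 (only if SMI is genuinely required): allow TCP/4786 solely from the
! Smart Install director (assumed here to be 10.0.0.10) and drop everything
! else, logging the denied attempts so they show up during log review.
configure terminal
 ip access-list extended SMI_RESTRICT
  remark Smart Install director only (assumed address)
  permit tcp host 10.0.0.10 any eq 4786
  deny   tcp any any eq 4786 log
  permit ip any any
 interface GigabitEthernet1/0/1
  description uplink toward the internet-facing network (assumed interface)
  ip access-group SMI_RESTRICT in
end
```

Apply the ACL on every interface that can receive traffic from untrusted networks, not just one uplink, and treat any logged deny on port 4786 from an external address as a signal to investigate the device as CERT NZ recommends.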

CERT NZ advises businesses that believe they have been impacted to contact New Zealand’s National Cyber Security Centre.
