Cisco IOS Breach Advisory

In keeping with Unified Technologies’ commitment to inform our customers and the general public of important threats to secure computing, access and connectivity, the content below was prepared to provide insight into some critical flaws in widely deployed Cisco equipment. Cisco has had a difficult quarter in terms of vulnerabilities, as this follows the January release of the far-reaching Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability.

Cisco IOS XE Software Static Credential Vulnerability

A vulnerability in Cisco IOS XE Software could allow an unauthenticated, remote attacker to log in to a device running an affected release of Cisco IOS XE Software (earlier than IOS XE 16.X). IOS XE runs on a wide range of Cisco network devices. The vulnerability is due to an undocumented user account with administrator-like privileges that has a default username and password. An attacker could exploit this vulnerability by using this account to remotely connect to an affected device. A successful exploit could allow the attacker to log in with the highest level of privilege on the device, enabling actions such as deleting the configuration and compromising access control lists.

The “show version” command can be used on the affected platforms to confirm whether the version installed is vulnerable to possible exploits.

The long-term solution to this problem is to upgrade to a newer version of the IOS XE software. These upgrades require maintenance windows and these tasks tend to have the best results when suitably qualified subject matter experts are involved in the planning and deployment phases.

To address this vulnerability, administrators may remove the default account by using the “no username cisco” command in the device configuration. Administrators may also address this vulnerability by logging in to the device and changing the password for this account.

Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability

A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device.

The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts:

  • Restart the device
  • Execute arbitrary commands
  • Crash the device

The “show version” and “show vstack config” commands can be used on the affected platforms to verify whether the version installed is vulnerable to possible exploits and whether the Smart Install Client is enabled.

The Smart Install feature is primarily used as a deployment tool when Cisco devices are being provisioned or first introduced into a network, and as such the feature can be disabled if it is not being used. Other solutions include blocking the TCP port that is used for the exploit. These tasks tend to have the best results when suitably qualified subject matter experts are involved in the planning and deployment phases.
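
The following is an added example, not part of the original advisory or any Cisco tooling: a short Python audit that reads saved “show vstack config” and running-config text for each device and reports whether the Smart Install client is enabled and whether an applied access list denies TCP port 4786. The function names, hostnames, ACL name and the sample output text are constructed assumptions; confirm the exact output wording on your own platforms.

```python
import re

SMI_PORT = 4786  # Smart Install TCP port named in the advisory

def smart_install_client_enabled(vstack_output):
    """Interpret 'show vstack config' text; unknown client state counts as enabled."""
    text = vstack_output.lower()
    if not re.search(r"^\s*role:\s*client", text, re.M):
        return False  # director role, or feature absent from this capture
    disabled = "smartinstall disabled" in text or re.search(r"oper mode:\s*disabled", text)
    return not disabled

def acls_blocking_smi(running_config):
    """Extended ACLs that deny tcp/4786 and are applied inbound on an interface."""
    current, blocking = None, set()
    for line in running_config.splitlines():
        header = re.match(r"ip access-list extended (\S+)", line)
        if header:
            current = header.group(1)
        elif not line.startswith(" "):
            current = None  # left the ACL block
        elif current and re.match(rf"\s+(\d+\s+)?deny\s+tcp\s.*\beq\s+{SMI_PORT}\b", line):
            blocking.add(current)
    applied = set(re.findall(r"^\s+ip access-group (\S+) in\b", running_config, re.M))
    return sorted(blocking & applied)

def audit(vstack_output, running_config):
    """Return (status, detail) for one device's captured output."""
    if not smart_install_client_enabled(vstack_output):
        return ("OK", "Smart Install client not enabled")
    acls = acls_blocking_smi(running_config)
    if acls:
        return ("REVIEW", f"client enabled, tcp/{SMI_PORT} denied by {', '.join(acls)}")
    return ("EXPOSED", f"client enabled, no applied ACL denies tcp/{SMI_PORT}")

# Constructed sample captures (hostnames, addresses and ACL name are made up).
ACL = ("ip access-list extended SMI_FILTER\n permit tcp host 192.0.2.10 any eq 4786\n"
       " deny tcp any any eq 4786\n permit ip any any\n"
       "interface Vlan10\n ip access-group SMI_FILTER in\n")
SAMPLES = {
    "sw-01": (" Role: Client (SmartInstall enabled)\n Vstack Director IP address: 0.0.0.0\n", "hostname sw-01\n"),
    "sw-02": (" Capability: Client\n Oper Mode: Enabled\n Role: Client\n", "hostname sw-02\n" + ACL),
    "sw-03": (" Role: Client (SmartInstall disabled)\n", "hostname sw-03\nno vstack\n"),
}

if __name__ == "__main__":
    for host, (vstack, config) in SAMPLES.items():
        print(host, *audit(vstack, config))
```

A REVIEW result only means a matching deny entry is applied to some interface; it does not confirm that every path to the device is filtered.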

Action Needed

The Talos team at Cisco recently became aware of specific advanced actors targeting Cisco switches by leveraging a protocol misuse issue in the Cisco Smart Install Client. There seems to be an uptick in attempts globally to exploit the vulnerability, including some specifically targeting critical infrastructure. Some of these attacks are believed to be associated with nation-state actors. U.S. CERT (Computer Emergency Readiness Team) recently released an alert detailing the scope and scale of the attack. Both vulnerabilities are critical, but due to the increased activity being observed related to the Smart Install issue, we are alerting customers to the elevated risk and the available options for remediation!