As you may have heard, Cisco has issued a critical warning after WikiLeaks released a CIA dump of Cisco exploits that exposes an IOS weakness affecting the security of hundreds of switch models, including the widely deployed Catalyst 2960, 3560 and 3750 series found in networks around the world. (Cisco's advisory contains the complete list of affected products.)
On March 7th, WikiLeaks released thousands of pages of CIA documents, software tools and techniques used to hack into technology devices, referred to as “Vault 7”. The New York Times said Vault 7 appears to be the largest leak of CIA documents in history. The WikiLeaks release revealed a new critical zero-day vulnerability in IOS and IOS XE that affects hundreds of Cisco switch models and could allow an unauthenticated, remote attacker to execute malicious code and take control of the affected switch.
Specifically, the vulnerability resides in the Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software. CMP uses Telnet internally as a signaling and command protocol between cluster members. According to Cisco, the vulnerability is due to the combination of two factors:
- The failure to restrict the use of CMP-specific Telnet options to internal, local communications between cluster members; instead, such options are accepted and processed over any Telnet connection to an affected device, and
- The incorrect processing of malformed CMP-specific Telnet options.
An attacker could exploit the vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device that is configured to accept Telnet connections. A successful exploit could allow the attacker to execute malicious code and obtain full control of the device, or cause the affected device to reload.
The vulnerable code is present in the default configuration of affected Cisco switches, even when no cluster configuration commands have ever been entered, so not using clustering does not make a switch safe. The flaw can be exploited during Telnet session negotiation over either IPv4 or IPv6.
What you can do about it:
The chances are you’re running one of these switches in your network. Here is what you can do about it:
- Disable Telnet – No fixed software is available yet, and Cisco lists no workaround other than removing the exploit vector: disabling Telnet as an allowed protocol for incoming connections (and managing the switch over SSH instead) eliminates the vulnerability.
- Implement iACLs – For customers who are unable to disable Telnet, Cisco recommends reducing the attack surface by implementing infrastructure access control lists (iACLs) that allow Telnet to the switch’s own addresses only from trusted management hosts and drop it from everywhere else. Because the flaw is reachable over IPv6 as well, an IPv4-only iACL leaves a gap on any switch with IPv6 enabled on a management interface.
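The two mitigations above, written out as IOS CLI configuration. This is an example added here for illustration, not text from Cisco’s advisory or from this page’s original author: the hostname, domain name, the management subnet 10.10.10.0/24 and the switch management addresses 192.0.2.10 and 2001:DB8::10 are assumptions and must be replaced with your own values. The first section is the preferred fix (SSH only on the vty lines); the second is the iACL fallback for switches where Telnet must stay enabled.

```cisco
! ===== Option 1: disable Telnet, manage over SSH =====
! SSH needs a hostname, a domain name and an RSA key pair before
! you remove Telnet, or you lock yourself out of the switch.
! (hostname, domain name and username are assumed placeholders)
hostname SW1
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
!
username admin privilege 15 secret <strong-password>
!
! Catalyst 2960/3560/3750 expose vty lines 0-15; cover all of them.
! "transport input ssh" replaces the transport list, so Telnet is no
! longer an allowed inbound protocol on these lines.
line vty 0 15
 login local
 exec-timeout 10 0
 transport input ssh
!
! ===== Option 2: iACL if Telnet cannot be disabled yet =====
! Permit Telnet/SSH to the switch's own address only from the assumed
! management subnet; drop and log all other Telnet to the switch.
! The final "permit ip any any" keeps transit traffic flowing.
ip access-list extended INFRA-ACL
 remark management hosts may reach this switch (assumed 10.10.10.0/24)
 permit tcp 10.10.10.0 0.0.0.255 host 192.0.2.10 eq 23
 permit tcp 10.10.10.0 0.0.0.255 host 192.0.2.10 eq 22
 remark everyone else: no Telnet to the switch, logged
 deny   tcp any host 192.0.2.10 eq 23 log
 permit ip any any
!
! Same rule for IPv6 if it is enabled on the management interface;
! the flaw is exploitable over IPv6 too (2001:DB8::10 is assumed).
ipv6 access-list INFRA-ACL6
 permit tcp 2001:DB8:10::/64 host 2001:DB8::10 eq 23
 permit tcp 2001:DB8:10::/64 host 2001:DB8::10 eq 22
 deny   tcp any host 2001:DB8::10 eq 23 log
 permit ipv6 any any
!
! Apply inbound on every interface from which the management address
! is reachable (here the assumed management SVI).
interface Vlan1
 ip access-group INFRA-ACL in
 ipv6 traffic-filter INFRA-ACL6 in
!
! Belt and braces: also restrict the vty lines to the management
! subnet. Cisco's stated mitigation is the interface iACL above;
! this only narrows who can reach the login prompt at all.
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
line vty 0 15
 access-class MGMT-HOSTS in
!
! ===== Verify =====
! show running-config | section line vty   -> expect "transport input ssh"
! show ip ssh                              -> expect "SSH Enabled - version 2.0"
! show ip access-lists INFRA-ACL           -> hit counters on the deny line
! show ipv6 access-list INFRA-ACL6
```

Apply Option 1 from a console or an already-open SSH session, never from a Telnet session you are about to cut off, and test a fresh SSH login before saving with “write memory”. For Option 2, remember that an iACL on one SVI does nothing for a management address reachable through another interface; list every entry point.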
We are here to help!
Network Craze is here to help! Cisco said it will release software updates that address the vulnerability, although the company has not said when they will be available. In the meantime we can help review configurations, discuss your concerns and implement best practices. We have engineers on staff who can walk you through the process of protecting your network. Call us today to set up an appointment with one of our Cisco specialists or CCIEs.