Cisco Finds Vulnerability in its IOS Software by Reviewing CIA Vault 7 Leak

Zarathustra[H]

Whenever governments or companies release documentation late in the day on a Friday, you can be pretty sure it's something they hope people won't notice. Such is probably the case with CVE-2017-3881, a vulnerability Cisco discovered in its IOS and IOS XE software which could allow an attacker to reload an affected device or remotely execute code with elevated privileges.

This find demonstrates the value in digging deep into the details. While this vulnerability was documented in the Wikileaks Vault 7 CIA dump, it was not one of the methods identified in the summary documents. Cisco has not yet released a software update to fix this issue, but states that it can be identified using Cisco IPS Signature 7880-0 and Snort SIDs 41909 and 41910.

I'm not an expert in the field of enterprise network security products, but it seems unusual to me for a company to announce their own vulnerability before they have patched it. Maybe this is because the fix is relatively simple. Don't use Telnet for clusters. Using Telnet for pretty much anything in 2017 knowing what we know today about security seems like a bad idea.

Disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector. Disabling Telnet and using SSH is recommended by Cisco. Information on how to do both can be found on the Cisco Guide to Harden Cisco IOS Devices.

Customers unable or unwilling to disable the Telnet protocol can reduce the attack surface by implementing infrastructure access control lists (iACLs). Information on iACLs can be found in the following document: Protecting Your Core: Infrastructure Protection Access Control Lists
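A way to check that the workaround is actually in place on a box, as an added example that is not part of the original post or of Cisco's guidance: the script audits `show running-config` text for vty lines that still accept Telnet, for a missing access-class, and for SSHv2 not being enabled, using constructed weak and hardened config samples (the management subnet and the ACL name are assumptions, and the platform default for a vty with no explicit `transport input` is deliberately treated as a finding).

```python
import re
# Constructed sample configs (not from the original post or from Cisco).
WEAK_CONFIG = """\
line vty 0 4
 transport input all
 login local
line vty 5 15
 transport input telnet
 login local
"""

HARDENED_CONFIG = """\
ip ssh version 2
ip access-list standard MGMT-VTY
 permit 10.0.100.0 0.0.0.255
 deny   any
line vty 0 15
 access-class MGMT-VTY in
 transport input ssh
 login local
"""

def parse_vty_blocks(config):
    """Return [(name, [sub-commands])] for every 'line vty ...' section."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw[len("line "):], [])
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None          # any other top-level command ends the section
    return blocks

def audit(config):
    """Return findings; an empty list means Telnet is off on every vty and SSHv2 is on."""
    findings = []
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 not configured")
    for name, cmds in parse_vty_blocks(config):
        transport = [c for c in cmds if c.startswith("transport input")]
        # The last 'transport input' wins; with none present the platform default applies.
        last = transport[-1] if transport else "transport input (platform default)"
        if last.split()[2:] != ["ssh"]:
            findings.append(f"{name}: Telnet may be reachable ({last})")
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(f"{name}: no access-class restricting vty sources")
    return findings
```

Run `audit()` over the output of `show running-config` from each affected switch; anything it returns is a vty that still needs `transport input ssh` or an `access-class`.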
 
That's a hell of a long list of affected switches and many of them are extremely popular models for their day. The 3750 series were awesome switches, they were tanks. This product listing affects a whole bunch of the world.
 
If you work in this field and are using Telnet and SNMPv1 you should just quit and shine shoes or something. Old equipment that does not support SSH should be retired or have remote support terminated and run off a secured terminal server via console.

/rant.
 
Let me translate this - Since Wikileaks exposed the Security Vulnerabilities the CIA paid CISCO to keep open (as per the Wikileaks Docs), CISCO is now addressing them (while likely creating other vulnerabilities to keep the CIA checks coming)...
 
That's a hell of a long list of affected switches and many of them are extremely popular models for their day. The 3750 series were awesome switches, they were tanks. This product listing affects a whole bunch of the world.

Yeah I still have a few 3750 and 3750Gs running, but enabled SSH on K9 models and killed off remote support on the non-k9 models. They are doing non-critical duty at this point, so getting to them in any kind of immediate fashion is not worth leaving telnet on.
 
If you work in this field and are using Telnet and SNMPv1 you should just quit and shine shoes or something. Old equipment that does not support SSH should be retired or have remote support terminated and run off a secured terminal server via console.

/rant.

My sentiments exactly.

Why anyone would use a plain text protocol for anything today is completely beyond me.
 
Let me translate this - Since Wikileaks exposed the Security Vulnerabilities the CIA paid CISCO to keep open (as per the Wikileaks Docs), CISCO is now addressing them (while likely creating other vulnerabilities to keep the CIA checks coming)...

Where did you read into that? Did you even read the release? Here:

The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors:

The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and

The incorrect processing of malformed CMP-specific Telnet options.

An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device.
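To make the two factors in the advisory concrete from the defender's side, here is an added example (not from Cisco's advisory or the original post) that parses Telnet option negotiation in a captured client-to-device byte stream and flags a subnegotiation that is truncated, or that carries a non-standard option from a peer outside the cluster-member allowlist; the allowlists, the addresses and the option code 200 are constructed values, not the real CMP option.

```python
IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}          # WILL / WONT / DO / DONT, one option byte follows

# Policy (assumed, not from Cisco): options an ordinary admin client may subnegotiate,
# and the only peers that should ever speak cluster-management options to this device.
STANDARD_OPTIONS = {24, 31, 39}               # TERMINAL-TYPE, NAWS, NEW-ENVIRON
CLUSTER_MEMBERS = {"10.0.100.12", "10.0.100.13"}

def parse_subnegotiations(stream):
    """Yield (option, payload, terminated) for each IAC SB ... IAC SE in a byte stream."""
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC or i + 1 >= n:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd == SB:
            if i + 2 >= n:                      # stream ends right after SB
                yield None, b"", False
                return
            option, j = stream[i + 2], i + 3
            end = stream.find(bytes([IAC, SE]), j)
            if end == -1:                       # SB never closed: malformed
                yield option, stream[j:], False
                return
            yield option, stream[j:end], True
            i = end + 2
        elif cmd in NEGOTIATE:
            i += 3                              # skip IAC <cmd> <option>
        else:
            i += 2                              # two-byte command, or escaped 0xFF

def check_connection(peer_ip, stream):
    """Return alert strings for one client-to-device Telnet stream."""
    alerts = []
    for option, payload, terminated in parse_subnegotiations(stream):
        if not terminated:
            alerts.append(f"{peer_ip}: truncated subnegotiation (option {option})")
        if option not in STANDARD_OPTIONS and peer_ip not in CLUSTER_MEMBERS:
            alerts.append(f"{peer_ip}: non-standard option {option} from non-cluster peer")
    return alerts

# Constructed samples: a normal TERMINAL-TYPE reply, and an arbitrary option 200 from an outsider.
NORMAL = bytes([IAC, 0xFB, 24, IAC, SB, 24, 0, *b"xterm", IAC, SE]) + b"login: "
SUSPECT = bytes([IAC, SB, 200, 1, 2, 3, IAC, SE])
```

The same subnegotiation is silent when it comes from a cluster member and alerts when it comes from anyone else, which is exactly the restriction the advisory says the affected code does not enforce.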
 
Looks to be most of the older equipment.. don't see any of the Nexus line affected. The bulk of this stuff wouldn't be accessible in most environments anyways as most would be used as core/leaf switches. If using them for your outside switches or running multiple contexts.. should probably make sure telnet is off and enforce ssh.

Problem is, this is the stuff that a lot of smaller companies without seasoned network admins buy... they have folks that know just enough to set it up, but don't know to turn off certain features. Only when the companies require some sort of compliancy do they look into and enforce the various security measures.
 
Let me translate this - Since Wikileaks exposed the Security Vulnerabilities the CIA paid CISCO to keep open (as per the Wikileaks Docs), CISCO is now addressing them (while likely creating other vulnerabilities to keep the CIA checks coming)...

Actually, I think a former CIA contractor exposed the information and Wikileaks only published it. At least this is Wikileaks' defense on this subject. They claim they are not responsible for the release and that it is their responsibility, as a member of the world's media, to report all the information in its entirety.

Just thought I would add a little definition to your statement.
 
Yeah I still have a few 3750 and 3750Gs running, but enabled SSH on K9 models and killed off remote support on the non-k9 models. They are doing non-critical duty at this point, so getting to them in any kind of immediate fashion is not worth leaving telnet on.

Ours are not connected to the world soooo.
 
I telnet to SMTP servers with any any rules.

HELO <only when they make me pentest>
 
I just bought an 8 port 2960 gigabit switch off eBay for a few bucks in the past couple of months for my home network. Guess I'll have to disable telnet just in case someone hacked my internet router or something. But the "attack surface" seems really small.
 
I just bought an 8 port 2960 gigabit switch off eBay for a few bucks in the past couple of months for my home network. Guess I'll have to disable telnet just in case someone hacked my internet router or something. But the "attack surface" seems really small.

Unless you have configured a public IP on your switch or set up some port forward for telnet or NAT to a private address on the switch, I would say your 'attack surface' is non-existent. Most home ISPs don't cater to having these types of devices as actual 'edge' devices... not saying it can't be done, but to do it you have to either know what you are doing or maybe I suppose absolutely not know what you are doing.
 
Verify with Shodan. lol


I could, but we have no physical connections to the world for our dev networks. We have servers, we have workstations, nothing touches anything that is connected. No cell phones into the building.

I went to a cardiologist last Friday, they are going to put me on a monitor. It's cute, you get the four electrodes, the monitor that hangs from around your neck and is connected to the electrodes. And they hand you a cell phone that connects via Bluetooth to the monitor and phones home with the data. Yea that shit ain't coming inside here, no way. I'll just have to leave it at home and they'll get what data they get after work when I can put it on then.

If you have something that you really want to keep secure, this is part of what you have to do. Otherwise take your chances and hope you, and your vendor's software, are up to the task. But as we see right here, even CISCO isn't bulletproof.
 
It's fairly common for vulnerabilities or bugs to be announced and Cisco just lists workaround with no known fixes.


Interesting. Must be more common on enterprise products.

On the consumer side I'm used to companies wanting to keep things hushed up until they can roll out a patch, so that people aren't abusing the exploit in the wild while they are rushing to fix it.
 