Cisco Finds Vulnerability in its IOS Software by Reviewing CIA Vault 7 Leak

Discussion in '[H]ard|OCP Front Page News' started by Zarathustra[H], Mar 20, 2017.

  1. Zarathustra[H]

    Zarathustra[H] [H]ard|News Staff Member

    Messages:
    21,948
    Joined:
    Oct 29, 2000
    Whenever governments or companies release documentation late in the day on a Friday, you can be pretty sure it's something they hope people won't notice. Such is probably the case with CVE-2017-3881, a vulnerability Cisco discovered in its IOS and IOS XE software which could allow an attacker to reload an affected device or remotely execute code with elevated privileges.

    This find demonstrates the value in digging deep into the details. While this vulnerability was documented in the Wikileaks Vault 7 CIA dump, it was not one of the methods identified in summary documents. Cisco has not yet released a software update to fix this issue, but states that it can be identified using Cisco IPS Signature 7880-0 and Snort SIDs 41909 and 41910.

    I'm not an expert in the field of enterprise network security products, but it seems unusual to me for a company to announce their own vulnerability before they have patched it. Maybe this is because the fix is relatively simple. Don't use Telnet for clusters. Using Telnet for pretty much anything in 2017 knowing what we know today about security seems like a bad idea.

    Disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector. Disabling Telnet and using SSH is recommended by Cisco. Information on how to do both can be found on the Cisco Guide to Harden Cisco IOS Devices.

    Customers unable or unwilling to disable the Telnet protocol can reduce the attack surface by implementing infrastructure access control lists (iACLs). Information on iACLs can be found on the following document: Protecting Your Core: Infrastructure Protection Access Control Lists
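    The two mitigations above (restricting vty access to SSH and limiting which sources may reach the management plane) are easy to check for in a saved running-config. The following is an added example, not from the Cisco advisory or the hardening guide: a small Python audit that parses `line vty` blocks, flags any block whose `transport input` still admits Telnet (`telnet` or `all`, or no explicit setting at all), and flags blocks with no `access-class`. The two configs embedded in it are constructed for illustration; the `access-class` check is the vty-level variant of source restriction and is used here only as a stand-in for the interface-level iACLs the Cisco document describes, which this script does not parse.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample configs for the example; not taken from any real device.
WEAK_CONFIG = """\
hostname edge-sw1
!
line vty 0 4
 password 7 0822455D0A16
 login
 transport input telnet ssh
line vty 5 15
 login local
 transport input all
!
end
"""

HARDENED_CONFIG = """\
hostname edge-sw1
!
ip access-list standard MGMT-HOSTS
 permit 10.0.100.0 0.0.0.255
 deny any log
!
line vty 0 4
 login local
 access-class MGMT-HOSTS in
 transport input ssh
line vty 5 15
 login local
 access-class MGMT-HOSTS in
 transport input ssh
!
end
"""

# Keywords on 'transport input' that still admit Telnet sessions.
TELNET_WORDS = {"telnet", "all"}


@dataclass
class VtyLine:
    name: str                                   # e.g. "line vty 0 4"
    transport_input: Optional[List[str]] = None  # protocols listed, None if unset
    access_class: Optional[str] = None          # ACL name bound with access-class


def parse_vty_lines(config: str) -> List[VtyLine]:
    """Collect each 'line vty ...' block and the two settings we care about.

    IOS config is line-oriented: a block starts with an unindented command
    and its sub-commands are indented by one space until the next
    unindented line, so a simple state machine is enough.
    """
    blocks: List[VtyLine] = []
    current: Optional[VtyLine] = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = VtyLine(name=raw.strip())
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            cmd = raw.strip()
            if cmd.startswith("transport input"):
                current.transport_input = cmd.split()[2:]
            elif cmd.startswith("access-class"):
                current.access_class = cmd.split()[1]
        else:
            current = None  # any other top-level command ends the block
    return blocks


def audit(config: str) -> List[str]:
    """Return one finding per weakness; an empty list means nothing to report."""
    findings: List[str] = []
    for vty in parse_vty_lines(config):
        if vty.transport_input is None:
            findings.append(f"{vty.name}: no 'transport input' set; "
                            "platform default may still permit telnet")
        elif TELNET_WORDS & set(vty.transport_input):
            findings.append(f"{vty.name}: telnet allowed "
                            f"(transport input {' '.join(vty.transport_input)})")
        if vty.access_class is None:
            findings.append(f"{vty.name}: no access-class; "
                            "any reachable source may open a session")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for line in audit(cfg) or ["no findings"]:
            print(" ", line)
```

Running it prints four findings for the weak config (Telnet admitted on both vty ranges, neither range restricted by an ACL) and none for the hardened one. A block with no `transport input` at all is reported rather than silently accepted, because the platform default is not visible in the config text.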
     
  2. lcpiper

    lcpiper [H]ardness Supreme

    Messages:
    7,374
    Joined:
    Jul 16, 2008
    That's a hell of a long list of affected switches and many of them are extremely popular models for their day. The 3750 series were awesome switches, they were tanks. This product listing affects a whole bunch of the world.
     
  3. schizrade

    schizrade [H]ardness Supreme

    Messages:
    4,579
    Joined:
    Feb 15, 2003
    If you work in this field and are using Telnet and SNMPv1 you should just quit and shine shoes or something. Old equipment that does not support SSH should be retired or have remote support terminated and run off a secured terminal server via console.

    /rant.
     
    Makaveli@BETA and Zarathustra[H] like this.
  4. Zion Halcyon

    Zion Halcyon [H]ard|Gawd

    Messages:
    1,726
    Joined:
    Dec 28, 2007
    Let me translate this - Since Wikileaks exposed the Security Vulnerabilities the CIA paid CISCO to keep open (as per the Wikileaks Docs), CISCO is now addressing them (while likely creating other vulnerabilities to keep the CIA checks coming)...
     
  5. schizrade

    schizrade [H]ardness Supreme

    Messages:
    4,579
    Joined:
    Feb 15, 2003
    Yeah I still have a few 3750 and 3750Gs running, but enabled SSH on K9 models and killed off remote support on the non-k9 models. They are doing non-critical duty at this point, so getting to them in any kind of immediate fashion is not worth leaving telnet on.
     
  6. Zarathustra[H]

    Zarathustra[H] [H]ard|News Staff Member

    Messages:
    21,948
    Joined:
    Oct 29, 2000
    My sentiments exactly.

    Why anyone would use a plain text protocol for anything today is completely beyond me.
     
  7. schizrade

    schizrade [H]ardness Supreme

    Messages:
    4,579
    Joined:
    Feb 15, 2003
    Where did you read into that? Did you even read the release? Here:

     
  8. Kelter

    Kelter Limp Gawd

    Messages:
    283
    Joined:
    Dec 23, 2005
    Looks to be most of the older equipment.. don't see any of the Nexus line affected. The bulk of this stuff wouldn't be accessible in most environments anyways as most would be used as core/leaf switches. If using them for your outside switches or running multiple contexts.. should probably make sure telnet is off and enforce ssh.

    Problem is, this is the stuff that a lot of smaller companies without seasoned network admins buy... they have folks that know just enough to set it up, but don't know to turn off certain features. Only when the companies require some sort of compliancy do they look into and enforce the various security measures.
     
  9. lcpiper

    lcpiper [H]ardness Supreme

    Messages:
    7,374
    Joined:
    Jul 16, 2008
    Actually, I think a former CIA contractor exposed the information and Wikileaks only published it. At least this is Wikileaks' defense on this subject. They claim they are not responsible for the release and that it is their responsibility, as a member of the world's media, to report all the information in its entirety.

    Just thought I would add a little definition to your statement.
     
  10. lcpiper

    lcpiper [H]ardness Supreme

    Messages:
    7,374
    Joined:
    Jul 16, 2008
    Ours are not connected to the world soooo.
     
  11. Crixus

    Crixus Limp Gawd Staff Member

    Messages:
    238
    Joined:
    Nov 29, 2011
    I telnet to SMTP servers with any any rules.

    HELO <only when they make me pentest>
     
  12. Crixus

    Crixus Limp Gawd Staff Member

    Messages:
    238
    Joined:
    Nov 29, 2011
    Verify with Shodan. lol
     
    windianrecords and lcpiper like this.
  13. EODetroit

    EODetroit Gawd

    Messages:
    872
    Joined:
    Oct 20, 2004
    I just bought an 8 port 2960 gigabit switch off ebay for a few bucks in the past couple of months for my home network. Guess I'll have to disable telnet just in case someone hacked my internet router or something. But the "attack surface" seems really small.
     
  14. Kelter

    Kelter Limp Gawd

    Messages:
    283
    Joined:
    Dec 23, 2005
    Unless you have configured a public IP on your switch or set up some port forward for telnet or NAT to a private address on the switch, I would say your 'attack surface' is non-existent. Most home ISPs don't cater to having these types of devices as actual 'edge' devices... not saying it can't be done, but to do it you have to either know what you are doing or maybe I suppose absolutely not know what you are doing.
     
  15. lcpiper

    lcpiper [H]ardness Supreme

    Messages:
    7,374
    Joined:
    Jul 16, 2008

    I could, but we have no physical connections to the world for our dev networks. We have servers, we have workstations, nothing touches anything that is connected. No cell phones into the building.

    I went to a cardiologist last Friday, they are going to put me on a monitor. It's cute, you get the four electrodes, the monitor that hangs from around your neck and is connected to the electrodes. And they hand you a cell phone that connects via Bluetooth to the monitor and phones home with the data. Yea that shit ain't coming inside here, no way. I'll just have to leave it at home and they'll get what data they get after work when I can put it on then.

    If you have something that you really want to keep secure, this is part of what you have to do. Otherwise take your chances and hope you and your vendor's software are up to the task. But as we see right here, even CISCO isn't bulletproof.
     
  16. Raekwon

    Raekwon [H]ard|Gawd

    Messages:
    1,996
    Joined:
    Nov 29, 2001
    It's fairly common for vulnerabilities or bugs to be announced and Cisco just lists workarounds with no known fixes.
     
    Zarathustra[H] and Crixus like this.
  17. Crixus

    Crixus Limp Gawd Staff Member

    Messages:
    238
    Joined:
    Nov 29, 2011
    Very true. Not just Cisco either.
     
  18. Zarathustra[H]

    Zarathustra[H] [H]ard|News Staff Member

    Messages:
    21,948
    Joined:
    Oct 29, 2000

    Interesting. Must be more common on enterprise products.

    On the consumer side I'm used to companies wanting to keep things hushed up until they can roll out a patch, so that people aren't abusing the exploit in the wild while they are rushing to fix it.