5 Jan 2018

Hundreds of Cisco Switch Models Vulnerable to CIA Hack found in Wikileaks ‘Vault 7’ Docs

Cisco Systems said it has found a critical vulnerability affecting the IOS and IOS XE software inside hundreds of models of its switches. The vulnerability can allow an attacker to remotely gain full control or cause a reload of an affected device.

According to the advisory, the bug is found in the Cluster Management Protocol (CMP) code in Cisco's IOS and IOS XE software, which the company installs on the switches it sells.

The CMP protocol has been designed to pass around information about switch clusters between cluster members using Telnet or SSH.

The vulnerability is in the default configuration of affected Cisco devices, even if the user doesn't configure any cluster configuration commands. The flaw can be exploited during Telnet session negotiation over either IPv4 or IPv6.

According to the Cisco researchers, this bug occurs in Telnet connections within the CMP, due to two factors:
  • The protocol doesn't restrict the use of CMP - specific Telnet options only to internal, local communications between cluster members; instead, it accepts and processes commands over any Telnet connection to an affected device.
  • The incorrect processing of malformed CMP-specific Telnet options.
So, in order to exploit this vulnerability, an attacker can send "malformed CMP - specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections," researchers say.
Click here to view a full list of affected Cisco Switches.

Disable Telnet on vulnerable switches

As of writing, a patch(es) has not been released and until patches are available, Cisco recommends its users to disable the Telnet connection to the switch devices in favor of SSH.

The SSH protocol is the only protocol that should be enabled for incoming connections on all VTYs. No Telnet connections should be possible to any VTY on the device while using this configuration.

Switch#show running-config | include ^line vty|transport input
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh

image credit