TACTICAL CYBER INTELLIGENCE REPORT

Actor Type: II
Serial: TR-18-098-001
Countries: IN, CN
Report Date: 20180406

Critical Flaw in Cisco Switches allows Remote Code Execution

A vulnerability has been identified in Cisco IOS Software and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to execute arbitrary code, take full control over the targeted network and subsequently intercept sensitive traffic.

Impact

The vulnerability identified by researchers allows remote code execution on a large variety of Cisco switches. This vulnerability, tracked as CVE-2018-0171 [1], is present in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software and could allow an unauthenticated, remote attacker to trigger a reload of an affected device. This results in a denial of service (DoS) condition or enables the execution of arbitrary code on the affected device. The stack-based buffer overflow is due to improper input validation.

The attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit may allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts:

  • Triggering a reload of the device
  • Allowing the attacker to execute arbitrary code on the device
  • Causing an indefinite loop on the affected device that triggers a watchdog crash
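Because the exploit requires reaching TCP port 4786 on the switch, one practical defensive check is to look for Smart Install traffic that originates outside the network management segment. The script below is an added example and is not part of the Wapack Labs report or of any Cisco tooling; it parses a constructed, simplified key=value firewall log format and flags every TCP session to port 4786 whose source address is outside an assumed management subnet (10.10.0.0/24). The log format, field names, sample addresses and subnet are all assumptions made for this example.

```python
"""Flag connections to the Cisco Smart Install port (TCP 4786) from outside
the management network.

Added example, not part of the original report. The log format below is an
assumed, simplified firewall-style format: one connection per line as
space-separated key=value pairs. The management subnet is also an assumption.
"""
import ipaddress
import re
from dataclasses import dataclass

SMART_INSTALL_PORT = 4786  # TCP port used by Smart Install (stated in the report)

# Assumed: only hosts in this network should ever reach switch management services.
MANAGEMENT_NET = ipaddress.ip_network("10.10.0.0/24")

# Constructed sample log lines (documentation-range addresses, not real systems).
SAMPLE_LOG = """\
2018-04-05T10:01:12Z action=allow proto=tcp src=10.10.0.15 sport=51000 dst=10.20.1.2 dport=4786
2018-04-05T10:01:30Z action=allow proto=tcp src=203.0.113.44 sport=40211 dst=10.20.1.2 dport=4786
2018-04-05T10:02:02Z action=allow proto=tcp src=198.51.100.7 sport=40212 dst=10.20.1.3 dport=22
2018-04-05T10:02:45Z action=allow proto=udp src=203.0.113.44 sport=5000 dst=10.20.1.2 dport=4786
2018-04-05T10:03:10Z action=deny proto=tcp src=192.0.2.9 sport=33333 dst=10.20.1.4 dport=4786
"""

# Matches the assumed key=value line layout; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>\S+)\s+sport=(?P<sport>\d+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    action: str  # "allow" means the device was actually reachable; "deny" is an attempt


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_smart_install_exposure(log_text, management_net=MANAGEMENT_NET):
    """Return Findings for every TCP/4786 session sourced outside management_net.

    Denied sessions are kept too: they show who is probing the port even when
    the firewall already blocks it.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] != "tcp" or rec["dport"] != SMART_INSTALL_PORT:
            continue
        if ipaddress.ip_address(rec["src"]) in management_net:
            continue  # expected Smart Install director/management traffic
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"], rec["action"]))
    return findings


if __name__ == "__main__":
    for f in find_smart_install_exposure(SAMPLE_LOG):
        print(f"{f.timestamp} {f.action.upper():5} {f.src} -> {f.dst}:{SMART_INSTALL_PORT}")
```

On the constructed sample, the script reports two sessions: the allowed connection from 203.0.113.44 (a device that was genuinely reachable on the Smart Install port) and the denied probe from 192.0.2.9; the management-subnet session and the UDP line are ignored. The same logic can be adapted to a real firewall or NetFlow export by changing only `LINE_RE` and the subnet.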

A proof-of-concept (PoC) exploit has also been published at https://embedi.com/blog/cisco-smart-install-remote-code-execution/

Affected Devices

The following devices are affected:

  • Catalyst 4500 Supervisor Engines
  • Catalyst 3850 Series
  • Catalyst 3750 Series
  • Catalyst 3650 Series
  • Catalyst 3560 Series
  • Catalyst 2960 Series
  • Catalyst 2975 Series
  • IE 2000
  • IE 3000
  • IE 3010
  • IE 4000
  • IE 4010
  • IE 5000
  • SM-ES2 SKUs
  • SM-ES3 SKUs
  • NME-16ES-1G-P
  • SM-X-ES3 SKUs

Prevention and Mitigation Techniques

Cisco has published an advisory and released fixed software for this vulnerability. Our customers are advised to apply these patches as soon as possible. The advisory is available at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2


[1] https://nvd.nist.gov/vuln/detail/CVE-2018-0171

© 2018 Wapack Labs Corporation. All rights reserved
