Misuse of Cisco Smart Install Feature

The US Cybersecurity and Infrastructure Security Agency (CISA) has disclosed that threat actors are abusing the legacy Cisco Smart Install (SMI) feature to access sensitive data.  The agency said it has seen adversaries "acquire system configuration files by leveraging available protocols or software on devices, such as abusing the legacy Cisco Smart Install feature."  It also said it continues to observe weak passwords used on Cisco network devices, thereby exposing them to password-cracking attacks.  Password types refer to algorithms that secure a Cisco device's password within a system configuration file.

Threat actors who can gain access to the device in this manner could easily access system configuration files, facilitating a more profound compromise of the victim networks.  "Organizations must ensure all passwords on network devices are stored using a sufficient level of protection," CISA said, adding it recommends "type 8 password protection for all Cisco devices to protect passwords within configuration files."  It also urges enterprises to review the National Security Agency's (NSA) Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for configuration guidance.[1]

Additional best practices include using a robust hashing algorithm to store passwords, avoiding password reuse, assigning strong and complex passwords, and refraining from using group accounts that do not provide accountability.
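As an added example that is not part of the article, the following Python audit applies the two recommendations above to a saved IOS-style running-config: it flags credentials stored with weak password types (0, 5, 7, or an untyped plaintext value) instead of the recommended type 8, and reports when Smart Install has not been disabled. The `no vstack` command, the treatment of type 9 (scrypt) as acceptable, and the sample configuration are assumptions taken from Cisco and NSA documentation, not from the article.

```python
import re

# Cisco password types as they appear in a running-config. Types 0, 5 and 7
# are the weak ones the CISA guidance targets; type 8 (PBKDF2-SHA-256) is
# the recommended type. Type 9 (scrypt) is treated as acceptable here based
# on the NSA Network Infrastructure Security Guide (assumption, not from the article).
WEAK_TYPES = {"0": "plaintext (type 0)", "5": "MD5 (type 5)", "7": "reversible (type 7)"}
RECOMMENDED_TYPE = "8"
ACCEPTABLE_TYPES = {"8", "9"}

# Credential lines that carry an explicit type digit, e.g. "enable secret 5 $1$...".
_CRED_RE = re.compile(
    r"^\s*(?P<prefix>enable (?:secret|password)|"
    r"username \S+(?: privilege \d+)? (?:secret|password))"
    r"\s+(?P<type>\d)\s+(?P<value>\S+)\s*$"
)
# "enable password foo" / "username x password foo" with no type digit is plaintext.
_NOTYPE_RE = re.compile(
    r"^\s*(?P<prefix>enable password|username \S+(?: privilege \d+)? password)"
    r"\s+(?!\d\s)(?P<value>\S+)\s*$"
)


def audit_config(config_text: str) -> list[str]:
    """Return human-readable findings for weak password storage and Smart Install."""
    findings = []
    smart_install_disabled = False
    for line in config_text.splitlines():
        if line.strip() == "no vstack":  # Cisco's command to disable Smart Install (assumed)
            smart_install_disabled = True
            continue
        m = _CRED_RE.match(line)
        if m:
            t = m.group("type")
            if t in WEAK_TYPES:
                findings.append(f"{m.group('prefix')}: weak storage {WEAK_TYPES[t]}; migrate to type {RECOMMENDED_TYPE}")
            elif t not in ACCEPTABLE_TYPES:
                findings.append(f"{m.group('prefix')}: unrecognised password type {t}; review manually")
            continue
        m = _NOTYPE_RE.match(line)
        if m:
            findings.append(f"{m.group('prefix')}: untyped plaintext password; migrate to type {RECOMMENDED_TYPE}")
    if not smart_install_disabled:
        findings.append("Smart Install: 'no vstack' absent; the feature may still be enabled")
    return findings


# Constructed sample running-config; every hash value below is a placeholder.
SAMPLE_CONFIG = """\
hostname edge-sw1
enable secret 5 $1$abcd$CONSTRUCTED_MD5_HASH
enable password cisco123
username admin password 7 094F471A1A0A
username ops privilege 15 secret 9 $9$CONSTRUCTED_SCRYPT_HASH
username auditor secret 8 $8$CONSTRUCTED_PBKDF2_HASH
vstack
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```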

The development comes as Cisco warned of the public availability of proof-of-concept (PoC) code for CVE-2024-20419 (CVSS score: 10.0), a critical flaw impacting Smart Software Manager On-Prem (Cisco SSM On-Prem) that could enable a remote, unauthenticated attacker to change the password of any user.  The networking equipment major has also warned of multiple critical shortcomings (CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454, CVSS scores: 9.8) in Small Business SPA300 Series and SPA500 Series IP Phones that could permit an attacker to execute arbitrary commands on the underlying operating system or cause a denial-of-service (DoS) condition.

"These vulnerabilities exist because incoming HTTP packets are not properly checked for errors, which could result in a buffer overflow," Cisco reported in a bulletin published on 7 August 2024.  "An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device.  A successful exploit could allow the attacker to overflow an internal buffer and execute arbitrary commands at the root privilege level."

The company said it does not intend to release software updates to address the flaws, as the appliances have reached End-of-Life (EOL) status, necessitating that users transition to newer models.

This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424

[1] https://thehackernews.com/2024/08/cisa-warns-of-hackers-exploiting-legacy.html
