A cache of CIA documents was dropped on the internet two weeks ago via WikiLeaks. It was a huge volume of data, some of which detailed CIA tools for breaking into smartphones and even smart TVs. Now, Cisco has said its examination of the documents points to a gaping security hole in more than 300 models of its switches. There’s no patch for this critical vulnerability, but it’s possible to mitigate the risk with some settings changes.

Cisco’s security arm sent out an advisory on Friday alerting customers that the Cluster Management Protocol in its IOS and IOS XE Software was vulnerable to an attack based on the leaked documents. The 318 affected switch models are mostly in the Catalyst series, but there are also some embedded systems and IE-series switches on the list. These are enterprise devices that cost a few thousand dollars at least, so nothing in your house is affected by this particular attack.

The vulnerability is tied to the way Cisco’s Cluster Management Protocol (CMP) uses Telnet for internal signaling. It is possible to accidentally leave Telnet reachable from outside the network. This is a somewhat common mistake, and that’s what the CIA exploit relies on. It works by feeding a malformed CMP-specific Telnet ping into the switch while establishing a new Telnet session. This can grant the remote user the power to run arbitrary code on the switch, which is essentially the holy grail of exploits. The CIA could use this method to gain full control of the device, and thus of all the traffic passing through it.

Cisco says there’s currently no way to patch the switch firmware to prevent this attack. The issue lies in the way vulnerable devices process Telnet commands. Specifically, they process all of them, even if no “cluster management commands” are present in the device’s configuration. There are two changes network administrators can make to stop the attack from working. First, disable Telnet for incoming connections. If disabling Telnet is not feasible for a business, an access list can be used to strictly limit the devices that are allowed to send Telnet requests to the switch.
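The two mitigations above, shown as a Cisco IOS configuration fragment. This is an added illustration, not text from the Cisco advisory or the original article; the hostname, domain name, username and the 192.0.2.x management addresses are placeholders.

```cisco
! Exposed management configuration (constructed example): Telnet is accepted
! on every vty line from any source, so a crafted CMP Telnet session can
! reach the switch from anywhere that can route to it.
line vty 0 15
 transport input telnet
!
! --- Mitigation 1: disable Telnet for incoming connections, use SSH instead
! An RSA key requires a hostname and domain name to be set first.
hostname ACCESS-SW1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
username netadmin secret REPLACE-WITH-STRONG-SECRET
line vty 0 15
 transport input ssh
 login local
!
! --- Mitigation 2: if Telnet cannot be turned off yet, restrict which hosts
! may open a session to the vty lines at all (applies to SSH as well).
! 192.0.2.10 and 192.0.2.11 stand in for the management stations.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.10
 permit 192.0.2.11
 deny   any log
line vty 0 15
 access-class MGMT-HOSTS in
!
! Verification: the vty section should show "transport input ssh" only, or
! at minimum an access-class line if Telnet is still enabled.
! show running-config | section line vty
! show ip ssh
```

The `deny any log` entry means rejected Telnet attempts from unexpected sources appear in the switch log, which is a useful signal to forward to a syslog collector while the devices remain unpatched.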

The specific code used to gain access to the switches was not included in the documents dumped by WikiLeaks. The organization claimed it would disclose those to companies privately in order to get the holes patched. However, Motherboard reports that has yet to happen. Cisco says it will issue a patch at some point in the future, but no timeline is available.

Source: extremetech
