Cisco Smart Install protocol is being misused; tens of thousands of critical infrastructure systems may be attacked

According to SecurityAffairs on April 6, Cisco issued a security advisory stating that the Cisco Smart Install (SMI) protocol has been abused and that hundreds of thousands of devices are exposed online. Researchers have reported that the Smart Install protocol on Smart Install clients (also known as integrated branch clients, or IBCs) may allow unauthenticated remote attackers to change the startup configuration, force a reload of the device, load a new IOS image on the device, and execute high-privilege CLI commands on switches running Cisco IOS and IOS XE software.


According to Cisco, the number of Internet scans attempting to detect these devices has increased significantly. The scans look for devices on which the Smart Install feature is still enabled after installation and has no proper security controls, which leaves those devices open to misuse of the feature. Cisco does not consider this a vulnerability in Cisco IOS, IOS XE, or the Smart Install feature itself; it is a consequence of the Smart Install protocol not requiring authentication by design. Cisco has said that it has updated the Smart Install Configuration Guide, which contains security best practices for deploying the Cisco Smart Install feature in customer infrastructure.

At the end of March, Cisco patched more than 30 vulnerabilities in its IOS software, including CVE-2018-0171, which affects the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software. An unauthenticated remote attacker could exploit this vulnerability to reload vulnerable devices or execute arbitrary code on the affected devices.

A security advisory issued by Cisco states that the vulnerability is due to improper validation of packet data. An attacker could exploit it by sending a crafted Smart Install (SMI) message to an affected device on TCP port 4786.

Experts have identified approximately 250,000 vulnerable Cisco devices with TCP port 4786 open. A recent scan by Cisco found that 168,000 systems were exposed online.
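
For defenders watching for the scanning described above, here is an added example (not from the article or from Cisco): a small detector over flow records that flags sources probing TCP port 4786 across several hosts, and any allowed connection to that port from a source other than the Smart Install director. The log format, the addresses, the threshold and the `audit_smi_flows` name are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SMI_PORT = 4786  # Smart Install TCP port named in the article

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
2018-04-06T10:00:01Z 203.0.113.50 10.1.0.11 4786 deny
2018-04-06T10:00:01Z 203.0.113.50 10.1.0.12 4786 deny
2018-04-06T10:00:02Z 203.0.113.50 10.1.0.13 4786 allow
2018-04-06T10:00:05Z 10.1.0.5 10.1.0.11 4786 allow
2018-04-06T10:00:07Z 198.51.100.9 10.1.0.11 443 allow
2018-04-06T10:00:09Z 10.1.0.77 10.1.0.12 4786 allow
malformed line
"""

def audit_smi_flows(text, directors, scan_threshold=3):
    """Return (scanners, exposed).

    scanners: sources that touched port 4786 on >= scan_threshold hosts.
    exposed:  (src, dst) pairs where a non-director source was allowed
              through to port 4786, i.e. a reachable Smart Install client.
    directors is the assumed list of legitimate Smart Install director IPs.
    """
    allowed = {ipaddress.ip_address(d) for d in directors}
    targets = defaultdict(set)
    exposed = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip records that do not match the assumed format
        _, src, dst, port, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue
        if port != SMI_PORT or src_ip in allowed:
            continue
        targets[src_ip].add(dst_ip)
        if action == "allow":
            exposed.add((str(src_ip), str(dst_ip)))
    scanners = sorted(str(s) for s, t in targets.items() if len(t) >= scan_threshold)
    return scanners, sorted(exposed)

if __name__ == "__main__":
    print(audit_smi_flows(SAMPLE_FLOWS, directors=["10.1.0.5"]))
```

Any entry in the second list means a switch accepted a connection on port 4786 from somewhere it should not, which is the exposure the advisory describes.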

Suggested Reading

Cisco Smart Install Protocol Misuse

Source: SecurityAffairs