Cisco released an update this week that addresses a vulnerability in software running in more than 300 of its switches. The flaw was disclosed among the WikiLeaks Vault 7 dump of alleged CIA offensive hacking tools, and proof-of-concept exploit code exists that targets the vulnerability.
Cisco said the vulnerability was in the Cluster Management Protocol (CMP) processing code running in its IOS and IOS XE software, the company’s longstanding networking operating system. In an advisory, Cisco cautioned that attackers could remotely execute code with elevated privileges, or cause a vulnerable switch or networking device to reload.
Cisco acknowledged the vulnerability, CVE-2017-3881, shortly after investigating the WikiLeaks dump. Attackers could abuse the code’s use of telnet in the software to access a switch and gain full control. Cisco said CMP uses telnet as a signaling and command protocol between devices in a cluster. It conceded that it failed to properly restrict the use of CMP-specific telnet to only internal communication, and that the code incorrectly processed malformed CMP telnet options.
“An attacker could exploit this vulnerability by sending malformed CMP-specific telnet options while establishing a telnet session with an affected Cisco device configured to accept telnet connections,” Cisco said in its advisory. “An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device.”
Cisco published a long list of switches from its Catalyst product line, as well as Cisco Embedded Service, IE 2000-5000, ME, RF and SM-X models. The switches are vulnerable, Cisco said, only if its CMP subsystem is present and running on IOS XE and the device is configured to accept telnet connections. This, Cisco said, is the default configuration.
The Vault 7 leaks began in March when WikiLeaks released more than 8,000 documents that describe secret methods allegedly used by the CIA’s Center for Cyber Intelligence to penetrate everything from cellphones and televisions, to enterprise hardware. The documents described many alleged vulnerabilities, but WikiLeaks did not released any of the tools or exploits associated with the disclosures.
That was the first of several Vault 7 leaks, and was followed up two weeks later with a cache of documents and information indicating the CIA had the capability to track iPhone users and had at its disposal malware implants for Apple firmware running on Macbooks.
The so-called Dark Matter release also included documentation for a tracking beacon that could be implanted on factory-fresh iPhones. The agency also concentrated on developing malware and exploits that would attack firmware running on Macs and iPhones, specifically EFI and UEFI firmware, giving it persistence on a target’s device.