Cisco Systems warned customers on Friday of a critical vulnerability that could allow an attacker to execute arbitrary code and obtain full control on more than 300 different models of its switches and routers. Cisco said it became aware of the vulnerability after WikiLeaks released its Vault 7 cache of documents that revealed the existence of covert tools allegedly used by the U.S. Central Intelligence Agency.
Cisco said there is currently no patch or workaround for the vulnerability, which affects the Cisco Cluster Management Protocol (CMP) processing code in the company’s Cisco IOS and Cisco IOS XE software.
“This vulnerability was found during the analysis of documents related to the Vault 7 disclosure,” wrote Cisco in its security bulletin. It said it was unaware of any “public announcements or malicious use of the vulnerability.”
Earlier this month, WikiLeaks released more than 8,000 documents, referred to as the Vault 7 leak, that describe secret methods allegedly used by the CIA’s Center for Cyber Intelligence to penetrate everything from cellphones and televisions to enterprise hardware. According to WikiLeaks, the release of the documents is the first of several. The documents described many alleged vulnerabilities, but WikiLeaks did not release any of the tools or exploits associated with the disclosures.
The Cisco flaw (CVE-2017-3881) affects more than 300 Cisco products including its Cisco Catalyst Blade Switch hardware used in Dell, IBM and HP Enterprise equipment.
According to Cisco, the vulnerability is tied to two factors related to how the CMP utilizes Telnet internally as a signaling and command protocol between cluster members. Cisco said the first relates to a vulnerability in the Cisco CMP processing code in Cisco IOS and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to “cause a reload of an affected device or remotely execute code with elevated privileges.”
The second, according to Cisco, is tied to the incorrect processing of malformed CMP-specific Telnet options.
“In terms of mitigations to consider, disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector. Disabling Telnet and using SSH is recommended by Cisco,” wrote Omar Santos, principal engineer with the Cisco Product Security Incident Response Team, in a blog post. “Customers unable or unwilling to disable the Telnet protocol can reduce the attack surface by implementing infrastructure access control lists.”
Cisco notes that the flaw impacts the default configuration of affected switches. It said hardware running Cisco IOS XE is vulnerable when “the CMP subsystem is present on the Cisco IOS XE software image running on the device, and the device is configured to accept incoming Telnet connections.”
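As an added illustration, not taken from Cisco's advisory or from the article, the following Python script audits an IOS-style running-config for the two conditions above: vty lines that still accept incoming Telnet, and whether an inbound access-class (the infrastructure ACL Santos mentions) at least narrows who can reach them. The two embedded configurations are constructed samples, the "before" and "after" of the recommended change; treating a vty line with no explicit `transport input` as Telnet-capable is my own conservative assumption, not a statement from the advisory.

```python
import re
from typing import Dict, List, Optional

# Constructed sample running-config (not from the advisory): vty lines still
# accept Telnet ("transport input all" / "telnet") and no access-class is applied.
VULNERABLE_CONFIG = """\
hostname edge-sw1
!
line con 0
 logging synchronous
line vty 0 4
 password 7 0822455D0A16
 login
 transport input all
line vty 5 15
 login
 transport input telnet
!
end
"""

# Constructed sample after the two mitigations Cisco names: SSH only on the
# vty lines, plus an infrastructure ACL limiting which sources may reach them.
HARDENED_CONFIG = """\
hostname edge-sw1
!
ip access-list extended MGMT-ONLY
 permit tcp 10.10.0.0 0.0.0.255 any eq 22
 deny   ip any any log
!
line con 0
 logging synchronous
line vty 0 15
 access-class MGMT-ONLY in
 login local
 transport input ssh
!
end
"""

VTY_HEADER = re.compile(r"^line vty \d+(?: \d+)?$")


def parse_vty_blocks(config: str) -> List[Dict[str, object]]:
    """Return each 'line vty ...' block together with its indented sub-commands."""
    blocks: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for raw in config.splitlines():
        if raw.startswith(" "):
            if current is not None:
                current["commands"].append(raw.strip())  # type: ignore[union-attr]
            continue
        # Any top-level statement ("!", "line con 0", "end", ...) closes the block.
        current = None
        if VTY_HEADER.match(raw.strip()):
            current = {"range": raw.strip(), "commands": []}
            blocks.append(current)
    return blocks


def telnet_allowed(commands: List[str]) -> bool:
    """True if the vty line accepts Telnet. Only the last 'transport input' counts,
    since a later statement overrides an earlier one in a running-config."""
    transports = [c for c in commands if c.startswith("transport input ")]
    if not transports:
        # Assumption (mine, not the advisory's): no explicit 'transport input'
        # is read as Telnet-capable, given Cisco's note that default
        # configurations are affected.
        return True
    protocols = set(transports[-1].split()[2:])
    return bool(protocols & {"all", "telnet"})


def has_inbound_access_class(commands: List[str]) -> bool:
    """True if an 'access-class <acl> in' restricts sources for this vty line."""
    return any(c.startswith("access-class ") and c.split()[-1] == "in" for c in commands)


def audit_config(config: str) -> List[Dict[str, str]]:
    """List vty blocks that still expose the Telnet vector, rated by whether an
    infrastructure ACL at least narrows the sources that can reach them."""
    findings: List[Dict[str, str]] = []
    for block in parse_vty_blocks(config):
        cmds = block["commands"]  # type: ignore[assignment]
        if not telnet_allowed(cmds):
            continue
        acl = has_inbound_access_class(cmds)
        findings.append({
            "line": str(block["range"]),
            "severity": "MEDIUM" if acl else "HIGH",
            "advice": ("ACL narrows exposure; still move to 'transport input ssh'" if acl
                       else "set 'transport input ssh' and apply 'access-class <acl> in'"),
        })
    return findings


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_config(cfg) or 'no Telnet-exposed vty lines'}")
```

Run against a saved `show running-config` the script reports `HIGH` for every vty range that still admits Telnet with no access-class, `MEDIUM` where an ACL is present but Telnet remains enabled, and nothing for lines already limited to SSH. The "after" sample is the configuration shape the advisory's mitigation describes: `transport input ssh` removes the vector entirely, and the `access-class` is the fallback for sites that cannot yet retire Telnet.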
Santos said the scope of Cisco’s mitigation efforts was limited due to the fact none of the Vault 7 tools and malware referenced by WikiLeaks have been disclosed. “An ongoing investigation and focused analysis of the areas of code that are alluded to in the disclosure is underway. Until more information is available, there is little Cisco can do at this time from a vulnerability handling perspective,” he wrote.
For his part, WikiLeaks’ Julian Assange has offered to provide vendors with details on the vulnerabilities at a later date.
“Telnet was first developed in 1969, long before the birth of the internet, so it’s easy to see why it would still have many unknown vulnerabilities,” said Phil Neray, vice president of industrial cybersecurity at CyberX. “Since cyberattackers can easily scan the internet for exposed Cisco servers using open source tools, we could see (adversaries) exploiting this newly discovered vulnerability either to create massive DDoS botnets or to snoop on traffic after gaining full control of the router.”
Neray said that this most recent vulnerability should serve as a wake-up call for the industry to phase out Telnet entirely and find more modern ways of remotely managing its devices.
According to Cisco’s analysis of the vulnerability, based on the WikiLeaks documents, malware that targets its hardware exhibits a range of capabilities that include: “data collection, data exfiltration, command execution with administrative privileges (and without any logging of such commands ever been executed), HTML traffic redirection, manipulation and modification (insertion of HTML code on web pages), DNS poisoning, covert tunneling and others.”
That analysis also concluded malware authors have gone to great lengths to remain hidden post infection from forensic analysis. “It would also seem the malware author spends a significant amount of resources on quality assurance testing – in order, it seems, to make sure that once installed the malware will not cause the device to crash or misbehave,” Santos wrote.