
Mass Attack on Cisco Equipment

Colleagues, a large-scale botnet attack began yesterday and is still ongoing. The entire IP address space is being scanned for a recently disclosed vulnerability in Cisco IOS software (CVE-2018-0171, CVSS 9.8) that allows remote command execution on Cisco devices. The bot gets into the device, wipes its configuration and writes its own files in its place. We are recording exploitation attempts from more than a hundred different addresses in various countries, and their pool keeps growing.

Cisco developers have already released patches for the detected vulnerability.

We recommend installing the patches as soon as possible. Below is the notification that Solar JSOC sends to its customers, with details of the vulnerability and recommended countermeasures.

The problem stems from incorrect validation of packets in the Cisco Smart Install (SMI) client. By exploiting the vulnerability, an attacker can modify the TFTP server settings and extract configuration files via TFTP, change the switch's main configuration file, replace the IOS image, and create local accounts, thereby allowing attackers to authenticate on the device and execute arbitrary commands.
Cisco devices that are vulnerable to this attack:

Catalyst 4500 Supervisor Engines
Catalyst 3850 Series
Catalyst 3750 Series
Catalyst 3650 Series
Catalyst 3560 Series
Catalyst 2960 Series
Catalyst 2975 Series
IE 2000
IE 3000
IE 3010
IE 4000
IE 4010
IE 5000
SM-ES2 SKUs
SM-ES3 SKUs
NME-16ES-1G-P
SM-X-ES3 SKUs
Most often, the attack is observed on service providers' equipment.

Recommendations:

  1. Disable the SMI protocol on network devices (instructions here).
  2. Put the latest updates on vulnerable network devices.
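The first recommendation only helps if it is actually applied everywhere, so a practical follow-up is to audit collected device outputs for the Smart Install client state. The script below is an added example and is not part of the Solar JSOC notification or Cisco's own tooling. It assumes that `no vstack` is the global configuration command that disables the Smart Install client (which Cisco documents for this vulnerability) and that `show vstack config` reports the client state in a `Role:` line containing "SmartInstall enabled" or "SmartInstall disabled"; the exact wording of that line and all device outputs are constructed samples, not real captures.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample of `show running-config` from a switch where the
# Smart Install client has NOT been turned off (no `no vstack` line).
SAMPLE_CONFIG_EXPOSED = """\
!
version 15.2
hostname edge-sw-01
!
ip tftp source-interface Vlan1
!
end
"""

# Constructed sample from a switch that has been hardened with `no vstack`.
SAMPLE_CONFIG_HARDENED = """\
!
version 15.2
hostname edge-sw-02
!
no vstack
!
end
"""

# Constructed samples of `show vstack config`; the "SmartInstall enabled/disabled"
# wording of the Role line is an assumption for this example.
SAMPLE_VSTACK_ENABLED = " Role: Client (SmartInstall enabled)\n Vstack Director IP address: 0.0.0.0\n"
SAMPLE_VSTACK_DISABLED = " Role: Client (SmartInstall disabled)\n"


def smart_install_disabled(running_config: str) -> bool:
    """True only if `no vstack` is present as a configuration line."""
    return any(line.strip() == "no vstack" for line in running_config.splitlines())


def parse_vstack_role(show_vstack_output: str) -> Optional[str]:
    """Return 'enabled', 'disabled', or None if the Role line is missing."""
    match = re.search(r"SmartInstall\s+(enabled|disabled)", show_vstack_output, re.IGNORECASE)
    return match.group(1).lower() if match else None


def audit_device(hostname: str, running_config: str,
                 show_vstack_output: Optional[str] = None) -> Dict[str, object]:
    """Decide whether a device still needs action against CVE-2018-0171 exposure.

    The device is treated as exposed unless the config says `no vstack` and,
    when a `show vstack config` capture is available, it also reports the
    client as disabled. A missing capture falls back to the config alone.
    """
    disabled_in_cfg = smart_install_disabled(running_config)
    role = parse_vstack_role(show_vstack_output) if show_vstack_output else None
    needs_action = (not disabled_in_cfg) or (role == "enabled")
    return {
        "hostname": hostname,
        "smi_disabled_in_config": disabled_in_cfg,
        "vstack_role": role,
        "needs_action": needs_action,
    }


def audit_fleet(captures: Iterable[Tuple[str, str, Optional[str]]]) -> List[Dict[str, object]]:
    """Audit a list of (hostname, running_config, show_vstack_output) tuples."""
    return [audit_device(*capture) for capture in captures]


def devices_needing_action(captures: Iterable[Tuple[str, str, Optional[str]]]) -> List[str]:
    """Hostnames that should have `no vstack` applied (and then be patched)."""
    return [str(r["hostname"]) for r in audit_fleet(captures) if r["needs_action"]]


# Constructed fleet: one exposed switch, one hardened switch, one with a
# config that says `no vstack` but a live state that still shows it enabled.
SAMPLE_FLEET = [
    ("edge-sw-01", SAMPLE_CONFIG_EXPOSED, SAMPLE_VSTACK_ENABLED),
    ("edge-sw-02", SAMPLE_CONFIG_HARDENED, SAMPLE_VSTACK_DISABLED),
    ("edge-sw-03", SAMPLE_CONFIG_HARDENED, SAMPLE_VSTACK_ENABLED),
]

if __name__ == "__main__":
    for result in audit_fleet(SAMPLE_FLEET):
        print(result)
    print("needs action:", devices_needing_action(SAMPLE_FLEET))
```

The third sample device is the case worth building in: a saved configuration that reads as hardened while the running state still shows the client enabled, so the audit deliberately requires both sources to agree before clearing a device.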

Source: https://habr.com/ru/post/353002/
