Colleagues, a large-scale botnet attack began yesterday and is still going on. Every IP address is being scanned for a fresh vulnerability in Cisco IOS software (CVE-2018-0171, CVSS 9.8) that allows remote command execution on Cisco devices. The bot gets into the device, wipes its configuration and writes its own files in its place. We are recording exploitation attempts from more than a hundred different addresses in different countries, and the pool keeps growing.
We recommend installing the patches as soon as possible. Under the cut is the notification that Solar JSOC sends to its customers, with details of the vulnerability and recommendations for countering it. The problem stems from incorrect packet validation in the Cisco Smart Install (SMI) client. By exploiting the vulnerability, an attacker can modify the TFTP server settings and pull configuration files off the device over TFTP, replace the switch's startup configuration file, replace the IOS image, and create local accounts, which then lets the attackers authenticate to the device and execute arbitrary commands.
Cisco devices that are vulnerable to this attack:
Catalyst 4500 Supervisor Engines
Catalyst 3850 Series
Catalyst 3750 Series
Catalyst 3650 Series
Catalyst 3560 Series
Catalyst 2960 Series
Catalyst 2975 Series
IE 2000
IE 3000
IE 3010
IE 4000
IE 4010
IE 5000
SM-ES2 SKUs
SM-ES3 SKUs
NME-16ES-1G-P
SM-X-ES3 SKUs
Most often the attack is observed on service providers' equipment.
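The Smart Install client listens on TCP port 4786, so a scanning campaign like the one described above shows up in firewall or flow logs as many distinct sources probing that port across a range of switch management addresses. The script below is an added example written for this page, not code from Solar JSOC or Cisco: it parses a handful of constructed log lines in a simplified, hypothetical firewall flow format (the `src=... dst=... proto=... dpt=...` fields are an assumption, adapt the regex to your own collector) and reports every untrusted source that touched TCP/4786, with the devices it reached. Only TCP is counted, because Smart Install runs over TCP; a `trusted_nets` list lets you exclude your own Smart Install director so that legitimate traffic is not flagged.

```python
"""Detect a Cisco Smart Install (TCP/4786) scanning campaign in connection logs.

Added example, not part of the original advisory. The log format below is a
constructed, hypothetical firewall flow format; only the port number (4786,
the Smart Install client port) is a known fact about the protocol.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMI_PORT = 4786  # TCP port of the Cisco Smart Install client

# Constructed sample log lines (hypothetical format, RFC 5737 documentation addresses).
# 203.0.113.7 and 198.51.100.23 each probe several switches; 192.0.2.99 is a
# hypothetical in-house Smart Install director; the UDP line and the SSH line are noise.
SAMPLE_LOG = """\
2018-04-06T03:12:01Z fw01 flow src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=51000 dpt=4786 action=allow
2018-04-06T03:12:02Z fw01 flow src=203.0.113.7 dst=192.0.2.11 proto=tcp spt=51001 dpt=4786 action=allow
2018-04-06T03:12:05Z fw01 flow src=198.51.100.23 dst=192.0.2.10 proto=tcp spt=40222 dpt=4786 action=deny
2018-04-06T03:12:07Z fw01 flow src=198.51.100.23 dst=192.0.2.12 proto=tcp spt=40223 dpt=4786 action=deny
2018-04-06T03:12:09Z fw01 flow src=10.0.0.5 dst=192.0.2.10 proto=tcp spt=33000 dpt=22 action=allow
2018-04-06T03:12:11Z fw01 flow src=192.0.2.99 dst=192.0.2.10 proto=tcp spt=33010 dpt=4786 action=allow
2018-04-06T03:12:14Z fw01 flow src=203.0.113.7 dst=192.0.2.13 proto=udp spt=51002 dpt=4786 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+flow\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"proto=(?P<proto>\S+)\s+spt=(?P<spt>\d+)\s+dpt=(?P<dpt>\d+)\s+action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def smi_scanners(log_text, trusted_nets=(), min_targets=1):
    """Map each untrusted source that reached TCP/4786 to the sorted list of devices it hit.

    trusted_nets: CIDR strings for networks allowed to speak Smart Install
                  (e.g. your director); sources inside them are ignored.
    min_targets:  report only sources that touched at least this many devices,
                  which separates a sweep from a single stray connection.
    """
    trusted = [ip_network(n) for n in trusted_nets]
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] != "tcp" or rec["dpt"] != SMI_PORT:
            continue  # Smart Install is TCP only; other ports are not of interest here
        src = ip_address(rec["src"])
        if any(src in net for net in trusted):
            continue
        targets[rec["src"]].add(rec["dst"])
    return {s: sorted(t) for s, t in targets.items() if len(t) >= min_targets}


def campaign_summary(log_text, trusted_nets=(), min_targets=1):
    """Aggregate the scanner map into counts useful for an alert: sources seen and devices touched."""
    scanners = smi_scanners(log_text, trusted_nets, min_targets)
    touched = sorted({d for dsts in scanners.values() for d in dsts})
    return {"sources": len(scanners), "targets": touched}


if __name__ == "__main__":
    for src, dsts in sorted(smi_scanners(SAMPLE_LOG, trusted_nets=["192.0.2.0/24"]).items()):
        print(f"{src} probed TCP/{SMI_PORT} on {len(dsts)} device(s): {', '.join(dsts)}")
```

On the constructed sample this flags 203.0.113.7 and 198.51.100.23 (two switches each) and ignores the director, the SSH connection and the UDP line. Beyond detection, where Smart Install is not actually in use the client can be switched off on IOS with `no vstack` (check the current state with `show vstack config`), and TCP/4786 should be filtered at the network edge; neither replaces installing the patch.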