Vulnerable Cisco Catalyst 2960G-48TC-L switch. Photo: Cisco

Cisco has published an advisory (bulletin ID: cisco-sa-20170317-cmp) about a critical vulnerability in the Cluster Management Protocol (CMP) code that ships with Cisco IOS and IOS XE Software. The vulnerability, CVE-2017-3881, allows an unauthenticated remote attacker who knows about the bug to execute arbitrary code with elevated privileges on a device running the Cisco IOS internetwork operating system.
The CIA was evidently aware of it, as follows from the documents published by WikiLeaks as part of the Vault 7 (Year Zero) release. Cisco's security team says it found the vulnerability by analysing those documents.
CMP uses Telnet as its signalling and command protocol between cluster members, extending it with CMP-specific Telnet options. The bug lies in how those options are handled: the device accepts CMP-specific options on any incoming Telnet connection rather than only on internal, local connections between cluster members, and it processes malformed options incorrectly. Cisco has not disclosed which specific options trigger the bug.
Cisco has published instructions for checking whether the CMP subsystem is present in the software running on a device.
CMP check:
show subsys class protocol | include ^cmp
If the CMP subsystem is absent, the filtered output is empty:
Switch#show subsys class protocol | include ^cmp
Switch#
If the CMP subsystem is present, the response will be as follows:
Switch#show subsys class protocol | include ^cmp
cmp Protocol 1.000.001
Switch#
If the CMP subsystem is present on your switch, the next step is to check whether the device accepts incoming Telnet connections on its virtual terminal lines, and therefore whether the remote code execution attack described above can be carried out against it with a specially crafted Telnet session.
Check whether incoming Telnet connections are accepted:
show running-config | include ^line vty|transport input
For example, with default settings the virtual terminal (VTY) lines are listed with their line numbers only and no transport restriction:
Switch#show running-config | include ^line vty|transport input
line vty 0 4
line vty 5 15
Switch#
With default settings all virtual terminals, 0 through 15, accept incoming Telnet connections, so this configuration is vulnerable.
For comparison, here is a hardened configuration in which only SSH is permitted on all virtual terminals:
Switch#show running-config | include ^line vty|transport input
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
Switch#
This configuration is not vulnerable.
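The two checks above turned into an offline audit, as an added example that is not part of Cisco's advisory or of the original article. It parses captured output of the two commands (the captures embedded below are constructed to mirror the transcripts above, not real device output) and reports whether a device is exposed; the function names are my own. It follows the advisory's reading that a VTY block with no `transport input` statement accepts Telnet by default, and it also handles the mixed case the article does not show, where some VTY ranges allow Telnet and others are SSH-only.

```python
"""Offline audit of the two CVE-2017-3881 checks Cisco published.

Input is the captured text of:
  show subsys class protocol | include ^cmp
  show running-config | include ^line vty|transport input
Output: whether the CMP subsystem is present, which VTY ranges still
accept Telnet, and whether both conditions (and thus exposure) hold.
"""
import re

PROMPT_RE = re.compile(r"^\S+#")                 # "Switch#" or "Switch#show ..." echoes
LINE_VTY_RE = re.compile(r"^line vty \d+(?: \d+)?$")
TRANSPORT_RE = re.compile(r"^transport input (.+)$")


def cmp_subsystem_present(subsys_output: str) -> bool:
    """True if the filtered `show subsys` output lists a subsystem named cmp."""
    for raw in subsys_output.splitlines():
        fields = raw.split()
        if fields and fields[0] == "cmp":
            return True
    return False


def vty_telnet_lines(running_config: str) -> list:
    """Return the `line vty X Y` ranges that accept Telnet.

    A `transport input` statement applies to the preceding `line vty` block.
    A block without one is treated as accepting Telnet (the default the
    advisory flags); `all` or a protocol list containing `telnet` also counts.
    `ssh`, `none`, or any list without telnet does not.
    """
    exposed = []
    current = None          # the `line vty` block currently being read
    saw_transport = False   # did that block carry a `transport input` statement?
    for raw in running_config.splitlines():
        line = raw.strip()  # `| include` keeps the leading space of " transport input"
        if not line or PROMPT_RE.match(line):
            continue
        if LINE_VTY_RE.match(line):
            if current is not None and not saw_transport:
                exposed.append(current)          # previous block used the default
            current, saw_transport = line, False
            continue
        m = TRANSPORT_RE.match(line)
        if m and current is not None:
            saw_transport = True
            protocols = m.group(1).split()
            if ("all" in protocols or "telnet" in protocols) and current not in exposed:
                exposed.append(current)
    if current is not None and not saw_transport:
        exposed.append(current)                  # last block used the default
    return exposed


def assess(subsys_output: str, running_config: str) -> dict:
    """Combine both checks: exposed only if CMP is present AND some VTY accepts Telnet."""
    cmp_present = cmp_subsystem_present(subsys_output)
    telnet_vtys = vty_telnet_lines(running_config)
    return {
        "cmp_subsystem": cmp_present,
        "telnet_vty_lines": telnet_vtys,
        "exposed": cmp_present and bool(telnet_vtys),
    }


# Constructed sample captures mirroring the article's transcripts (not real device output).
SUBSYS_WITH_CMP = """Switch#show subsys class protocol | include ^cmp
cmp               Protocol  1.000.001
Switch#"""
SUBSYS_WITHOUT_CMP = """Switch#show subsys class protocol | include ^cmp
Switch#"""
DEFAULT_VTY = """Switch#show running-config | include ^line vty|transport input
line vty 0 4
line vty 5 15
Switch#"""
SSH_ONLY_VTY = """Switch#show running-config | include ^line vty|transport input
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
Switch#"""
MIXED_VTY = """Switch#show running-config | include ^line vty|transport input
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
Switch#"""

if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_VTY), ("ssh-only", SSH_ONLY_VTY), ("mixed", MIXED_VTY)]:
        print(name, assess(SUBSYS_WITH_CMP, cfg))
    print("no-cmp", assess(SUBSYS_WITHOUT_CMP, DEFAULT_VTY))
```

In a real audit you would feed the script the saved output of those two commands from each device; a device with `cmp_subsystem` true and a non-empty `telnet_vty_lines` is one to take off Telnet first.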
Cisco checked its IOS and IOS XE Software releases and compiled a list of 318 switches and other network devices affected by this vulnerability. If a device is not on the list, Cisco considers it unaffected.
The list includes 264 Catalyst series switches, 40 Industrial Ethernet switches and 14 other Cisco devices.
Models of vulnerable devices
According to Cisco, exploitation attempts can be detected with Cisco IPS signature 7880-0 and Snort SIDs 41909 and 41910.
The only complete mitigation is to disable incoming Telnet connections entirely and allow SSH only; this is the configuration Cisco currently recommends. If disabling Telnet is not acceptable for you, you can reduce the likelihood of an attack by restricting who can reach the Telnet service using
Infrastructure Protection Access Control Lists.
Cisco has promised a software fix but has not yet released one.
Cisco is the first major hardware vendor to confirm a vulnerability mentioned in the CIA documents; so far
only software vendors had reported closing bugs. The documents, of course, still need careful analysis. WikiLeaks has not yet released the CIA's exploit files publicly, but has promised to provide them to vendors first so that the vulnerabilities can be closed before the tools are put in everyone's hands. Julian Assange has also said that the published portion of Year Zero is only 1% of the full Vault 7 material in WikiLeaks' possession, which will be released in parts.