Overview
Assura does a significant amount of penetration tests for our clients and we like to communicate the trends that we see as we do these. During the last three, we’ve seen a recurring severe configuration vulnerability using the Smart Install feature of devices running Cisco’s IOS and IOS XE operating systems pop up and felt the need to write a Cyber Heads-up about it. This isn’t a new vulnerability — it was disclosed back in 2016, but it’s still more prevalent than it ought to be. To modify a quote from Ian Fleming’s Goldfinger: “Once is happenstance. Twice is a coincidence. The third time it’s [a trend].”
From Cisco’s security advisory on the matter:
Cisco Smart Install is a “plug-and-play” configuration and image-management feature that provides zero-touch deployment for new (typically access layer) switches. The feature allows a customer to ship a Cisco switch to any location, install it in the network, and power it on without additional configuration requirements. The Smart Install feature incorporates no authentication by design.
Cisco continues:
Cisco does not consider this a vulnerability in Cisco IOS, IOS XE, or the Smart Install feature itself but a misuse of the Smart Install protocol, which does not require authentication by design.
The vulnerability is exploited when an attacker finds a device running Cisco IOS or IOS XE with the Smart Install feature enabled either across the Internet (which we’ve found) or if they’ve compromised a victim’s internal network infrastructure. This permits the attacker to grab the full configuration script (i.e., the equivalent of a show run command) with password hashes, digital certificates, RADIUS keys, and other sensitive information. Smart Install permits an attacker to:
- Substitute the switch’s startup-config file with a file that the attacker prepared and force a reload of the switch after a defined time interval.
- Load the attacker-supplied IOS image onto the switch.
- Execute high-privilege configuration mode CLI commands on the switch, including do-exec CLI commands.
- Copy arbitrary files from the switch to the attacker-controlled TFTP server.
- Induce a denial-of-service attack
Moreover, if the victim organization uses “type 5” passwords, an attacker can easily compromise those hashes. If an organization uses the same local passwords for “enable 15” (i.e., super user) access to all of its devices (which is very common), the attacker has full control of the victim’s network.
More about this configuration vulnerability can be found at:
Assura’s Take
It is not recommended to leave Smart Install enabled on a switch once deployed. Unfortunately, the Smart Install feature is enabled by default on client switches. In certain releases of Cisco IOS there is a command available that will disable the Smart Install feature: no vstack. Administrators can verify whether Smart Install is enabled by issuing the command: show vstack config which should return Role: Client (Smart Install disabled). Make this check part of your pre-deployment security check prior to placing a Cisco switch into production. You can also do this with automated vulnerability scanning, just ensure that the scanner you use has a plug-in to identify the Smart Install service.
Cisco includes security best practices in the Smart Install Configuration Guide at http://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/concepts.html#23355. We recommend that they are followed.
It is also recommended that organizations limit the ability to connect to devices on TCP port 4786 (Smart Install) and port TCP and UDP port 69 (tftp) from outside of trusted networks.
If you’re an Assura Managed SIEM client, our SOC is monitoring for attempts to exploit this misconfiguration vulnerability. If you have questions about identifying or mitigating this vulnerability and you’re an Assura Managed SIEM or Virtual ISO™ client, contact our SOC or your Virtual ISO™. Otherwise, please feel free to contact us through our web site.