Critical Infrastructure at Risk: Advanced Actors Target Smart Install Client

Update (4/9): Cisco PSIRT has released additional guidance, available here.

Cisco has recently become aware of specific advanced actors targeting Cisco switches by leveraging a protocol misuse issue in the Cisco Smart Install Client. Several incidents in multiple countries, including some specifically targeting critical infrastructure, have involved the misuse of the Smart Install protocol. Some of these attacks are believed to be associated with nation-state actors, such as those described in U.S. CERT's recent alert. As a result, we are taking an active stance and are again warning customers of the elevated risk and the available remediation paths.

On Feb. 14, 2017, Cisco's Product Security Incident Response Team (PSIRT) released an advisory detailing active scanning associated with Cisco Smart Install Clients. The Cisco Smart Install Client is a legacy utility designed to allow no-touch installation of new Cisco equipment, specifically Cisco switches. In response to this activity, Cisco Talos published a blog and released an open-source tool that scans for devices that use the Cisco Smart Install protocol. In addition to the release of the scanning tool, coverage has been released for Snort (SID: 41722-41725) to detect attempts to abuse the protocol.

The Cisco Smart Install protocol can be abused to modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands. Although this is not a vulnerability in the classic sense, the misuse of this protocol is an attack vector that should be mitigated immediately. From late 2017 into early 2018, Talos observed attackers scanning for Smart Install Clients in order to abuse this issue. Recent information has increased the urgency.

While we have only observed attacks leveraging the protocol misuse issue, a separate vulnerability in the Cisco Smart Install Client was recently disclosed and patched. It has been discussed publicly, and proof-of-concept code has been released. While mitigating the protocol misuse issue, customers should also address that vulnerability.

Scope

As part of the Cisco Talos investigation, we began looking at how many devices are potentially exposed to this attack. The results were extremely troubling. Using Shodan, Talos was able to identify more than 168,000 systems potentially exposed via the Cisco Smart Install Client. This is an improvement on the numbers reported in 2016, when fellow cyber security firm Tenable observed 251,000 exposed Cisco Smart Install Clients. There may be variations in methodology between the scans, but this still represents a substantial reduction in the available attack surface.

Additionally, while there has been on-and-off scanning since our initial disclosure, Talos has observed a sharp increase in scanning for Cisco Smart Install Clients on or around Nov. 9, 2017. Because of the relatively static nature of perimeter systems, we do not expect a great deal of scanning associated with malicious activity. Still, it is noteworthy that we are seeing an increase in scanning for the Cisco Smart Install Client.

Mitigation

You can determine whether a device is affected by running a command on the switch: show vstack config reports whether the Smart Install Client is active. Below is an example with output:

    switch#show vstack config | inc Role
    Role: Client (SmartInstall enabled)

Additional indicators could be present if the logging level is set to 6 (informational) or higher. These logs could include, but are not limited to, write operations via TFTP, execution of commands and device reloads.

The simplest way to mitigate these issues is to run the command no vstack on the affected device. If, for some reason, that option isn't available, the best alternative is to restrict access with an access control list (ACL) on the interface, a sample of which is shown below:

    ip access-list extended SMI_HARDENING_LIST
         permit tcp host 10.10.10.1 host 10.10.10.200 eq 4786
         deny tcp any any eq 4786
         permit ip any any

An ACL of this type allows only the host shown above (10.10.10.1) to reach the Smart Install Client on TCP port 4786, greatly limiting the exposure to attack. In addition to these mitigations, our IPS technologies include detection for attempts to leverage the Smart Install Client.
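The following Python script is an added example, not code from the Talos post or from any Cisco tool. It turns the two checks above into something you can run offline over CLI output you have already captured: it parses the Role line of show vstack config, parses named extended ACLs out of running-config text, evaluates whether an ACL such as SMI_HARDENING_LIST denies TCP/4786 from an untrusted source, and checks that the ACL is actually applied to an interface with ip access-group. The sample show vstack output, the sample configs, the interface name GigabitEthernet1/0/1 and the addresses 198.51.100.7 and 10.10.10.200 are all constructed for the example; the "(SmartInstall disabled)" wording after no vstack is an assumption about what the device prints.

```python
"""Audit saved IOS CLI output for Smart Install exposure (added example, not Cisco code)."""
import ipaddress
import re
from collections import namedtuple

SMI_PORT = 4786  # TCP port the Smart Install client listens on

# Constructed samples; the "(SmartInstall disabled)" wording after 'no vstack' is assumed.
SHOW_VSTACK_EXPOSED = "switch#show vstack config | inc Role\nRole: Client (SmartInstall enabled)\n"
SHOW_VSTACK_DISABLED = "Role: Client (SmartInstall disabled)\n"

# Constructed weak state: the post's ACL exists but is applied to no interface.
WEAK_CONFIG = """\
ip access-list extended SMI_HARDENING_LIST
 permit tcp host 10.10.10.1 host 10.10.10.200 eq 4786
 deny tcp any any eq 4786
 permit ip any any
!
interface GigabitEthernet1/0/1
 description uplink
!
"""
# Hardened state: the ACL is applied inbound on the uplink and 'no vstack' is set.
HARDENED_CONFIG = WEAK_CONFIG.replace(" description uplink\n",
    " description uplink\n ip access-group SMI_HARDENING_LIST in\n") + "no vstack\n"

def smi_client_enabled(show_vstack_output):
    """True when the Role line reports the Smart Install client as enabled."""
    m = re.search(r"^\s*Role:\s*(.+)$", show_vstack_output, re.M)
    role = m.group(1).lower() if m else ""
    return "client" in role and "enabled" in role

# One ACL entry: action permit/deny, proto ip/tcp/udp, src/dst IPv4Network, dport int or None.
AclEntry = namedtuple("AclEntry", "action proto src dst dport")

def _addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    wild = int(ipaddress.IPv4Address(t[i + 1]))  # contiguous wildcard masks only
    mask = ipaddress.IPv4Address(wild ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{t[i]}/{mask}", strict=False), i + 2

def _entry(line):
    """Parse one 'permit|deny <proto> <src> [eq n] <dst> [eq n]' line."""
    t = line.split()
    src, i = _addr(t, 2)
    if i < len(t) and t[i] == "eq":  # optional source port; not matched on here
        i += 2
    dst, i = _addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return AclEntry(t[0], t[1], src, dst, dport)

def parse_acls(config):
    """Collect named extended ACLs from running-config text."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            current = acls.setdefault(m.group(1), [])
        elif current is not None and line.strip().startswith(("permit ", "deny ")):
            current.append(_entry(line.strip()))
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the ACL
    return acls

def acl_decision(entries, src, dst, proto, dport=None):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto in ("ip", proto) and s in e.src and d in e.dst and e.dport in (None, dport):
            return e.action
    return "deny"

def applied_interfaces(config, acl_name):
    """Interfaces where the ACL is applied inbound; a defined-but-unapplied ACL filters nothing."""
    found, iface = [], None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            iface = m.group(1)
        elif not line.startswith(" "):
            iface = None
        elif iface and line.strip() == f"ip access-group {acl_name} in":
            found.append(iface)
    return found

def audit(show_vstack, config, attacker="198.51.100.7", switch="10.10.10.200"):
    """Exposure summary; the attacker and switch addresses are illustrative defaults."""
    blocking = [name for name, entries in parse_acls(config).items()
                if acl_decision(entries, attacker, switch, "tcp", SMI_PORT) == "deny"
                and applied_interfaces(config, name)]
    enabled = smi_client_enabled(show_vstack)
    return {"smi_client_enabled": enabled, "no_vstack_configured": "no vstack" in config.splitlines(),
            "acls_blocking_smi_on_an_interface": blocking, "exposed": enabled and not blocking}
```

Two design points worth noting. The audit counts an ACL as protection only when it both denies TCP/4786 from the untrusted address and appears in an ip access-group statement on some interface; an ACL that is defined but never applied filters nothing, which is an easy mistake to make when hardening in a hurry. Also, the ACL from the post only filters TCP (where Smart Install listens), so any other protocol toward port 4786 falls through to permit ip any any, which the evaluator reproduces.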

Support

For this and other issues, it is important to remember Cisco's commitment to supporting affected customers. All customers, regardless of contract status, receive free incident response assistance, similar to the assistance offered to contract customers, for any incident that involves known or reasonably suspected security vulnerabilities in a Cisco product. If you have experienced an incident involving a Cisco product, please contact the Cisco Technical Assistance Center (TAC):

Inside the United States or Canada: +1 800 553 2447 / +1 408 526 7209
Outside the United States: Worldwide Contacts

For more information, please see Cisco's Security Vulnerability Policy.

Conclusion

In order to secure and monitor perimeter devices, network administrators need to be especially vigilant. It can be easy to "set and forget" these devices, as they are typically highly stable and rarely changed. Combine this with the advantages that an attacker has when controlling a network device, and routers and switches become very tempting targets.

Having observed attackers actively leveraging this vector, Cisco strongly encourages all customers to review their architecture, use the tools provided by Talos to scan their network, and remove Cisco Smart Install Client from all devices where it is not used.

https://materialize-material.blogspot.com/2018/04/critical-infrastructure-at-risk.html