A vulnerability affecting more than 300 different Cisco router SKU’s was discovered by Cisco in the Wikileaks’ Vault-7 dump of classified CIA hacking tools and tactics utilized to gain unauthorized access to iPhone, Android devices, multiple web browsers, operating systems, vehicles, etc. etc. Wikileaks had initially released the first full part of the series dubbed “Year Zero” on March 7th 2017 in a press release that included their own analysis on their website. The Vault-7 analysis by Wikileaks included multiple examples of attack methodologies and tools to be used in a variety of scenarios, but the examples included no mention of Cisco.
It was actually Cisco’s own security researchers who analyzed the content of the Vault-7 documents and came across the critical vulnerability that when exploited could lead to unauthenticated remote code execution. Cisco released an advisory for the critical vulnerability on March 17th with a list of the 318 products affected.
The vulnerability itself affects Cisco Management Protocol (CMP) in both Cisco IOS and Cisco IOS XE software. Essentially, Cisco Management Protocol communicates internally by using telnet services. The vulnerability is triggered due to a combination of two issues. First off, malformed CMP related telnet options aren’t processed correctly and secondly, there’s a failure to restrict the use of these CMP related options to internal/local communications within the cluster. This means Cisco will accept and process telnet related options from any telnet connection to a vulnerable device assuming one is able to access it.
Patch Status at Posting
As of March 21st, Cisco has no update available, but Cisco has released two modifications you can make to mitigate or reduce the attack surface. One method consists of fully disabling telnet and switching to SSH, which mitigates the vulnerability fully. If switching to SSH isn’t possible Cisco recommends implementing iACLs to help reduce the attack surface.
The exploitation of this bug would require some kind of access to the internal network services whether by misconfiguration or by a compromise of web services to gain access to access an affected device. Still, the fact that an unauthenticated remote attacker could force a reload of the device and escalate privileges, gaining code execution over hundreds of affected Cisco products should be enough to get any Network Admin’s (using Cisco devices) attention.
At the moment, there is no exploit code in the wild available for the attack, but that doesn’t mean an attack like this could never happen. A skilled attacker could easily use an already compromised website’s telnet client to breach the router and move laterally through the network with the know how and the details already available for the attack.
Mitigation Recommendations for Customers
Customers should ensure their Cisco device management network is not exposed to the public Internet, and access via unencrypted telnet should be disabled or not exposed on a public interface – a standard security best practice.
Alert Logic Coverage
Alert Logic vulnerability scanning already reports any exposed telnet to the customer in the normal course of the service.