Hundreds of Cisco Switches Vulnerable To Flaw Found in WikiLeaks Files

Zack Whittaker, writing for ZDNet: Cisco is warning that the software used in hundreds of its products are vulnerable to a "critical"-rated security flaw, which can be easily and remotely exploited with a simple command. The vulnerability can allow an attacker to remotely gain access and take over an affected device. More than 300 switches are affected by the vulnerability, Cisco said in an advisory. According to the advisory, the bug is found in the cluster management protocol code in Cisco's IOS and IOS XE software, which the company installs on the routers and switches it sells. An attacker can exploit the vulnerability by sending a malformed protocol-specific Telnet command while establishing a connection to the affected device, because of a flaw in how the protocol fails to properly process some commands. Cisco said that there are "no workarounds" to address the vulnerability, but it said that disabling Telnet would "eliminate" some risks.

Re:Who has switches with a public IP?

[sunderland56]

Don't ever assume that all hacks are coming from the outside.

Re:That's nice, but...

[HumanWiki]

Most switches support ACLs on all services, and/or on switch SVIs (if you don't have prohibitively many of those), and/or CoPP, so you can tell the switch not to talk to anything but your management stations. You just have to set things up so you can alter those ACLs en-masse when needed. No need for a firewall, really, as long as you aren't using ridiculous utilities that do not belong on a switch in the first place.

That said, there's pretty much zero reason to use telnet these days, and even the last vestiges of FTP and TFTP are starting to become unnecessary as more switch facilities are supporting SCP or (sigh) SFTP. Sigh on the latter because you really are putting a lot of trust in the other end of the connection because SFTP subprotocol code is not production quality code, even in the openSSH tree. But at least someone has to actually own the endpoint to get at it.

Yes, I understand that, that's great, a lot of that is best practice and in all my years and all the companies I've worked for and systems I've helped migrated, worked on, have managed, etc. I can count on one hand the number of them that were properly configured with ACLs blocking of stuff from user segments, properly configured interconnectivity, complex passwords, clear text protocls being fully off, etc. Not allowing this station etc. And you think your management computers are safe? not really. I've seen plenty of bastion systems being used as source mgmt points for all manner of systems and lazy engineers using web browsers on them to download whatever utility or tool they need. Just because you've locked out your stuff to a bastion server doesn't mean it's protected, it just means your compromise point is now actually pinpointed to a singular or group of devices. Lucky me. Less field work to do.

That's all great on paper, but it's not as wide-spread in most places as you'd think. I've met many CCIEs that are outright lazy when it comes to locking down switching and routing connections because it makes their job even harder to deal with the ever changing zones, lans, nodes, and whatever wildass hair mgmt gets in their butt that week about which people/persons "need" access to what and when.

I use firewall generically here and not literally a Firewall as well.