Slashdot Mirror


Hundreds of Cisco Switches Vulnerable To Flaw Found in WikiLeaks Files (zdnet.com)

Zack Whittaker, writing for ZDNet: Cisco is warning that the software used in hundreds of its products is vulnerable to a "critical"-rated security flaw, which can be easily and remotely exploited with a simple command. The vulnerability can allow an attacker to remotely gain access and take over an affected device. More than 300 switches are affected by the vulnerability, Cisco said in an advisory. According to the advisory, the bug is found in the cluster management protocol code in Cisco's IOS and IOS XE software, which the company installs on the routers and switches it sells. An attacker can exploit the vulnerability by sending a malformed protocol-specific Telnet command while establishing a connection to the affected device, because of a flaw in how the protocol fails to properly process some commands. Cisco said that there are "no workarounds" to address the vulnerability, but it said that disabling Telnet would "eliminate" some risks.


  1. If you still run Telnet by subk · · Score: 3, Interesting

    You deserve to have this happen to you.

    --
    Now, if you'll excuse me, I have backups to corrupt.
  2. That's nice, but... by acoustix · · Score: 2

    That means someone would have to be dumb enough to
    1) Have the mgmt of the switch be publicly available
    2) Have Telnet enabled.

    Don't get me wrong, it's a bad bug. But a security-minded admin should not have these problems.

    --
    "A plan fiendishly clever in its intricacies"- Homer Simpson
    1. Re:That's nice, but... by HumanWiki · · Score: 4, Interesting

      That means someone would have to be dumb enough to
      1) Have the mgmt of the switch be publicly available
      2) Have Telnet enabled.

      Don't get me wrong, it's a bad bug. But a security-minded admin should not have these problems.

      Err.. yes/no..

      If I was going to attempt to exploit something like this, I'd assume most would be inaccessible from the internet as a general use or would be whitelisted only..

      What I WOULD do is use this in conjunction with a machine level hack/compromise inside their network and then run amok from there.. That's much easier to do and less will have full firewall off from within their networks from all PC segments.

    2. Re:That's nice, but... by sunderland56 · · Score: 2

      That means someone would have to be dumb enough to
      1) Have the mgmt of the switch be publicly available
      2) Have Telnet enabled.

      3) Purchase from a vendor that does not understand security well enough to disable telnet.

    3. Re:That's nice, but... by HumanWiki · · Score: 3, Insightful

      Most switches support ACLs on all services, and/or on switch SVIs (if you don't have prohibitively many of those), and/or CoPP, so you can tell the switch not to talk to anything but your management stations. You just have to set things up so you can alter those ACLs en-masse when needed. No need for a firewall, really, as long as you aren't using ridiculous utilities that do not belong on a switch in the first place.

      That said, there's pretty much zero reason to use telnet these days, and even the last vestiges of FTP and TFTP are starting to become unnecessary as more switch facilities are supporting SCP or (sigh) SFTP. Sigh on the latter because you really are putting a lot of trust in the other end of the connection because SFTP subprotocol code is not production quality code, even in the OpenSSH tree. But at least someone has to actually own the endpoint to get at it.

      Yes, I understand that, that's great, a lot of that is best practice and in all my years and all the companies I've worked for and systems I've helped migrate, worked on, have managed, etc. I can count on one hand the number of them that were properly configured with ACLs blocking of stuff from user segments, properly configured interconnectivity, complex passwords, clear text protocols being fully off, etc. Not allowing this station etc. And you think your management computers are safe? Not really. I've seen plenty of bastion systems being used as source mgmt points for all manner of systems and lazy engineers using web browsers on them to download whatever utility or tool they need. Just because you've locked out your stuff to a bastion server doesn't mean it's protected, it just means your compromise point is now actually pinpointed to a singular or group of devices. Lucky me. Less field work to do.

      That's all great on paper, but it's not as widespread in most places as you'd think. I've met many CCIEs that are outright lazy when it comes to locking down switching and routing connections because it makes their job even harder to deal with the ever changing zones, lans, nodes, and whatever wildass hair mgmt gets in their butt that week about which people/persons "need" access to what and when.

      I use firewall generically here and not literally a Firewall as well.
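The controls discussed in this thread (the summary's note that disabling Telnet removes the exposed path, and the reply above about ACLs restricting management services to known stations) as an added example that is not code from the page, from Cisco, or from any poster: a Python check that parses the `line vty` blocks of an IOS-style running-config and flags blocks that still accept Telnet or carry no inbound `access-class`. The two embedded configs are constructed samples; the ACL name `MGMT-HOSTS` and the management subnet are assumptions.

```python
from typing import Dict, List, Optional
# Constructed sample: Telnet still accepted, and no source restriction on sessions.
WEAK_CONFIG = """\
line vty 0 4
 login local
 transport input telnet ssh
!
line vty 5 15
 login local
 transport input all
"""
# Constructed sample: SSH only, sessions limited to an assumed management subnet.
HARDENED_CONFIG = """\
ip access-list standard MGMT-HOSTS
 permit 10.20.30.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT-HOSTS in
 login local
 transport input ssh
"""

def parse_vty_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'line vty X Y' header to its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return blocks

def audit_vty(config: str) -> List[str]:
    """Flag VTY blocks that accept Telnet or have no inbound access-class."""
    findings: List[str] = []
    for name, cmds in parse_vty_blocks(config).items():
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:  # defaults differ by platform, so treat silence as a finding
            findings.append(f"{name}: transport input not set; platform default applies")
        elif {"telnet", "all"} & set(transport.split()[2:]):
            findings.append(f"{name}: Telnet accepted ({transport})")
        if not any(c.startswith("access-class") and c.endswith(" in") for c in cmds):
            findings.append(f"{name}: no inbound access-class limiting management sources")
    return findings
```

Run `audit_vty()` over a saved `show running-config` to list the VTY blocks that still need `transport input ssh` and an inbound `access-class`; an empty list means the management plane matches the hardened sample.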

    4. Re:That's nice, but... by acoustix · · Score: 2, Informative

      That means someone would have to be dumb enough to
      1) Have the mgmt of the switch be publicly available
      2) Have Telnet enabled.

      3) Purchase from a vendor that does not understand security well enough to disable telnet.

      Telnet is not enabled by default on any interface on Cisco switches. I've been using them since 1999 and I can't think of a time when an out-of-the-box switch had Telnet enabled.

      --
      "A plan fiendishly clever in its intricacies"- Homer Simpson
    5. Re:That's nice, but... by Megane · · Score: 2

      I worked *FOR* Cisco in the early 2Ks (as a Software Eng, but not on IOS) and I recall them being very slow to put SSH into their firmware, long after the problem of plaintext passwords was well known. I don't think they even had it by 2005. So maybe *a* decade at most, but not decade*s* plural.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    6. Re: That's nice, but... by PoopJuggler · · Score: 2

      No reason except for Cisco getting paid by the government to make their products exploitable...

  3. Re:Who has switches with a public IP? by sunderland56 · · Score: 3, Insightful

    Don't ever assume that all hacks are coming from the outside.

  4. Unfixed Vault 7 vulnerabilities... by slashkitty · · Score: 2

    So, this leads to many questions: How long did the CIA know about this flaw and not tell Cisco? Or did Cisco know about this flaw and not warn users? How many other unpatched flaws are in Vault 7? Is Cisco not issuing a REAL fix for this?

    --
    -- these are only opinions and they might not be mine.
    1. Re:Unfixed Vault 7 vulnerabilities... by guruevi · · Score: 2

      From the synopsis it does seem like Cisco is not providing a fix for this issue, only a "potential" workaround (meaning they baked it in and there are other methods of exploiting the same issue).

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Unfixed Vault 7 vulnerabilities... by AHuxley · · Score: 2

      Re "How long did the CIA know about this flaw"
      The US goes down a list of flaw questions.
      Is the US the only one using the same issue? Will other nations find it soon?
      Are other groups in the wild using it now? Will AV software detect the flaw soon?
      Can it be used against the USA if discovered without being noticed?
      Will the USA be detected in a later code review or from code litter?
      Can the flaw be proved to be the work of another nation when the US uses the same method?
      After all that is worked out, the USA will keep the flaw or find some way to get it fixed if it is a risk to the USA.

      Re "How many other unpatched flaws are in the Vault 7"
      That depends on the US and its public budget for its clandestine services per year and the cost per flaw created or found? How much can be coded for or created for the US clandestine services per year per budget?
      100 well crafted methods? To cover a year of changing consumer, prosumer and professional product lines globally of all brands the US has interest in?
      Other methods need physical access to place methods and or physical access to collect the resulting data.
      Create too many really unique methods in the wild and many groups start noticing the flow of data and the cost of nation funded staging servers.
      Too much expert code litter starts to point to national funding. Loss of methods to other nations, cults, faith groups, other nations trusted police, "trusted" NATO or EU nations, criminals using the same methods later might also keep the flaw count down per year. The US likes to track who got their code later and is using it and how it leaked.
      If not a lot of other nations, groups would be using the same methods back in the USA for their own political or national advantage.
      Other "trusted" nations might leak to the press and interesting nations then stop using that US crypto or US hardware. Low count, good quality that collects all.

      --
      Domestic spying is now "Benign Information Gathering"
  5. Welcome to Cisco by Sycraft-fu · · Score: 2

    Where telnet is still a thing, and last I checked was on by default.

  6. Re:wikileaks delivers by AHuxley · · Score: 2

    Re: "warehouse to be backdoored prior to shipment to final destination"
    Tailored Access Operations (TAO)
    "Photos of an NSA “upgrade” factory show Cisco router getting implant" (5/15/2014)
    https://arstechnica.com/tech-p...
    GCHQ, NSA, CIA have different ideas on what they want and why.

    In some nations the NSA might be working with a national telco over decades. So it is safe for the NSA to use that nation's gov staff as they are more loyal to the NSA than their own nation over generations.
    In other nations the telco network might still be staffed with people who are totally loyal to their own nation. So that big dump of data back to a domestic staging server network might be detected. Code litter from another nation's malware is left to fool any contractors or other gov investigators.
    Other methods are needed.
    The CIA might have a trusted local person sneak into a building under the cover of being new staff, a friend or more than a new friend to a long term staff member. Physical access gets past any network security and trusted devices can be altered on site and data collected by a person later on site. No internet link needed but physical device access is needed to alter code and then collect the result. No code litter is found.
    Or just send a command to a US brand's hardware and collect it all with the internet.
    Different methods for different nations and if staff are still loyal to their own nation.

    --
    Domestic spying is now "Benign Information Gathering"
  7. How to fix this by AHuxley · · Score: 2

    Keep your brand or company secure by:
    Keep your most advanced work and secrets away from any network.
    Only use advanced US networks, US products for work that is in use and in public.
    When new services, products, contracts are being considered don't store anything on servers, network facing hardware.
    Hold design meetings in secure areas, don't bring in smart phones, devices. Keep vital encrypted notes on paper in that secure room.
    Use a one time pad to send vital messages to distant staff. Use staff to move a message to staff globally, face to face, in person.
    Use a networked company message board as a numbers station to broadcast information globally. Everyone looks at it everyday but the message is only for one person.
    If you have the funding set up bait, a honey pot of digital ideas on US branded hardware that faces the internet as normal.
    Pack it with the most amazing new ideas your competitors had, renamed as your own emerging products. Patents, secret bank accounts, staff lists, work with other nations. Make that server amazing. Use very different code names for emerging products and projects. See if anyone comes looking later for the same junk words or for the staff that are internal security risks on lists that are fake.
    Set up a random safe house with trusted security teams for years based on that staff risk review. See if anyone tries to offer the fake staff member a new job, wants to be "friends", makes a cash offer or poses as your nations security services to do an interview...
    Really simple counterintelligence that any nation or company can create.
    That needs a lot of funding but protects against human and network methods.
    Be aware of any new staff from other nations or your own nation's new staff. New "friends" wanting a secure site tour. Physical site access can plant malware that's then collected later by hand.

    --
    Domestic spying is now "Benign Information Gathering"