At the moment, a powerful botnet attack is underway. All Internet addresses are being scanned for a recently disclosed vulnerability in Cisco IOS software that allows remote command execution on Cisco devices. The bot enters the device, deletes its configuration and writes its own files in its place.
The vulnerability is identified as CVE-2018-0171 and scored 9.8 on the CVSS scale. If your Internet connection has just gone down, or goes down in the near future, there is a high probability that it is due to the vulnerability described above. Network problems are being observed right now, including by the Hi-News.ru team.
The Cisco team has published a report stating that hundreds of thousands of devices on the Internet are vulnerable because of Smart Install technology. The company has warned critical infrastructure sites about the risks of running vulnerable devices.
Smart Install technology automates the initial configuration of a new network switch and the loading of the current operating system image onto it.
Cisco first reported a burst of scans looking for unprotected devices with Smart Install enabled back in February of last year. At the time, it said that hacker groups could use Smart Install to obtain copies of the configurations of affected customer devices. It was also reported that attackers were using an open-source tool to scan for vulnerable systems, the Smart Install Exploitation Tool (SIET).
Cisco has now issued a new statement:
"Cisco is aware of a significant increase in the number of attempts to scan for vulnerable devices with activated Smart Install. As a result of a successful attack, an attacker can change the configuration file, force the device to reboot, upload a new IOS image to the device, and execute CLI commands with high privileges."
According to experts, some of these attacks were carried out by a group known as Dragonfly, Crouching Yeti and Energetic Bear. Administrators are therefore advised to install the update as soon as possible, or to disable the SMI technology in the device settings; SMI is the feature that automates initial configuration and firmware loading for new switches.
The problem is that many owners neither configure nor disable the SMI protocol, so the client keeps waiting in the background for "setup" commands. Using the vulnerability, an attacker can modify the TFTP server settings and extract configuration files via TFTP, change the switch's global configuration file, replace the IOS image, create local accounts, and thereby log in to the device and execute arbitrary commands.
To exploit the vulnerability, the attacker needs access to TCP port 4786, which is open by default. The problem can reportedly also be used for a DoS attack, forcing vulnerable devices into an endless reboot loop.
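As an added example (not from the original article, and not Cisco's tool), the following Python script checks constructed firewall log lines for the two indicators described above: an Internet host reaching TCP port 4786 on a switch, and a switch then moving files over TFTP to an Internet host. The key=value log format and all addresses are assumptions for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict

SMI_PORT = 4786   # TCP port the Smart Install client listens on (open by default per Cisco)
TFTP_PORT = 69    # config files and IOS images are moved over TFTP after a successful attack
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
2018-04-06T10:01:02Z action=allow proto=tcp src=203.0.113.45:51234 dst=192.168.1.10:4786
2018-04-06T10:01:05Z action=allow proto=tcp src=10.0.0.5:40000 dst=192.168.1.10:4786
2018-04-06T10:01:09Z action=allow proto=udp src=192.168.1.10:49152 dst=203.0.113.45:69
2018-04-06T10:02:00Z action=allow proto=tcp src=198.51.100.7:3333 dst=192.168.1.11:4786
2018-04-06T10:02:30Z action=deny proto=tcp src=198.51.100.7:3334 dst=192.168.1.12:4786
2018-04-06T10:03:00Z action=allow proto=tcp src=203.0.113.45:51300 dst=192.168.1.10:22
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def is_internal(ip):
    """True for RFC 1918 addresses; everything else is treated as an Internet host."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def find_smi_exposure(log_text):
    """Map each switch address to the Smart Install indicators observed for it."""
    alerts = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["action"] != "allow":
            continue  # unparsable, or blocked by the firewall so nothing reached the switch
        if rec["proto"] == "tcp" and rec["dport"] == SMI_PORT and not is_internal(rec["src"]):
            alerts[rec["dst"]].append(f"TCP/{SMI_PORT} reached from Internet host {rec['src']}")
        if rec["proto"] == "udp" and rec["dport"] == TFTP_PORT and not is_internal(rec["dst"]):
            alerts[rec["src"]].append(f"TFTP transfer to Internet host {rec['dst']}")
    return dict(alerts)

def likely_compromised(alerts):
    """Switches reached on TCP/4786 from outside that then moved files over TFTP to outside."""
    return sorted(h for h, m in alerts.items()
                  if any("TCP/" in x for x in m) and any("TFTP" in x for x in m))
```

A switch that appears in `likely_compromised` matches the behaviour the article describes (configuration pulled or replaced after the device was reached on port 4786) and should be checked first; a switch with only the TCP/4786 indicator is exposed and should have SMI disabled or the port filtered.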
According to Cisco Talos, there are currently 168,000 SMI-enabled switches on the Internet. However, according to the Embedi research group, more than 8.5 million devices with port 4786 open have been found on the Internet in total, and on about 250,000 of them the patches that fix the critical vulnerability have not been installed.
Embedi analysts tested the vulnerability on the Catalyst 4500 Supervisor Engine, Cisco Catalyst 3850 series switches and Cisco Catalyst 2960 series switches, but all Smart Install devices are probably affected, namely:
- Catalyst 4500 Supervisor Engines;
- Catalyst 3850 Series;
- Catalyst 3750 Series;
- Catalyst 3650 Series;
- Catalyst 3560 Series;
- Catalyst 2960 Series;
- Catalyst 2975 Series;
- IE 2000;
- IE 3000;
- IE 3010;
- IE 4000;
- IE 4010;
- IE 5000;
- SM-ES2 SKUs;
- SM-ES3 SKUs;
- NME-16ES-1G-P;
- SM-X-ES3 SKUs.
The Cisco team has published instructions for disabling the protocol on vulnerable devices, and has also released a tool for scanning local networks or the Internet for vulnerable devices.
The article is based on materials .