Pierluigi Paganini August 13, 2014

Researchers at BlackHat discovered a Denial of Service Vulnerability in Cisco IOS Software and Cisco IOS XE Software EnergyWise.

Researchers from ERNW GMBH revealed that misconfigurations and vulnerabilities in Cisco’s EnergyWise suite could be exploited by attackers to cause huge blackouts. The team has presented the results of their study during the last Black Hat  conference in Las Vegas, they discussed about possible abuse of the protocol used by Cisco EnergyWise

Cisco has designed its EnergyWise architecture to allow companies to measure power consumption, an information that is crucial for private entities to control and reduce energy costs.

The energy management protocol is able to control devices attached to the network simply sending them control messages that allow to recognize them and monitor their activities. The problem is that a bad actor could be able to sniff data from the network and capture the shared secret, in this way he can hijack a domain, since the domain shared secret is used to recognize and find neighbors in the network under control. Once a device is recognized as a “neighbor,” it can be used to send messages and compromise server/domain capabilities, once an attacker sniff the shared secret is able to do it.

“Once we know the shared secret it’s game over,”  said ERNW GMBH researcher Matthias Luft.

The researcher have reverse-engineered the proprietary protocol implemented in Cisco EnergyWise architecture and demonstrated how an attackers is able to hijack the TMP’s domains to run denial-of-service attacks.

Cisco immediately issued a security advisory announcing that “a vulnerability in the EnergyWise module of Cisco IO and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device.”

“The vulnerability is due to improper parsing of crafted EnergyWise packets destined to an affected device. An attacker could exploit this vulnerability by sending a crafted EnergyWise packet to be processed by an affected device. An exploit could allow the attacker to cause a reload of the affected device.” states the advisory.

Cisco informed its customers that devices that are running an affected release of Cisco IOS and Cisco IOS XE Software and configured for EnergyWise operation are affected by this vulnerability, anyway the EnergyWise feature is not enabled by default.

It is easy to verify if a device is configured with EnergyWise, users can execute the command show run | include energywise command.

The following example is the output of the show run | include energywise command on a Cisco IOS device configured with the minimum EnergyWise configuration needed to enable its operation:

Router#show run | include energywise 
energywise domain test_domain security shared-secret 0 test123

Cisco has already released a software updates that fix this vulnerability.

Pierluigi Paganini

(Security Affairs –  Cisco EnergyWise, hacking)