
Cisco EnergyWise suite vulnerable to Denial of Service attack

Researchers from ERNW presented at Black Hat a denial of service vulnerability in the EnergyWise module of Cisco IOS Software and Cisco IOS XE Software.

Researchers from ERNW GmbH showed that misconfigurations and vulnerabilities in Cisco's EnergyWise suite could be exploited by attackers to cause large-scale blackouts. The team presented the results of its study at the latest Black Hat conference in Las Vegas, where it discussed how the protocol used by Cisco EnergyWise can be abused.

Cisco designed its EnergyWise architecture to let companies measure the power consumption of networked devices, information that organizations rely on to control and reduce energy costs.

The energy management protocol controls devices attached to the network by sending them control messages that identify them and monitor their activity. The problem is that an attacker who can sniff traffic on the network and recover the domain shared secret can hijack a domain, because that shared secret is what EnergyWise uses to authenticate and discover neighbors in the domain. Once a device is accepted as a "neighbor," it can send control messages and compromise server and domain capabilities; an attacker who has captured the shared secret can do exactly that.

“Once we know the shared secret it’s game over,” said ERNW GmbH researcher Matthias Luft.

The researchers reverse-engineered the proprietary protocol used by the Cisco EnergyWise architecture and demonstrated how an attacker can hijack EnergyWise domains to run denial-of-service attacks.

Cisco responded with a security advisory: “A vulnerability in the EnergyWise module of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device.

The vulnerability is due to improper parsing of crafted EnergyWise packets destined to an affected device. An attacker could exploit this vulnerability by sending a crafted EnergyWise packet to be processed by an affected device. An exploit could allow the attacker to cause a reload of the affected device,” states the advisory.

Cisco informed its customers that devices running an affected release of Cisco IOS or Cisco IOS XE Software and configured for EnergyWise operation are affected by this vulnerability. The EnergyWise feature is not enabled by default, so a device that has never been configured for it is not exposed.

It is easy to verify whether a device is configured for EnergyWise: run the show run | include energywise command on the device.

The following example is the output of the show run | include energywise command on a Cisco IOS device configured with the minimum EnergyWise configuration needed to enable its operation. Note that the output also discloses the domain name and the domain shared secret; the 0 keyword means the secret is stored unencrypted in the configuration, so configuration backups and terminal logs containing this line deserve the same protection as the secret itself:

Router#show run | include energywise
energywise domain test_domain security shared-secret 0 test123
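As an added example that is not part of the original article and not Cisco tooling, the following Python script applies the same check to saved running-config dumps across a fleet of devices: it emulates show run | include energywise, reports which devices are configured for EnergyWise (and are therefore in scope for the advisory), and notes whether the domain shared secret is stored in clear text. The sample configurations are constructed for illustration; the optional 0/7 encryption-type keyword and the ntp-shared-secret variant are assumed from Cisco's IOS EnergyWise command syntax and are not shown on the page.

```python
import re
from typing import Dict, List

# Matches the EnergyWise domain line from the advisory, e.g.
#   energywise domain test_domain security shared-secret 0 test123
# The optional encryption-type keyword (0 = unencrypted, 7 = Cisco type-7)
# and the ntp-shared-secret variant are assumed from Cisco's IOS EnergyWise
# command syntax; only the "shared-secret 0" form appears in the advisory.
DOMAIN_RE = re.compile(
    r"^\s*energywise\s+domain\s+(?P<domain>\S+)\s+security\s+"
    r"(?P<kind>ntp-shared-secret|shared-secret)"
    r"(?:\s+(?P<enc>[07]))?\s+(?P<secret>\S+)"
)


def grep_energywise(running_config: str) -> List[str]:
    """Emulate 'show run | include energywise' on a saved config dump."""
    return [ln.rstrip() for ln in running_config.splitlines() if "energywise" in ln]


def assess_energywise(running_config: str) -> Dict[str, object]:
    """Report whether a config puts the device in scope for the advisory.

    Per the advisory only devices configured for EnergyWise are affected and
    the feature is off by default, so no matching line means not affected,
    whatever the IOS release. The secret type is reported because the
    'show run' output discloses the domain secret as well.
    """
    lines = grep_energywise(running_config)
    result: Dict[str, object] = {
        "configured": bool(lines),
        "domain": None,
        "secret_type": None,
        "cleartext_secret": False,
        "lines": lines,
    }
    for ln in lines:
        m = DOMAIN_RE.match(ln)
        if m:
            # Assumption: a missing type keyword means an unencrypted secret,
            # as with other IOS password commands.
            enc = m.group("enc") or "0"
            result["domain"] = m.group("domain")
            result["secret_type"] = enc
            result["cleartext_secret"] = enc == "0"
            break
    return result


def affected_devices(configs: Dict[str, str]) -> List[str]:
    """Return hostnames whose saved config has EnergyWise enabled."""
    return sorted(h for h, cfg in configs.items() if assess_energywise(cfg)["configured"])


# Constructed sample configs for illustration (not captured from real devices).
CONFIG_AFFECTED = """\
hostname edge-sw-1
!
energywise domain test_domain security shared-secret 0 test123
!
interface GigabitEthernet0/1
 energywise level 10
!
end
"""

CONFIG_TYPE7 = """\
hostname edge-sw-2
!
energywise domain campus security shared-secret 7 0822455D0A16
!
end
"""

CONFIG_CLEAN = """\
hostname core-rtr-1
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""

SAMPLE_FLEET = {
    "edge-sw-1": CONFIG_AFFECTED,
    "edge-sw-2": CONFIG_TYPE7,
    "core-rtr-1": CONFIG_CLEAN,
}

if __name__ == "__main__":
    for host, cfg in SAMPLE_FLEET.items():
        r = assess_energywise(cfg)
        print(f"{host}: configured={r['configured']} domain={r['domain']} "
              f"secret_type={r['secret_type']} cleartext={r['cleartext_secret']}")
    print("in scope for the advisory:", affected_devices(SAMPLE_FLEET))
```

A device shows up as affected whenever any EnergyWise configuration is present, not only when the shared secret is in clear text; the secret type is reported separately because the same output that confirms exposure to the reload bug also hands over the secret that, per ERNW's research, lets an attacker hijack the domain.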

Cisco has already released software updates that fix this vulnerability; devices configured for EnergyWise should be upgraded to a fixed release.

Pierluigi Paganini

(Security Affairs –  Cisco EnergyWise, hacking)  
