Pierluigi Paganini March 20, 2017

After the leak of the CIA Vault7 archive, experts from CISCO warn of Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution flaw.

Recently Wikileaks announced it is planning to share with IT firms details about vulnerabilities in a number of their products, the flaw are exploited by the hacking tools and techniques included in the CIA Vault7 data leak.

Assange sent an email to tech firms including “a series of conditions” that they need to fulfill before gaining access to details included in the Vault7.

But it seems that some IT Giants will not accept the conditions, one of them is CISCO that started its analysis of the documents included in the Vault7 documents. The company has already identified an IOS / IOS XE bug that affects more than 300 of its switch models.

The flaw in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could be exploited by a remote, unauthenticated attacker to remotely execute code with elevated privileges and also to cause a reload of the affected device.

The hack could allow attackers to obtain full control of the vulnerale device.

The Cluster Management Protocol leverages on Telnet internally as a signaling and command protocol between members of the cluster.

“The vulnerability is due to the combination of two factors:

• The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and
• The incorrect processing of malformed CMP-specific Telnet options.”

An attacker could trigger the vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections.

The vulnerability affects the default configuration of the flawed devices even when the user doesn’t have switch clusters configured, and can be exploited over either IPv4 or IPv6.

“An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device”, Cisco’s advisory states.

CISCO advisory confirms that the vulnerability affects 264 Catalyst switches, 51 industrial Ethernet switches, and three other CISCO devices. Of course, the vulnerable devices are all running IOS and configured to accept Telnet connections.

As mitigation measures, experts from CISCO suggest to disabled Telnet connections, SSH remains the best option to remotely access the devices.

At the time I was writing it is not clear if the flaw was exploited in the wild.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CISCO, Vault7)

[adrotate banner=”13″]