Pierluigi Paganini May 11, 2017

Cisco patched the critical CVE-2017-3881 flaw that affects CISCO Catalyst switches and that can be potentially exploited by attackers to hijack networks.

Cisco patched a critical security flaw, tracked as CVE-2017-3881, affecting its CISCO Catalyst switches that can be potentially exploited by attackers to hijack networks.

The vulnerability was disclosed in the CIA Vault 7 data leak, according to Switchzilla a remote attacker can exploit it by simply establishing a Telnet connection and sending a cluster management protocol (CMP) command to the affected network device.

“The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors:

• The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and
• The incorrect processing of malformed CMP-specific Telnet options.

” reads the Cisco security advisory published on Monday.

The vulnerability affects the default configuration of the flawed devices even when the user doesn’t have switch clusters configured, and can be exploited over either IPv4 or IPv6.

“An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections,” 

Artem Kondratenko published the CVE-2017-3881 Cisco Catalyst RCE Proof-Of-Concept exploit code.

“Do you still have telnet enabled on your Catalyst switches? Think twice, here’s a proof-of-concept remote code execution exploit for Catalyst 2960 switch with latest suggested firmware. Check out the exploit code here.” wrote Kondratenko.”What follows is a detailed write-up of the exploit development process for the vulnerability leaked from CIA’s archive on March 7th 2017 and publicly disclosed by Cisco Systems on March 17th 2017. At the time of writing this post there is no patch available. Nonetheless there is a remediation – disable telnet and use SSH instead.”

Just after the disclosure of the CVE-2017-3881 flaw, CISCO confirmed that the IOS / IOS XE bug affects more than 300 of its switch models, including Cisco Catalyst, Embedded Services, and Industrial Ethernet switch models.

As mitigation measures, experts from CISCO suggested to disabled Telnet connections, SSH remains the best option to remotely access the devices.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CVE-2017-3881, Cisco Catalyst)

[adrotate banner=”13″]