Cisco has conducted an internal investigation and found that the Cluster Management Protocol (CMP) code in Cisco IOS and IOS XE Software contains a vulnerability that exposes affected devices to remote code execution.
The investigation was prompted when WikiLeaks published a set of leaked CIA documents that included material on compromising smartphones and smart TVs. Those documents led Cisco to a weakness affecting more than 300 models of its switches.
Cisco’s security team issued an advisory warning customers running either IOS or IOS XE that their devices could be vulnerable to the attack referenced in the CIA documents released by WikiLeaks.
Listed as ‘critical’ on the Cisco Advisories and Alerts page, the advisory said: “A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.”
The vulnerability stems from CMP’s use of Telnet as its internal signalling protocol between cluster members: the CMP-specific Telnet options are not restricted to that internal traffic, so a device accepts and processes them on any Telnet connection, including one from outside the cluster. The material in the CIA leak showed that an attacker who can open a new Telnet session to an affected device could use this to run arbitrary code on it remotely.
Once in, an attacker could take control of the device and monitor or manipulate all of the traffic passing through the switch. Because the device processes the CMP options on every Telnet session, the exposure cannot be removed while Telnet remains reachable, and at the time of the advisory no software fix was available. The mitigation is to disable incoming Telnet connections on the device (and manage it over SSH instead) or, where Telnet cannot be disabled, to apply an access list that limits Telnet to trusted management hosts.
Paul Calatayud, chief technology officer at FireMon, said: “It is always a good thing when a security vendor takes a proactive approach in discovering and announcing that there is a new exploit. Cisco did the right thing here. Even better, there is a simple fix, which is to disable Telnet, and use stronger protocols that are available and supported.
“This action would be part of any CISO’s best practice anyway, so the question is do you have technologies that can assist in managing configurations to properly inform you that you are using risky protocols? If the answer is no, then the window that attackers have to take advantage of the weak point could be a lot bigger than those who do, making your organisation incredibly vulnerable to attack.”
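The mitigation described above (disable inbound Telnet on the vty lines, or restrict them with an access list) and the configuration-audit question raised in the FireMon comment can be combined into one small check. The following is an added example, not code from the article, from Cisco or from FireMon: it parses the `line vty` blocks of an IOS running-config and flags any that still accept Telnet. The two sample configurations are constructed for the example; the hardened one shows the fix (`transport input ssh` plus an `access-class` on the vty lines). Treating a vty block that sets no `transport input` at all as a finding is an assumption made here, because the platform default differs between IOS releases.

```python
import re
from typing import Dict, List, Optional

# Constructed sample configurations (not taken from the article or from any
# real device). The first leaves Telnet reachable on every vty line; the second
# is the same switch with Telnet removed and management restricted by ACL.
WEAK_CONFIG = """\
hostname edge-sw1
!
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input all
!
end
"""

HARDENED_CONFIG = """\
hostname edge-sw1
!
ip ssh version 2
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 15
 access-class 10 in
 login local
 transport input ssh
!
end
"""

VtyBlock = Dict[str, Optional[object]]


def parse_vty_blocks(config: str) -> List[VtyBlock]:
    """Split a running-config into its 'line vty' blocks.

    IOS indents the sub-commands of a 'line' block with one space, so an
    unindented line ends the block. Each record holds the vty range, the
    'transport input' keywords (None if the block never sets one) and the
    inbound access-class, if any.
    """
    blocks: List[VtyBlock] = []
    current: Optional[VtyBlock] = None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            m = re.match(r"line vty (\d+(?: \d+)?)\s*$", raw)
            current = {"range": m.group(1), "transport": None, "access_class": None} if m else None
            if current:
                blocks.append(current)
            continue
        if current is None:
            continue
        words = raw.split()
        if words[:2] == ["transport", "input"]:
            current["transport"] = words[2:]
        elif words[:1] == ["access-class"] and len(words) >= 2:
            current["access_class"] = words[1]
    return blocks


def audit_telnet(config: str) -> List[str]:
    """Return one finding per vty block that could accept a Telnet session.

    'telnet' or 'all' in 'transport input' means Telnet is enabled. A block
    with no 'transport input' is flagged as well (assumption: the platform
    default varies by IOS release, so treat it as unknown until verified).
    """
    findings: List[str] = []
    for b in parse_vty_blocks(config):
        transport = b["transport"]
        if transport is None:
            findings.append(f"line vty {b['range']}: no 'transport input' set; verify platform default")
            continue
        if "telnet" in transport or "all" in transport:
            msg = f"line vty {b['range']}: Telnet enabled (transport input {' '.join(transport)})"
            if b["access_class"] is None:
                msg += "; no inbound access-class, reachable from any source"
            findings.append(msg)
    return findings


def exposes_telnet(config: str) -> bool:
    """True if any vty block on the device may still accept Telnet."""
    return bool(audit_telnet(config))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_telnet(cfg) or ["no Telnet exposure found"]:
            print(" ", finding)
```

Run against `show running-config` output collected from each switch, the check reports every vty range that still carries Telnet; the hardened configuration produces no findings because `transport input ssh` removes the Telnet listener and the `access-class` limits even SSH to the management subnet. An access list on its own only narrows who can reach the vulnerable code path, so the audit still reports Telnet-enabled lines that have one, just without the "reachable from any source" note.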