Vulnerability in Cisco IOS left users without Internet

Date:

2018-04-06 21:15:08


A powerful botnet attack is currently under way. The entire Internet address space is being scanned for a fresh vulnerability in Cisco IOS software that allows commands to be executed remotely on Cisco devices. The bot connects to a device, deletes its configuration and writes its own file in its place.

The vulnerability has been assigned the identifier CVE-2018-0171 and scores 9.8 points on the CVSS scale. If your Internet access has just gone down, or goes down in the near future, there is a high probability that it is due to this vulnerability. Network performance problems are being observed right now, including by the Hi-News.ru team.

Cisco has published a report according to which hundreds of thousands of devices on the Internet are vulnerable through Smart Install. The company has warned critical infrastructure operators about the risks of running vulnerable devices.

Smart Install automates the initial configuration of a new network switch and the download of the current operating system image to it.

Cisco first reported a surge of scans looking for devices with Smart Install enabled in February of last year. At the time it said that hacker groups could use Smart Install to obtain copies of the configurations of affected customers' devices. It also reported that the attackers were using an open-source scanning tool to hunt for vulnerable systems, the Smart Install Exploitation Tool (SIET).

Now Cisco issued a new statement:

"Cisco is aware of a significant increase in the number of attempts to scan for vulnerable devices with Smart Install enabled. As a result of a successful attack, an attacker can modify the configuration file, force the device to reboot, load a new IOS image, and run CLI commands with the highest privileges."

According to experts, some of these attacks were carried out by the group known as Dragonfly, Crouching Yeti or Energetic Bear. Administrators are therefore advised to install the update or to disable SMI, the technology that automates the initial configuration and firmware download for new switches, in the device settings.

The problem is that many owners neither configure nor turn off the SMI protocol, so the client keeps waiting in the background for installation commands. Using the vulnerability, an attacker can change the TFTP server setting and retrieve configuration files over TFTP, alter the switch's main configuration file, replace the IOS image, create a local account, and so gain the ability to log in to the device and execute any command.

To exploit the vulnerability, the attacker needs to reach TCP port 4786, which is open by default. The flaw can reportedly also be used for a DoS attack, sending vulnerable devices into an endless reboot loop.

According to Cisco Talos, 168 thousand switches that support SMI are currently reachable. The analytics group Embedi, however, found more than 8.5 million devices on the Internet with port 4786 open, and on roughly 250,000 of them the patch for the critical vulnerability has not been installed.

Embedi analysts performed penetration tests on Catalyst 4500 Supervisor Engines and on Cisco Catalyst 3850 and Cisco Catalyst 2960 series switches, but most likely every device running Smart Install is affected, namely:

  • Catalyst 4500 Supervisor Engines;
  • Catalyst 3850 Series;
  • Catalyst 3750 Series;
  • Catalyst 3650 Series;
  • Catalyst 3560 Series;
  • Catalyst 2960 Series;
  • Catalyst 2975 Series;
  • IE 2000;
  • IE 3000;
  • IE 3010;
  • IE 4000;
  • IE 4010;
  • IE 5000;
  • SM-ES2 SKUs;
  • SM-ES3 SKUs;
  • NME-16ES-1G-P;
  • SM-X-ES3 SKUs.

Cisco has published instructions for disabling the protocol on affected devices and has also released a tool for scanning local networks or the Internet for vulnerable devices.
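The two pieces of advice above, check whether TCP/4786 is reachable and disable SMI where it is not needed, can be turned into a small audit. The script below is an added example written for this article; it is neither Cisco's scanner nor the SIET tool. It reads `show vstack config` or running-config text collected from each switch to decide whether the Smart Install client is still on, then tests whether port 4786 accepts a connection, and prints a verdict with the `no vstack` mitigation beside it. The connector is injectable so the whole thing runs offline against constructed data. The `Role: Client (SmartInstall enabled)` line format and the rule that only an explicit `no vstack` turns the client off are assumptions based on Cisco's IOS documentation; every host address and command output in the block is constructed.

```python
"""Smart Install (SMI) exposure audit for Cisco IOS switches.

Added example for this article; it is neither Cisco's checker nor the SIET
scanner. It combines the two checks the article's advice implies:
  1. offline: read `show vstack config` (or the running-config) collected from
     each switch and decide whether the Smart Install client is still enabled;
  2. online: test whether TCP/4786, the Smart Install port, accepts connections.
The connect function is injectable so the audit can run without a network.
Assumptions: the `show vstack config` line format and the meaning of an
explicit `no vstack` line follow Cisco's IOS documentation; every host and
command output below is constructed for the example.
"""
import re
import socket
from typing import Callable, Dict, Optional

SMI_PORT = 4786
ConnectFn = Callable[[str, int, float], bool]

# Cisco's recommended mitigation: turn the SMI client off ("no vstack").  Where
# SMI must stay on (directors), restrict TCP/4786 to trusted sources instead.
REMEDIATION = {
    "EXPOSED": ["configure terminal", "no vstack", "end", "write memory"],
    "LIKELY_EXPOSED": ["show vstack config"],
    "INCONSISTENT": ["show vstack config", "show tcp brief all"],
}

_ROLE_RE = re.compile(r"Role:\s*\w+\s*\(SmartInstall\s+(enabled|disabled)\)", re.I)


def smi_enabled_from_vstack(show_output: str) -> Optional[bool]:
    """Parse `show vstack config`; None when the Role line is absent."""
    m = _ROLE_RE.search(show_output)
    return None if m is None else m.group(1).lower() == "enabled"


def smi_enabled_from_running_config(running_config: str) -> bool:
    """SMI is on by default on affected IOS; only an explicit `no vstack` turns it off."""
    return not any(line.strip() == "no vstack" for line in running_config.splitlines())


def tcp_connect(host: str, port: int, timeout: float) -> bool:
    """Real connector: a completed TCP handshake on the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verdict(enabled: Optional[bool], port_reachable: bool) -> str:
    """Combine the config view and the network view into one verdict."""
    if enabled is True:
        return "EXPOSED"
    if enabled is False:
        # Config says off, yet 4786 still answers: a different device behind
        # NAT, a stale session, or a config that was never saved. Re-check.
        return "INCONSISTENT" if port_reachable else "DISABLED"
    return "LIKELY_EXPOSED" if port_reachable else "UNKNOWN"


def audit(devices: Dict[str, Dict[str, str]], connect: ConnectFn = tcp_connect,
          timeout: float = 2.0) -> Dict[str, str]:
    """devices maps host -> {"vstack": <show vstack config>, "config": <running-config>}."""
    report = {}
    for host, info in devices.items():
        enabled = smi_enabled_from_vstack(info.get("vstack", ""))
        if enabled is None and "config" in info:
            enabled = smi_enabled_from_running_config(info["config"])
        report[host] = verdict(enabled, connect(host, SMI_PORT, timeout))
    return report


# Constructed sample data: outputs as they would be pasted from the switches.
SAMPLE_DEVICES = {
    "10.0.0.1": {"vstack": " Role: Client (SmartInstall enabled)\n Vstack Director IP address: 0.0.0.0\n"},
    "10.0.0.2": {"vstack": " Role: Client (SmartInstall disabled)\n"},
    "10.0.0.3": {"config": "hostname sw3\n!\nno vstack\n!\nend\n"},
    "10.0.0.4": {"config": "hostname sw4\n!\nend\n"},
    "10.0.0.5": {"vstack": " Role: Client (SmartInstall disabled)\n"},
    "10.0.0.6": {},
}
SAMPLE_OPEN_4786 = {"10.0.0.1", "10.0.0.4", "10.0.0.5"}


def fake_connect(host: str, port: int, timeout: float) -> bool:
    """Offline stand-in for tcp_connect driven by the constructed sample."""
    return port == SMI_PORT and host in SAMPLE_OPEN_4786


if __name__ == "__main__":
    for host, result in audit(SAMPLE_DEVICES, connect=fake_connect).items():
        print(f"{host:<12} {result:<14} {' ; '.join(REMEDIATION.get(result, []))}")
```

For a live run, call `audit(devices)` without the `connect` argument and only against networks you are authorised to scan. An answering port 4786 on its own is strong evidence, not proof: Cisco's own checker goes further and speaks the Smart Install protocol to the port, which this example deliberately leaves out.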
