A critical vulnerability in the Smart Install feature of many Cisco switches and routers has exposed millions of devices to attack: an internet scan by the researchers who found it turned up roughly 8.5 million devices with the Smart Install port reachable, around 250,000 of them confirmed vulnerable. The flaw can be leveraged by remote, unauthenticated attackers to execute arbitrary code on an affected device, trigger a reload of the device, or send it into an indefinite loop that ends in a watchdog crash.
Proof-of-concept code has been published online by the security firm that discovered the problem, along with technical details. Thus, although the vulnerability is not known to be actively exploited in the wild, Cisco is advising network administrators to install its newly released security updates as soon as possible, and has warned that there are no workarounds.
The bug is a stack-based buffer overflow in the Smart Install client feature of both Cisco IOS Software and Cisco IOS XE Software.
In a blog post, Cisco explains, “Smart Install is a ‘plug-and-play’ configuration and image-management feature that provides zero-touch deployment for new (typically access layer) switches. The feature allows a customer to ship a Cisco switch to any location, install it in the network, and power it on without additional configuration requirements. The Smart Install feature incorporates no authentication by design.”
According to Help Net Security, researchers at the security firm Embedi first discovered the flaw almost a year ago. They initially believed it could only be exploited from inside an enterprise’s own network; as they investigated further, however, they found that millions of affected devices were exposed on the internet.
“Because in a securely configured network, Smart Install technology participants should not be accessible through the internet. But scanning the internet has shown that this is not true,” wrote Embedi. “During a short scan of the internet, we detected 250,000 vulnerable devices and 8.5 million devices that have a vulnerable port open.”
The high number of exposed devices is likely because the Smart Install client listens on TCP port 4786 by default, and Smart Install is supported by a wide range of Cisco routers and switches.
According to Cisco, an attacker can exploit the bug simply by sending a crafted Smart Install message to an affected device on TCP port 4786; because Smart Install has no authentication, no credentials or prior access are needed.
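Since the exposure comes down to whether TCP 4786 is reachable, the first thing a network administrator will want is a quick check of which inventoried devices still answer on that port. The script below is an added example written for this page; it is not code from the article, from Embedi or from Cisco. The inventory rows, hostnames and 192.0.2.x addresses are constructed for illustration, and the probe is a plain TCP connect (it sends no Smart Install message), so it only tells you the port is open, not whether the device is patched.

```python
"""Inventory check for the Cisco Smart Install client port (TCP 4786).

Added example; not code from the article, Embedi or Cisco. The inventory
rows and hostnames below are constructed for illustration.
"""
import csv
import io
import socket
from typing import List, Tuple

SMART_INSTALL_PORT = 4786  # port the Smart Install client listens on by default

# Constructed sample inventory (hypothetical hosts; 192.0.2.0/24 is a
# documentation range, so these addresses are not real devices).
SAMPLE_INVENTORY_CSV = """hostname,ip,role
access-sw-01,192.0.2.10,access
access-sw-02,192.0.2.11,access
core-rtr-01,192.0.2.1,core
"""

Host = Tuple[str, str, str]  # (hostname, ip, role)


def parse_inventory(text: str) -> List[Host]:
    """Parse a hostname,ip,role CSV into (hostname, ip, role) tuples."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["hostname"].strip(), row["ip"].strip(), row["role"].strip())
            for row in reader]


def port_is_open(host: str, port: int = SMART_INSTALL_PORT,
                 timeout: float = 2.0) -> bool:
    """TCP connect probe: True only if the three-way handshake completes.

    A refused connection, a timeout (filtered) and a resolution/route failure
    all count as "not reachable", which is the state every Smart Install port
    should be in from untrusted networks.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers socket.timeout and ConnectionRefusedError
        return False


def find_exposed(inventory: List[Host], port: int = SMART_INSTALL_PORT,
                 timeout: float = 2.0) -> List[str]:
    """Return the hostnames whose Smart Install port accepts connections."""
    return [name for name, ip, _role in inventory
            if port_is_open(ip, port, timeout)]


def format_report(inventory: List[Host], exposed: List[str],
                  port: int = SMART_INSTALL_PORT) -> str:
    """One line per host, flagging devices that need patching or isolation."""
    lines = []
    for name, ip, role in inventory:
        state = "EXPOSED" if name in exposed else "closed/filtered"
        lines.append(f"{name:<16} {ip:<16} {role:<8} tcp/{port} {state}")
    return "\n".join(lines)


def main() -> None:
    inventory = parse_inventory(SAMPLE_INVENTORY_CSV)
    exposed = find_exposed(inventory)
    print(format_report(inventory, exposed))
    if exposed:
        print(f"\n{len(exposed)} device(s) still expose Smart Install; "
              "patch them or block tcp/4786 from untrusted networks.")


if __name__ == "__main__":
    main()
```

Run it only against networks you are authorised to test, and treat an open port as a prompt to check the device's running software version against Cisco's advisory rather than as proof of vulnerability: a patched device can still have TCP 4786 open, and a device behind a filter can still be unpatched.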
Embedi’s discovery of the flaw last year won the company an award at the GeekPwn conference in Hong Kong; it reported the bug to Cisco in September.