Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • Leveraging a protocol misuse issue in the Cisco Smart Install Client, nation-state actors have been able to target critical infrastructure in many countries with cyberattacks.
  • Cisco has released a new open source tool that scans for exposed Cisco Smart Install clients; the issue may affect more than 168,000 systems.

A misuse issue in the Smart Install feature of Cisco switches has allowed hackers to target critical infrastructure in many countries with cyberattacks, according to a Thursday security report from the Cisco Talos team. As many as 168,000 systems may be affected.

According to the report, attackers are abusing a protocol issue in the Cisco Smart Install Client. If an administrator never configures or turns off Smart Install, the client stays enabled in the background, listening on TCP port 4786 for instructions from a director and acting on them without authenticating who sent them.

The post noted that, if abused, the Smart Install protocol can be used to “modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands.”


The Talos team used the search tool Shodan to determine that more than 168,000 systems could be vulnerable to an attack based on this issue. However, in 2016, the cyber security firm Tenable counted 251,000 exposed Cisco Smart Install Clients, the report said.

The report also noted that incidents of scanning for Cisco Smart Install Clients saw a “sharp increase” around November 9, 2017. This doesn’t necessarily indicate malicious behavior, but is interesting nonetheless.

To determine whether a switch's Smart Install Client is active, an admin should run the show vstack config command from privileged EXEC mode, the report said. A Role line reporting the client as enabled means the switch is listening for unauthenticated Smart Install commands. Here's an example:

    switch#show vstack config | inc Role
    Role: Client (SmartInstall enabled)

It's also important to review the device logs for unexpected write operations, configuration loads from TFTP, device reloads, and other indicators that someone has already used the protocol.
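When the check above has to be repeated across many switches, it is easier to collect the output and syslog from each device and run the two tests in code. The block below is an added example written for this page, not code from the Talos report: it parses the Role line of show vstack config and flags the log indicators the report mentions. The sample output and log lines are constructed to resemble Cisco IOS formats (%SYS-5-CONFIG_I and %SYS-5-RELOAD are real IOS message names; the addresses and text around them are made up), and the exact wording on a given platform may differ.

```python
"""Device-side Smart Install checks over collected CLI output and syslog.

Added example, not code from the Talos report. The sample data below is
CONSTRUCTED to resemble IOS output and is not taken from any real device.
"""
import re

# "Role: Client (SmartInstall enabled)" / "... (SmartInstall disabled)"
ROLE_RE = re.compile(
    r"^\s*Role:\s*(?P<role>\w+)\s*\(SmartInstall\s+(?P<state>enabled|disabled)\)",
    re.MULTILINE,
)

# Indicators the report says to look for. Each entry is (label, pattern).
# The message names are real IOS syslog mnemonics; the patterns are ours.
INDICATORS = [
    ("config loaded from TFTP",
     re.compile(r"%SYS-5-CONFIG_I: Configured from tftp://")),
    ("device reload",
     re.compile(r"%SYS-5-RELOAD:")),
    ("config change via vty",
     re.compile(r"%SYS-5-CONFIG_I: Configured from console by \S+ on vty")),
]


def smart_install_status(show_vstack_output: str) -> dict:
    """Return {'role': str|None, 'enabled': bool} parsed from the Role line.

    Works on the full 'show vstack config' output or on the '| inc Role'
    filtered form; a missing Role line yields role=None, enabled=False.
    """
    match = ROLE_RE.search(show_vstack_output)
    if match is None:
        return {"role": None, "enabled": False}
    return {"role": match.group("role"),
            "enabled": match.group("state") == "enabled"}


def find_indicators(log_lines):
    """Return [(label, line)] for every log line matching an indicator.

    The first matching indicator wins, so each line is reported once.
    """
    hits = []
    for line in log_lines:
        for label, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((label, line.strip()))
                break
    return hits


# Constructed sample data (not from a real switch).
SAMPLE_VSTACK = """\
Role: Client (SmartInstall enabled)
Vstack Director IP address: 0.0.0.0
"""

SAMPLE_LOG = [
    "Mar 29 14:02:11.120: %SYS-5-CONFIG_I: Configured from tftp://203.0.113.9/switch-confg by console",
    "Mar 29 14:03:05.433: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.",
    "Mar 29 14:05:40.002: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.7)",
    "Mar 29 14:10:00.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up",
]


if __name__ == "__main__":
    status = smart_install_status(SAMPLE_VSTACK)
    print(f"Smart Install role={status['role']} enabled={status['enabled']}")
    for label, line in find_indicators(SAMPLE_LOG):
        print(f"[{label}] {line}")
```

A configuration load from TFTP immediately followed by a reload is the sequence the report's "replace the IOS image" and "modify the configuration file" abuse cases would produce, so those two indicators together deserve an incident-response look rather than a routine ticket.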

The easiest way to shut down the issue is to run the no vstack command in global configuration mode on an affected device, the report said. If that command isn't available on the platform, restrict access with an access control list (ACL) applied to the interface: the first entry permits Smart Install traffic from a specific source host to the switch's own address on port 4786, the next entry denies every other connection to that port, and the final entry keeps all remaining traffic flowing. Here's what that looks like:

    ip access-list extended SMI_HARDENING_LIST
    permit tcp host host eq 4786
    deny tcp any any eq 4786
    permit ip any any

For additional help, contact the Cisco Technical Assistance Center (TAC) for free incident response assistance.

“In order to secure and monitor perimeter devices, network administrators need to be especially vigilant. It can be easy to ‘set and forget’ these devices, as they are typically highly stable and rarely changed,” the report said. “Combine this with the advantages that an attacker has when controlling a network device, and routers and switches become very tempting targets.”