-
Cisco is aware of the recent joint technical alert from US-CERT (TA18-106A) that details known issues which require that customers take steps to protect their networks against cyber-attacks. Providing transparency and guidance to help customers best protect their network is a top priority. Cisco security teams have been actively informing customers about the necessary steps to secure Smart Install and the other protocols addressed in the joint alert through security advisories, blogs, and direct communications. Today’s announcement is another reminder of the importance of striving for constant improvement in managing vulnerabilities and in implementing security hygiene best practices.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180416-tsa18-106a
-
Securing Device Management Protocols
Management sessions to network devices provide the ability to view and collect information about a device and its operations. If this information is disclosed to a malicious user, the device can become the target of an attack, compromised, and used to perform additional attacks. Anyone with privileged access to a device has the capability for full administrative control of that device. It is imperative to secure management sessions in order to prevent information disclosure and unauthorized access.
For each of the targeted protocols, Cisco advocates that customers follow best practices in the securing and hardening of their network devices. Specific best practice recommendations for each of the targeted protocols listed in the joint technical alert are provided here.
Telnet & HTTP
Because information can be disclosed in an interactive management session, this traffic must be encrypted so that a malicious user cannot gain access to the data that is transmitted. Traffic encryption allows a secure remote access connection to the device. If the traffic for a management session is sent over the network in clear text (for example, using Telnet on TCP port 23 or HTTP on TCP port 80), an attacker can obtain sensitive information about the device and the network.
Recommendations: Use Encrypted Protocols for Interactive Management
- Utilize Secure Shell (SSH) using SSHv2 as described in the Secure Interactive Management Sessions section of the Cisco Guide to Harden Cisco IOS Devices.
- Utilize a secure HTTP server as described in the Encrypt Management Sessions section of the Cisco Guide to Harden Cisco IOS Devices.
Simple Network Management Protocol (SNMP)
It is critical that SNMP (on UDP ports 161 & 162) be properly secured in order to protect the confidentiality, integrity, and availability of both the network data and the network devices through which this data transits. SNMP provides information on the health of network devices. This information should be protected from malicious users that want to leverage this data in order to perform attacks against the network.
Recommendation: Secure SNMP
Secure SNMP as described in the Fortify Simple Network Management Protocol section of the Cisco Guide to Harden Cisco IOS Devices.
Cisco Smart Install (SMI port 4786)
Cisco Smart Install is a legacy feature that provides zero-touch deployment for new switches, typically access layer switches, and incorporates no authentication by design. Newer technology, such as the Cisco Network Plug and Play feature, is highly recommended for more secure setup of new switches. If not properly disabled or secured following setup, Smart Install could allow for the exfiltration and modification of configuration files, among other things, even without the presence of a vulnerability.
Recommendations: Disable/Minimize Exposure of Smart Install
Our recommendation for customers not actually using Smart Install is to disable the feature using the no vstack command once setup is complete. Customers who do use the feature—and need to leave it enabled—can use access control lists (ACLs) to block incoming traffic on TCP port 4786 (the proper security control). Additionally, patches for known security vulnerabilities should be applied as part of standard network security management. More information on the use of Smart Install and how to determine/limit the exposure of this feature can be found in the Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature security advisory.
Warning (Login) Banners
From a security point of view, rather than legal, a login banner should not contain any specific information about the router name, model, software, or ownership. Malicious users can abuse this information.
Recommendation: Minimize Device Information in Login Banner
Follow the guidelines on warning banners as described in the Warning Banners section of the Cisco Guide to Harden Cisco IOS Devices.
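The Telnet/HTTP, SNMP and Smart Install recommendations above all translate into a handful of checks on an IOS running-config. The following audit script is an added example, not Cisco's tooling or part of this advisory; both sample configs are constructed, and the Smart Install check assumes the device is a client whose only visible indicator is an explicit "no vstack" line (IOS does not print the default enabled state).

```python
import re

# Constructed sample running-config (not from a real device) showing the weak
# settings the advisory calls out: Smart Install left on, Telnet/HTTP, SNMPv2c.
WEAK_CONFIG = """\
hostname core-rtr-01
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""

# The same device after the advisory's recommendations are applied.
HARDENED_CONFIG = """\
hostname core-rtr-01
no vstack
no ip http server
ip http secure-server
ip ssh version 2
snmp-server group ADMIN v3 priv
line vty 0 4
 transport input ssh
"""

def audit_ios_config(config: str) -> list:
    """Return (protocol, finding) tuples for management settings the advisory says to fix."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []
    # IOS omits Smart Install's default (enabled) state; only an explicit 'no vstack' proves it is off.
    if "no vstack" not in lines:
        findings.append(("smart-install", "Smart Install not disabled: add 'no vstack' or block TCP/4786 with an ACL"))
    if "ip http server" in lines:
        findings.append(("http", "clear-text HTTP server enabled: replace with 'ip http secure-server'"))
    if "ip ssh version 2" not in lines:
        findings.append(("ssh", "SSH not pinned to v2: add 'ip ssh version 2'"))
    # SNMPv1/v2c community strings cross the network in clear text; flag each one.
    for l in lines:
        m = re.match(r"snmp-server community (\S+)", l)
        if m:
            findings.append(("snmp", f"SNMPv1/v2c community '{m.group(1)}': migrate to SNMPv3 with auth/priv"))
    # Each 'line vty' block must restrict transport input to SSH only.
    for m in re.finditer(r"^(line vty[^\n]*)\n((?: .*\n?)*)", config, re.M):
        t = re.search(r"^ transport input (.+)$", m.group(2), re.M)
        if not t or t.group(1).split() != ["ssh"]:
            findings.append(("telnet", f"{m.group(1)}: transport input {t.group(1) if t else '(default)'}: set 'transport input ssh'"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ios_config(cfg) or "no findings")
```

Feed it the output of "show running-config" from a saved text file; the weak sample produces five findings and the hardened sample none.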
Additional Support
Customers who suspect that their devices are potentially being exploited by the attacks described in US-CERT Alert TA18-106A should contact their support team (Advanced Services, TAC, etc.) and provide additional details as requested by Cisco.
Conclusion
The protocols leveraged by the attacks described in US-CERT Alert TA18-106A are among the most common protocols used in the management of network devices. Unfortunately, many of these protocols, if not secured according to best practices, provide attackers with information about the devices that can be leveraged for nefarious purposes. It is highly recommended that customers follow the best practices contained in this document to mitigate the effects of the attacks referenced in US-CERT Alert TA18-106A.
References
Cisco Best Practices
- Cisco Guide to Harden Cisco IOS Devices
- Cisco Guide to Harden Cisco IOS XR Devices
- Cisco Guide to Securing Cisco NX-OS Software Devices
- Cisco Firewall Best Practices Guide
- Protecting Your Core: Infrastructure Protection Access Control Lists
- Control Plane Policing Implementation Best Practices
Related Cisco Security Advisories
- Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature
- Cisco IOS Software Smart Install Remote Code Execution Vulnerability
- Cisco IOS Software Smart Install Denial of Service Vulnerability
- Cisco IOS Software Smart Install Denial of Service Vulnerability
- Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability
- Cisco IOS and IOS XE Software Smart Install Memory Leak Vulnerability
- Cisco Smart Install Protocol Misuse (first published 14-Feb-2017)
- Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability (first published 28-Mar-2018)
- Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability (first published 28-Mar-2018)
- Cisco Event Response: Cisco ASA and IOS Vulnerabilities
- Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability
Industry References
- Alert (TA18-106A): Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices
- Russia government hackers attacking critical national infrastructure in UK and US
- U.S. pins yet another cyberattack on Russia
- U.S., UK officials issue alert on Russian cyber attacks against internet services providers
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version  Description              Section  Status  Date
1.0      Initial public release.  —        Final   2018-April-16
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.