Cisco PSIRT – Mitigating and Detecting Potential Abuse of Cisco Smart Install Feature
Cisco PSIRT has become aware of attackers potentially abusing the Smart Install (SMI) feature in Cisco IOS and IOS XE Software. While this is not considered a vulnerability, PSIRT published a Cisco Security Response on February 14, 2017 to inform customers about possible abuse of the Smart Install feature if it remains enabled after device installation. The Security Response also provides guidance on actions customers should consider to protect their networks against abuse of this setup feature.
New tools: The Cisco Talos group has developed a tool that customers can use to scan their environment for devices that have the Smart Install feature enabled. Simply scanning for an open TCP port 4786 is not sufficient: the port is also used by other protocols, so a port scan alone can produce false positives. For more information, see Cisco Coverage for Smart Install Client Protocol Abuse.
Cisco has also published a new IPS signature and new Snort rules that help detect the use of Smart Install protocol messages in customer networks.
Mitigation: If customers find devices in their network that still have the Smart Install feature enabled, Cisco strongly recommends that they disable the feature with the no vstack global configuration command.
Otherwise, customers should apply the security controls appropriate for the Smart Install feature and their environment. The recommendations noted below and in the Security Response reduce the risk of attackers abusing this feature.
Cisco Smart Install is a legacy feature that provides zero-touch deployment for new switches, typically access layer switches. The feature was designed for use within the local customer network and should not be exposed to untrusted networks. Newer technology, such as the Cisco Network Plug and Play feature, is recommended for more secure setup of new switches, though Smart Install remains an option for platforms that do not currently support Cisco Network Plug and Play.
A Smart Install network consists of one Smart Install director switch or router, also known as the integrated branch director (IBD), and one or more Smart Install client switches, also known as integrated branch clients (IBCs). Only Smart Install client switches are affected by the abuse described in this document.
The Smart Install feature is enabled by default on client switches. No configuration is needed on Smart Install client switches.
The following example shows the output of the show vstack config command on a Cisco Catalyst switch with the Smart Install client feature enabled:
switch#show vstack config | inc Role
 Role: Client (SmartInstall enabled)
If left enabled on IBCs, the absence of an authorization or authentication mechanism in the Smart Install (SMI) protocol used by Smart Install clients and a Smart Install director could allow an attacker to send crafted SMI protocol messages as if those messages were sent from the Smart Install director. This could allow the attacker to perform any of the following actions on a targeted system:
If the management IP address of a client switch is exposed to the Internet, an attacker could abuse Smart Install features remotely.
To mitigate the risk of abuse, Cisco recommends that customers implement the security best practices discussed in the following documents:
While there are no obvious indicators of an attacker abusing the Smart Install capabilities, Cisco recommends that customers look for any unscheduled device configuration changes, reloads, or access from external IP addresses.
One exception is abuse that involves writing to a Smart Install client switch. If write operations are induced via the Smart Install feature and the logging level is set to 6 (informational) or higher, the following message appears in the logs:
%SMI-6-UPGRD_STARTED: Device (IP address: 0.0.0.0) startup-config upgrade has started
In addition to local logs on client switches and logs that a client switch sends to a syslog server, customers should also look into firewall logs and NetFlow data.
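As an added example (not Cisco's code, and not part of the Security Response), the following Python script applies the hunting guidance above to switch syslog output: it flags any SMI facility message such as %SMI-6-UPGRD_STARTED, configuration changes (%SYS-5-CONFIG_I) sourced from outside an assumed management prefix, and configuration changes or reloads (%SYS-5-RELOAD) outside an assumed maintenance window. The trusted prefix, the maintenance window, the hostnames and the log lines themselves are constructed for the example; the message mnemonics are standard Cisco IOS ones, but the exact wording of the RELOAD and CONFIG_I lines varies with platform and release, so adjust the regular expressions to match your own logs.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# ASSUMPTION: management prefixes from which configuration changes are expected.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# ASSUMPTION: hours (device local time) in which changes and reloads are scheduled.
MAINT_WINDOW = (8, 18)  # 08:00 <= hour < 18:00

# Constructed sample lines in the "<host> <seq>: <timestamp>: %FAC-SEV-MNEMONIC: text"
# layout produced by "service sequence-numbers" and "service timestamps log datetime msec".
SAMPLE_LOGS = """\
sw-access-07 1042: *Feb 15 02:11:02.991: %SMI-6-UPGRD_STARTED: Device (IP address: 0.0.0.0) startup-config upgrade has started
sw-access-07 1043: *Feb 15 02:11:39.120: %SYS-5-RELOAD: Reload requested by admin on vty0 (10.1.1.5). Reload Reason: Reload Command.
sw-access-02 887: *Feb 15 09:30:11.876: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.20.30.40)
sw-access-02 901: *Feb 15 23:47:54.300: %SYS-5-CONFIG_I: Configured from console by vty1 (203.0.113.25)
sw-access-02 902: *Feb 15 23:50:01.000: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.1.1.5)
sw-access-02 903: *Feb 15 09:59:59.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up
"""

LINE_RE = re.compile(
    r"^(?P<host>\S+) \d+: \*?(?P<ts>\w{3} +\d+ (?P<hour>\d{2}):\d{2}:\d{2}(?:\.\d+)?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)
# Source address as IOS prints it for vty sessions, e.g. "... on vty0 (10.1.1.5)".
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


@dataclass
class Finding:
    host: str
    reason: str
    line: str


def parse_line(line: str) -> dict | None:
    """Split one syslog line into host, hour, facility, mnemonic and message text."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def in_maint_window(hour: int) -> bool:
    return MAINT_WINDOW[0] <= hour < MAINT_WINDOW[1]


def analyze(log_text: str) -> list[Finding]:
    """Return one Finding per line that matches the Smart Install hunting guidance."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host, hour = rec["host"], int(rec["hour"])
        fac, mnem, msg = rec["facility"], rec["mnemonic"], rec["msg"]
        if fac == "SMI":
            # Any SMI message on a client switch means a Smart Install write occurred;
            # this only appears if logging is at level 6 (informational) or higher.
            findings.append(Finding(host, f"Smart Install activity: {mnem}", raw))
        elif fac == "SYS" and mnem == "CONFIG_I":
            ip = IP_RE.search(msg)
            src = ip.group(1) if ip else None
            if src is not None and not is_trusted(src):
                findings.append(Finding(host, f"config change from untrusted address {src}", raw))
            elif not in_maint_window(hour):
                findings.append(Finding(host, "config change outside maintenance window", raw))
        elif fac == "SYS" and mnem == "RELOAD" and not in_maint_window(hour):
            findings.append(Finding(host, "reload outside maintenance window", raw))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.host}: {f.reason}\n    {f.line}")
```

Run against the constructed sample, the script reports the SMI upgrade and the reload on sw-access-07, the change from 203.0.113.25 and the 23:50 change on sw-access-02, and stays silent on the in-window change from the trusted management prefix. Feed it the same lines your syslog collector receives; correlating the flagged hosts with firewall and NetFlow records for TCP port 4786 then confirms whether the writes came from the legitimate director.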
Cisco has published Intrusion Prevention System (IPS) signature ID 7856-0 as well as Snort rules 41722-41725 to help detect the use of Smart Install protocol messages in customer networks. Please see the Talos blog post referenced under New tools above for details on the Snort rules.
To avoid false positives, this signature and these Snort rules should be enabled only in networks that do not use the Smart Install feature, or at points in the network where Smart Install protocol messages are not expected to be seen.
The following best practices should also be used to provide more visibility into possible anomalies in an environment: