Cisco PSIRT – Mitigating and Detecting Potential Abuse of Cisco Smart Install Feature

By Michael Schueler, Customer Support Engineer at Cisco Systems

March 1, 2017

Cisco PSIRT has become aware of attackers potentially abusing the Smart Install (SMI) feature in Cisco IOS and IOS XE Software. While this is not considered a vulnerability, PSIRT published a Cisco Security Response on February 14, 2017 to inform customers about possible abuse of the Smart Install feature if it remains enabled after device installation. The Security Response also provides guidance on actions customers should consider to protect their networks against abuse of this setup feature.

New tools: The Cisco Talos group has developed a tool that customers can use to scan for devices that have the Smart Install feature enabled in their environment. Just scanning for TCP port 4786 being open is not sufficient, as this port is used by other protocols as well and might thus result in false positives. For more information, see Cisco Coverage for Smart Install Client Protocol Abuse.

Cisco has also published a new IPS signature and new Snort rules that help detect the use of Smart Install protocol messages in customer networks.

Mitigation: If customers find devices in their network that continue to have the Smart Install feature enabled, Cisco strongly recommends that they disable the Smart Install feature with the no vstack configuration command.

Otherwise, customers should apply the appropriate security controls for the Smart Install feature and their environment. The recommendations noted below and in the Security Response will avoid the risk of attackers abusing this feature.

Details

Cisco Smart Install is a legacy feature that provides zero-touch deployment for new switches, typically access layer switches. The feature has been designed for use within the local customer network and should not be exposed to untrusted networks. Newer technology, such as the Cisco Network Plug and Play feature, is recommended for more secure setup of new switches, though the Smart Install feature remains an option for platforms that do not currently support the Cisco Network Plug and Play feature.

A Smart Install network consists of one Smart Install director switch or router, also known as the integrated branch director (IBD), and one or more Smart Install client switches, also known as integrated branch clients (IBCs). Only Smart Install client switches are affected by the abuse described in this document.

The Smart Install feature is enabled by default on client switches. No configuration is needed on Smart Install client switches.

The following example shows the output of the show vstack config command in a Cisco Catalyst Switch with the Smart Install client feature enabled:

switch#show vstack config | inc Role
 Role: Client (SmartInstall enabled)

If left enabled on IBCs, the absence of an authorization or authentication mechanism in the Smart Install (SMI) protocol used by Smart Install clients and a Smart Install director could allow an attacker to send crafted SMI protocol messages as if those messages were sent from the Smart Install director. This could allow the attacker to perform any of the following actions on a targeted system:

  • Change the TFTP server address on an IBC.
  • Copy an IBC’s startup-config file to a previously changed, attacker-controlled TFTP server.
  • Substitute a client’s startup-config file with a file that the attacker prepared, and force a reload of that IBC after a defined time interval.
  • Load an attacker-supplied IOS Software image onto an IBC.
  • Execute high-privilege configuration mode CLI commands on an IBC, including “do-exec” CLI commands. Any output of or prompt resulting from the command(s) run will appear on the IBC’s local console. This is possible only in Cisco IOS Software releases 15.2(2)E and later, and Cisco IOS XE Software releases 3.6.0E and later.

If the management IP address of a client switch is exposed to the Internet, an attacker could abuse Smart Install features remotely.

Recommendations

To mitigate the risk of abuse, Cisco recommends that customers implement the security best practices discussed in the following documents:


Warning Indicators

While there are no obvious indicators of an attacker abusing the Smart Install capabilities, Cisco recommends that customers look for any unscheduled device configuration changes, reloads, or access from external IP addresses.

The exception is abuse that involves writing to a Smart Install client switch. If write operations are induced via the Smart Install feature and the logging level is set to 6 (“informational”) or higher, the following message will appear in the logs:

%SMI-6-UPGRD_STARTED: Device (IP address: 0.0.0.0) startup-config upgrade has started

In addition to local logs on client switches and logs that a client switch sends to a syslog server, customers should also look into firewall logs and NetFlow data.
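As an added illustration (not part of the original Cisco post) of the indicators described above, the following Python triage routine scans syslog lines for the %SMI-6-UPGRD_STARTED message and flags configuration changes or reloads that come from addresses outside an assumed management range or fall outside an assumed change window. The sample log lines, the management subnet, the maintenance window and the %SYS-5-CONFIG_I / %SYS-5-RELOAD message formats are constructed assumptions for this example.

```python
import ipaddress
import re
from datetime import datetime, time

# Constructed sample syslog lines (not from the article). The %SMI-6-UPGRD_STARTED
# text is the one quoted above; the %SYS-5 message formats are assumed.
SAMPLE_LOGS = [
    "Mar  1 02:14:07 sw-access-1 %SMI-6-UPGRD_STARTED: Device (IP address: 0.0.0.0) startup-config upgrade has started",
    "Mar  1 02:14:09 sw-access-1 %SYS-5-CONFIG_I: Configured from console by vty0 (203.0.113.7)",
    "Mar  1 10:30:00 sw-access-2 %SYS-5-CONFIG_I: Configured from console by vty1 (10.10.0.5)",
    "Mar  1 22:05:00 sw-access-3 %SYS-5-RELOAD: Reload requested by admin on vty0 (10.10.0.5). Reload Reason: scheduled",
]

MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # assumed trusted management range
MAINT_WINDOW = (time(22, 0), time(23, 59, 59))      # assumed approved change window

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<mnemonic>%[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$")
SRC_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

def is_external(ip):
    """True when the source address is outside every trusted management range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in MGMT_NETS)

def in_maint_window(ts):
    """True when the syslog timestamp falls inside the approved change window."""
    t = datetime.strptime(ts, "%b %d %H:%M:%S").time()
    return MAINT_WINDOW[0] <= t <= MAINT_WINDOW[1]

def triage(lines):
    """Return (host, reason, line) for every line that warrants investigation."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, mnemonic, text = m.group("ts", "host", "mnemonic", "text")
        if mnemonic == "%SMI-6-UPGRD_STARTED":
            # Emitted only when SMI writes a startup-config, so always worth a look.
            alerts.append((host, "smi-config-write", line))
        elif mnemonic in ("%SYS-5-CONFIG_I", "%SYS-5-RELOAD"):
            reasons = []
            src = SRC_IP_RE.search(text)
            if src and is_external(src.group(1)):
                reasons.append("external-source")
            if not in_maint_window(ts):
                reasons.append("unscheduled")
            if reasons:
                alerts.append((host, "+".join(reasons), line))
    return alerts
```

Feed `triage()` the lines collected on a syslog server; the SMI message is not generated by Smart Install read operations, so the config-change and reload checks still matter for the other abuse cases listed above.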

Cisco has published Intrusion Prevention System (IPS) signature ID 7856-0 as well as Snort rules 41722-41725 to help detect the use of Smart Install protocol messages in customer networks. Please see the Talos blog post referenced under New Tools above for details on the Snort rules.

To avoid false positives, this signature and the Snort rules should be enabled only in networks not using the Smart Install feature, or at places in the network where Smart Install protocol messages are not expected to be seen.

The following best practices should also be used to provide more visibility into possible anomalies in an environment:

  • Implement supplemental instrumentation focused on high-value network segments, devices, and individuals. This provides oversight of network devices and enables traffic monitoring. For more information, see Telemetry-Based Infrastructure Device Integrity Monitoring.
  • Implement Cisco IOS NetFlow to gain visibility into traffic flows that emanate from each portion of the network and to evaluate actual traffic against expected traffic.
  • Monitor network device event logging to identify unexpected network device-level activity.

For additional best practices, see the Cisco Guide to Harden Cisco IOS Devices and the Cisco IOS Image Verification white paper.
