On March 7, Wikileaks published a large volume of documents allegedly leaked from the CIA, dubbed Vault7. Among the many technologies now revealed to be at risk are more than 300 Cisco switch models.
Cisco first published its security advisory on the Vault7 leaks on March 17, identifying one flaw in particular with widespread implications. The CVE-2017-3881 vulnerability is titled “Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability.”
“A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges,” Cisco warns in its advisory.
The advisory also warns that there are currently no workarounds for the flaw, and as of this writing there is no patch for the issue either. The flaw affects a wide range of Cisco Catalyst switches as well as the Cisco IE Industrial Ethernet switch product line.
While there are no patches, there are several steps Cisco users can take to reduce the risk of exploitation of CVE-2017-3881. For one, Cisco has released updated Intrusion Prevention System (IPS) signatures, for both its commercial IPS products and the open-source Snort engine, to help detect exploit attempts.
The flaw can also be partly mitigated by disabling the Telnet protocol on the affected switching hardware. The vulnerable code handles CMP-specific Telnet options, and an affected device accepts and processes those options on any incoming Telnet connection rather than only on sessions between cluster members, so turning off Telnet removes the path by which a remote attacker reaches it. Cisco recommends that organizations disable Telnet in favor of the more secure SSH (Secure Shell) protocol and provides guidance on how to do so.
“Customers unable or unwilling to disable the Telnet protocol can reduce the attack surface by implementing infrastructure access control lists (iACLs),” Cisco advises.
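As an added example (not Cisco's code and not part of the original article), the following Python script audits a saved IOS running-config for the two controls Cisco describes: it flags every `line vty` stanza that still accepts Telnet or has no access list attached, and emits the IOS commands that restrict the line to SSH and attach the list. The running-config, the hostname and the ACL name MGMT-ONLY are constructed for the example. The list is applied with `access-class` on the vty lines, which limits which source addresses may open a management session at all; that is a simpler control than the interface-level infrastructure ACLs Cisco's guidance refers to, chosen here so the whole check fits in one file.

```python
"""Audit a Cisco IOS running-config for Telnet exposure on vty lines.

Added example, not Cisco's code. It parses the `line vty` stanzas of a
running-config, reports lines that still accept Telnet (the transport over
which CVE-2017-3881 is reached) or lack an access list, and prints the IOS
commands that restrict the line to SSH and attach the list.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: a hypothetical switch, not any real device's config.
# vty 0-4 is already locked down; vty 5-15 still accepts Telnet and has no ACL.
SAMPLE_CONFIG = """\
hostname CAT-ACCESS-1
!
ip ssh version 2
!
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.0.255
 deny   any log
!
line con 0
 logging synchronous
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
line vty 5 15
 transport input telnet ssh
!
"""

# Keywords after `transport input` that leave TCP/23 listening on the line.
TELNET_KEYWORDS = {"telnet", "all"}


def parse_vty_lines(config: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per `line vty A B` stanza with its relevant settings."""
    stanzas: List[Dict[str, Optional[str]]] = []
    current: Optional[Dict[str, Optional[str]]] = None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            # A top-level line either opens a new stanza or ends the current one.
            current = None
            m = re.match(r"line vty (\d+) (\d+)$", raw.strip())
            if m:
                current = {"range": f"{m.group(1)} {m.group(2)}",
                           "transport_input": None, "access_class": None}
                stanzas.append(current)
            continue
        if current is None:
            continue
        sub = raw.strip()
        if sub.startswith("transport input "):
            current["transport_input"] = sub[len("transport input "):]
        elif sub.startswith("access-class ") and sub.endswith(" in"):
            current["access_class"] = sub.split()[1]
    return stanzas


def telnet_allowed(transport_input: Optional[str]) -> bool:
    """True if the vty line accepts Telnet.

    A missing `transport input` is treated as exposed: on classic IOS the
    vty default permits Telnet, so absence of the command is not evidence
    of safety and should be verified on the device.
    """
    if transport_input is None:
        return True
    return bool(TELNET_KEYWORDS & set(transport_input.split()))


def audit(config: str) -> Dict[str, object]:
    """Report SSHv2 status and, per vty range, Telnet exposure and ACL presence."""
    return {
        "ssh_v2_enabled": bool(re.search(r"^ip ssh version 2$", config, re.M)),
        "vty": [
            {"range": v["range"],
             "telnet_allowed": telnet_allowed(v["transport_input"]),
             "has_iacl": v["access_class"] is not None}
            for v in parse_vty_lines(config)
        ],
    }


def remediation(report: Dict[str, object], acl_name: str = "MGMT-ONLY") -> List[str]:
    """IOS commands closing each gap found: SSH only, plus an access list.

    `ip ssh version 2` presumes an RSA key pair has already been generated
    (`crypto key generate rsa`), which does not appear in a running-config.
    """
    cmds: List[str] = []
    if not report["ssh_v2_enabled"]:
        cmds.append("ip ssh version 2")
    for f in report["vty"]:  # type: ignore[union-attr]
        if f["telnet_allowed"] or not f["has_iacl"]:
            cmds.append(f"line vty {f['range']}")
            if f["telnet_allowed"]:
                cmds.append(" transport input ssh")
            if not f["has_iacl"]:
                cmds.append(f" access-class {acl_name} in")
    return cmds


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for f in report["vty"]:  # type: ignore[union-attr]
        print(f"line vty {f['range']}: telnet_allowed={f['telnet_allowed']} "
              f"has_acl={f['has_iacl']}")
    print("\n".join(remediation(report)))
```

Run against an export of `show running-config` rather than the embedded sample to audit a real device; the script only reads text, so it can be pointed at a directory of saved configs from a config-backup tool without touching the switches themselves.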
This isn’t the first time a leak of alleged U.S. government hacking tools has exposed Cisco equipment to potential risk. In August 2016, Cisco warned of security flaws exposed by the so-called Shadow Brokers data dump. The Shadow Brokers were attempting to sell exploits known as EXTRABACON and EPICBANANA, which targeted Cisco ASA and PIX firewall products.
Sean Michael Kerner is a senior editor at EnterpriseNetworkingPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.