Cisco Finally Patches 0-Day Exploit Disclosed In Wikileaks-CIA Leak

Cisco Systems has finally released an update for its IOS and IOS XE software to address a critical vulnerability, disclosed nearly two months back in the CIA Vault 7 leak, that affects more than 300 of its switch models.

The company identified the vulnerability in its product while analyzing “Vault 7” dump — thousands of documents and files leaked by Wikileaks, claiming to detail hacking tools and tactics of the U.S. Central Intelligence Agency (CIA).

As previously reported, the vulnerability (CVE-2017-3881) resides in the Cluster Management Protocol (CMP) — which uses Telnet or SSH to deliver signals and commands on internal networks — in Cisco IOS and Cisco IOS XE Software.

The vulnerability can be exploited remotely by sending “malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections,” researchers say.

The company warned users on April 10 that an exploit targeting the flaw had been made public (here’s a proof-of-concept (PoC) exploit) and provided some mitigation advice, but patched the issue this week only.

Once exploited, an unauthenticated, remote attacker can remotely execute malicious code on a device with elevated privileges to take full control of the device or cause a reboot of the affected device.

The vulnerability is in the default configuration of the affected Cisco devices and affects 264 Catalyst switches, 51 industrial Ethernet switches, and 3 other devices if they are running IOS and are configured to accept Telnet connections.

The affected Cisco switch models include Catalyst switches, Embedded Service 2020 switches, IE Industrial Ethernet switches, ME 4924-10GE switch, Enhanced Layer 2/3 EtherSwitch Service Module, Enhanced Layer 2 EtherSwitch Service Module, RF Gateway 10, SM-X Layer 2/3 EtherSwitch Service Module, and Gigabit Ethernet Switch Module for HP (check the list of affected models here).

The vulnerability was given a score of 9.8 (higher level of risk) based on the Common Vulnerability Scoring System, which means the issue is truly bad.

The only mitigation available for users was to disable the Telnet connection to the switch devices in favor of SSH, but now since the company has patched the issue, administrators are strongly advised to install the patch as soon as possible.

Read more…