04-04-2018 10:37 PM - edited 03-20-2019 10:02 PM
I don't get it, does turning off vstack with
no vstack
prevent this vulnerability?
Solved! Go to Solution.
04-04-2018 11:57 PM
I can hereby confirm that, disabling vstack will prevent this vulnerability.
Before disabling vstack:
X@X:/mnt/c/Python$ python vstack.py -t 172.26.23.250 [*] Connecting to Smart Install Client 172.26.23.250 port 4786 [*] Send a malicious packet
After this switch crashes and reloads.
Then i use no vstack and try again:
X@X:/mnt/c/Python$ python vstack.py -t 172.26.23.250 [*] Connecting to Smart Install Client 172.26.23.250 port 4786 Traceback (most recent call last): File "vstack.py", line 32, in <module> con.connect((options.target, options.port)) File "/usr/lib/python2.7/socket.py", line 224, in meth return getattr(self._sock,name)(*args) socket.error: [Errno 111] Connection refused
We've implemented no vstack on 3000 switches, since we do not use Smart Install.
04-04-2018 11:57 PM
I can hereby confirm that, disabling vstack will prevent this vulnerability.
Before disabling vstack:
X@X:/mnt/c/Python$ python vstack.py -t 172.26.23.250 [*] Connecting to Smart Install Client 172.26.23.250 port 4786 [*] Send a malicious packet
After this switch crashes and reloads.
Then i use no vstack and try again:
X@X:/mnt/c/Python$ python vstack.py -t 172.26.23.250 [*] Connecting to Smart Install Client 172.26.23.250 port 4786 Traceback (most recent call last): File "vstack.py", line 32, in <module> con.connect((options.target, options.port)) File "/usr/lib/python2.7/socket.py", line 224, in meth return getattr(self._sock,name)(*args) socket.error: [Errno 111] Connection refused
We've implemented no vstack on 3000 switches, since we do not use Smart Install.
04-05-2018 01:28 PM
04-05-2018 10:32 PM - edited 04-05-2018 10:33 PM
This is exactly why i posted this in the first place. I couldn't find any information whether or not the no vstack would help anything. So i asked here and then tested it myself, because i'm impatient. :-)
03-20-2019 11:15 AM
Thank You for the info on "No Vstack". I'll check it out now.
04-06-2018 08:24 PM
First of all, the command "no vstack" disabled VStack.
Next, the information found in the Security Advisories (Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability & Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability) are more updated than the Bug IDs. Once the Bug IDs get published it is rarely (or never) updated. The only bit gets updated is the number of Support Cases "attached" to each Bug IDs.
I found discrepancy even in the Security Advisories (under Exploitation and Public Announcements) where it is stated that "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
However, Cisco's own Talos Intelligence has published in a blog, entitled "Critical Infrastructure at Risk: Advanced Actors Target Smart Install Client" and states that:
Cisco has recently become aware of specific advanced actors targeting Cisco switches by leveraging a protocol misuse issue in the Cisco Smart Install Client. Several incidents in multiple countries, including some specifically targeting critical infrastructure, have involved the misuse of the Smart Install protocol.
04-07-2018 02:49 AM
Yeah i can see the advisory was updated yesterday the 6th of April 2018 to include the possibility to disable Smart Install. I read the Talos Intelligence blog and it's true they recommended turning off Smart Install if not used. I still just don't understand, why the simple information wasn't posted on the advisory in the first place. I'm happy it's updated though. :-)
04-09-2018 03:36 PM - edited 04-09-2018 06:37 PM
News have started hitting (as of 09 April 2018) that some countries have been hit. It is still speculation as to what exploit was used but some media outlets are pointing at the Smart Install as the possible vector used.
Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature
04-09-2018 10:34 PM
True, news are spreading and it looks like the vulnerability is being widely used. The Hacker News got a great article also:
https://thehackernews.com/2018/04/hacking-cisco-smart-install.html
This is also why we choose to disable Smart Install as fast as possible.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide