CSCvg76186 - Cisco Smart Install Remote Code Execution and Denial of Service Vulnerability

Cown
Level 1

I don't get it, does turning off vstack with

no vstack

prevent this vulnerability?

Cisco DEVNET 500 Certified.
Accepted Solutions

Cown
Level 1

I can hereby confirm that disabling vstack will prevent this vulnerability.

Before disabling vstack:

X@X:/mnt/c/Python$ python vstack.py -t 172.26.23.250
[*] Connecting to Smart Install Client  172.26.23.250 port 4786
[*] Send a malicious packet

After this the switch crashes and reloads.

Then I use no vstack and try again:

X@X:/mnt/c/Python$ python vstack.py -t 172.26.23.250
[*] Connecting to Smart Install Client  172.26.23.250 port 4786
Traceback (most recent call last):
  File "vstack.py", line 32, in <module>
    con.connect((options.target, options.port))
  File "/usr/lib/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 111] Connection refused

We've implemented no vstack on 3000 switches, since we do not use Smart Install. 

Cisco DEVNET 500 Certified.
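
To verify the same result across a fleet after applying no vstack, here is an added example that is not part of the original thread or of the vstack.py script shown above. It only attempts a TCP connection to port 4786 and sends no data, classifying each switch by the "Connection refused" signal seen in the output above; the function names and the host list read from standard input are assumptions.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

SMI_PORT = 4786  # Smart Install client port, as shown in the output above


def smi_port_state(host, port=SMI_PORT, timeout=3.0):
    """Return 'open', 'closed' (refused) or 'filtered' (no usable answer)."""
    try:
        # Complete the TCP handshake and close again; no payload is sent.
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # RST received: the result seen above once "no vstack" is configured.
        return "closed"
    except OSError:
        # Timeout, unreachable or unresolvable host: an ACL may be dropping
        # the traffic or the device is down, so this does not prove the
        # feature is disabled.
        return "filtered"


def audit(hosts, port=SMI_PORT, timeout=3.0, workers=32):
    """Check many switches in parallel and return {host: state}."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda h: smi_port_state(h, port, timeout), hosts)
        return dict(zip(hosts, states))


def still_listening(results):
    """Hosts where Smart Install still accepts connections."""
    return sorted(h for h, state in results.items() if state == "open")


if __name__ == "__main__":
    # One management address per line on stdin (hypothetical inventory).
    inventory = [line.strip() for line in sys.stdin if line.strip()]
    results = audit(inventory)
    for host in inventory:
        print(host, results[host])
    # Non-zero exit status if any switch still needs "no vstack".
    sys.exit(1 if still_listening(results) else 0)
```

A "filtered" result should be followed up on the device itself, since only "closed" matches the behaviour confirmed in the post above.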


So if "no vstack" is a workaround, why doesn't Cisco list this on the Bug ID page?

This is exactly why I posted this in the first place. I couldn't find any information on whether or not the no vstack would help anything. So I asked here and then tested it myself, because I'm impatient. :-)

Cisco DEVNET 500 Certified.

Thank you for the info on "No Vstack". I'll check it out now.

Leo Laohoo
Hall of Fame

First of all, the command "no vstack" disabled VStack. 

Next, the information found in the Security Advisories (Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability & Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability) is more up to date than the Bug IDs. Once the Bug IDs get published, they are rarely (or never) updated. The only bit that gets updated is the number of Support Cases "attached" to each Bug ID.

I found a discrepancy even in the Security Advisories (under Exploitation and Public Announcements) where it is stated that "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."

However, Cisco's own Talos Intelligence has published a blog post entitled "Critical Infrastructure at Risk: Advanced Actors Target Smart Install Client", which states that:

Cisco has recently become aware of specific advanced actors targeting Cisco switches by leveraging a protocol misuse issue in the Cisco Smart Install Client. Several incidents in multiple countries, including some specifically targeting critical infrastructure, have involved the misuse of the Smart Install protocol. 

Yeah, I can see the advisory was updated yesterday, the 6th of April 2018, to include the possibility to disable Smart Install. I read the Talos Intelligence blog and it's true they recommended turning off Smart Install if not used. I still just don't understand why the simple information wasn't posted on the advisory in the first place. I'm happy it's updated though. :-)

Cisco DEVNET 500 Certified.

News has started hitting (as of 09 April 2018) that some countries have been hit. It is still speculation as to what exploit was used, but some media outlets are pointing at Smart Install as the possible vector used.

Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature

True, news is spreading and it looks like the vulnerability is being widely used. The Hacker News has a great article also:

https://thehackernews.com/2018/04/hacking-cisco-smart-install.html


This is also why we choose to disable Smart Install as fast as possible. 

Cisco DEVNET 500 Certified.