cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

CSCvg76186 - Cisco Smart Install Remote Code Execution and Denial of Service Vulnerability

Cown
Beginner
Beginner

I don't get it, does turning off vstack with

no vstack

prevent this vulnerability?

Cisco DEVNET 500 Certified.
1 ACCEPTED SOLUTION

Accepted Solutions

Cown
Beginner
Beginner

I can hereby confirm that, disabling vstack will prevent this vulnerability. 

 

Before disabling vstack:

X@X:/mnt/c/Python$ python vstack.py -t 172.26.23.250
[*] Connecting to Smart Install Client  172.26.23.250 port 4786
[*] Send a malicious packet

After this switch crashes and reloads.

 

Then i use no vstack and try again:

X@X:/mnt/c/Python$ python vstack.py -t 172.26.23.250
[*] Connecting to Smart Install Client  172.26.23.250 port 4786
Traceback (most recent call last):
  File "vstack.py", line 32, in <module>
    con.connect((options.target, options.port))
  File "/usr/lib/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 111] Connection refused

We've implemented no vstack on 3000 switches, since we do not use Smart Install. 

Cisco DEVNET 500 Certified.

View solution in original post

8 REPLIES 8

Cown
Beginner
Beginner

I can hereby confirm that, disabling vstack will prevent this vulnerability. 

 

Before disabling vstack:

X@X:/mnt/c/Python$ python vstack.py -t 172.26.23.250
[*] Connecting to Smart Install Client  172.26.23.250 port 4786
[*] Send a malicious packet

After this switch crashes and reloads.

 

Then i use no vstack and try again:

X@X:/mnt/c/Python$ python vstack.py -t 172.26.23.250
[*] Connecting to Smart Install Client  172.26.23.250 port 4786
Traceback (most recent call last):
  File "vstack.py", line 32, in <module>
    con.connect((options.target, options.port))
  File "/usr/lib/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 111] Connection refused

We've implemented no vstack on 3000 switches, since we do not use Smart Install. 

Cisco DEVNET 500 Certified.

so if "no vstack" is a workarround, why doesnt cisco list this on the bugid page?

This is exactly why i posted this in the first place. I couldn't find any information whether or not the no vstack would help anything. So i asked here and then tested it myself, because i'm impatient. :-)

Cisco DEVNET 500 Certified.

Thank You for the info on "No Vstack".    I'll check it out now.

Leo Laohoo
VIP Community Legend VIP Community Legend
VIP Community Legend

First of all, the command "no vstack" disabled VStack. 

Next, the information found in the Security Advisories (Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability & Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability) are more updated than the Bug IDs.  Once the Bug IDs get published it is rarely (or never) updated.  The only bit gets updated is the number of Support Cases "attached" to each Bug IDs.  

I found discrepancy even in the Security Advisories (under Exploitation and Public Announcements) where it is stated that "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."

However, Cisco's own Talos Intelligence has published in a blog, entitled "Critical Infrastructure at Risk: Advanced Actors Target Smart Install Client" and states that:  

Cisco has recently become aware of specific advanced actors targeting Cisco switches by leveraging a protocol misuse issue in the Cisco Smart Install Client. Several incidents in multiple countries, including some specifically targeting critical infrastructure, have involved the misuse of the Smart Install protocol. 

Yeah i can see the advisory was updated yesterday the 6th of April 2018 to include the possibility to disable Smart Install. I read the Talos Intelligence blog and it's true they recommended turning off Smart Install if not used. I still just don't understand, why the simple information wasn't posted on the advisory in the first place. I'm happy it's updated though. :-)

Cisco DEVNET 500 Certified.

Leo Laohoo
VIP Community Legend VIP Community Legend
VIP Community Legend

News have started hitting (as of 09 April 2018) that some countries have been hit. It is still speculation as to what exploit was used but some media outlets are pointing at the Smart Install as the possible vector used.

Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature

True, news are spreading and it looks like the vulnerability is being widely used. The Hacker News got a great article also:

 

https://thehackernews.com/2018/04/hacking-cisco-smart-install.html

 

This is also why we choose to disable Smart Install as fast as possible. 

Cisco DEVNET 500 Certified.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: