04-17-2018 08:33 AM - edited 03-08-2019 02:41 PM
Hi,
I have only just got up to speed with an exploit regarding Smart Install. It's something I have never used, so I'm not fully aware of how it works; however, if your device doesn't have an IP but is present on the internet, how can this be exploited? Let's say we have a Cisco 3850, with no Layer 3 IP addresses, purely L2 VLANs, no management, no SVI, only console access. It has Smart Install switched on (by default). I'm presuming this cannot be exploited? Some clarification would be appreciated.
Lee.
04-17-2018 08:53 AM
- It could always be exploited, let alone from the local VLANs it would be serving (e.g.); better is to have a complete and managed switch setup, which will also let you enable good security practices such as ACLs for logon and SNMP access. Keeping it dark on the network will also keep you dark if some threat is launched against it (be it Layer 2 only).
M.
04-17-2018 08:59 AM
Hi,
Thanks for the reply. My initial message is an example setup for me to understand how Smart Install works and thus how it can be exploited without any internet L3 presence, from a machine or device in another country. My initial view is that if I have a 3850 switch with 1 VLAN (not VLAN 1) with a router and firewall deployed in the traditional sense, even with Smart Install switched on, it cannot be exploited using the SMI protocol... or can it...
Lee.
04-17-2018 03:30 PM - edited 04-20-2018 07:09 PM
Smart Install is enabled by default. When a switch is fresh from the factory, Smart Install is already enabled. It is enabled because it was meant to help network engineers build up switch(es) fast (as in very, very fast).
Smart Install support started with IOS versions from 12.2(55)SE until the latest. For IOS-XE, it starts from 3.X.X and extends all the way up to 16.X.X.
The only way to disable Smart Install is to use the command "no vstack" (switches) or "no vstack config" (routers).
NOTE: Not all routers support Smart Install.
Regardless whether the router or switch can act as a Director or as a Client, if no one is using Smart Install, DISABLE IT.
WARNING: Please see further response to this exploit below.
04-17-2018 08:58 PM
I must have told about 4 of my customers exactly the same thing.
04-18-2018 01:02 AM
04-18-2018 01:30 AM
@Lee Smitherman wrote:
just a firewall and router in that VLAN and Smart Install is on. I'm trying to understand the process of how a hacker can exploit this when there is no Layer 3 to exploit...
Hacker jumps into your router. The router is the centre of it all because not only does the router support Smart Install but the router can only be the Director. The switch can then become the Client.
The router becomes the Director and a configuration file is transferred to the router. Smart Install is configured on the router, instructing the switch to pull the config from the router. The switch is then forced to reboot. Done.
04-20-2018 07:07 PM
(Switch models as old as 2940/2950/2955, 3550 and EARLIER are not covered by this response. I am not yet sure how the new Catalyst 9K behaves.)
I got some good news and some bad news.
The GOOD news
The list of routers & switches that support Smart Install can be found HERE. What is missing in the list are the 3650/3850 and 4500/6500 Supervisor cards. This list is important.
IF you have appliances found in this list, this means the only way to disable Smart Install is to use the command "no vstack" or "no vstack config".
The BAD news (a really bad one)
If you have appliances (routers &/or Catalyst switches) not in this list, the ACL must be applied. Emphasis on the word "must".
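As an added illustration of the two mitigations this post describes (the `no vstack` command where the platform accepts it, and an ACL where it does not), the following IOS configuration fragment is my own example and is not taken from the thread or from the Cisco list it links to. The port number, 4786/TCP, is the port the Smart Install director and client communicate on as documented in Cisco's Smart Install security advisory; the ACL name, the interface name `Vlan10` and the director address `192.0.2.10` are placeholders I have chosen.

```cisco
! 1. Check whether Smart Install is active before changing anything.
!    A client role reported as enabled, or any "vstack" line in the
!    running config, means the service is listening.
show vstack config
show running-config | include vstack

! 2. Platforms that accept the command: disable the feature outright.
configure terminal
 no vstack
end
write memory

! 3. Platforms where "no vstack" is rejected or absent: block the
!    Smart Install port at every Layer 3 ingress point instead.
configure terminal
 ip access-list extended SMI_HARDENING_LIST
  ! placeholder director address; omit this line if no director is in use
  permit tcp host 192.0.2.10 any eq 4786
  deny   tcp any any eq 4786
  permit ip any any
 exit
 ! apply inbound on each routed interface or SVI facing untrusted segments
 interface Vlan10
  ip access-group SMI_HARDENING_LIST in
 exit
end
write memory

! 4. Verify. After step 2 the client should report as disabled; after
!    step 3 the deny line accumulates match counters when probed.
show vstack config
show access-lists SMI_HARDENING_LIST
```

Note that the ACL path only protects interfaces that route traffic; in the purely Layer 2 deployment described at the top of the thread there is no SVI to attach it to, which is one reason the `no vstack` route is the one to prefer wherever the platform accepts it.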
06-18-2019 07:53 AM
Is this for sure true with the 3650 & 3850? They are later platforms, yet they don't appear to be in the list, but they are definitely running the versions of IOS XE that are supposed to be compatible. Still, the command doesn't appear to work on them, and when I do a sh run | i vstack the output is nothing. I do not want to add ACLs to every VLAN interface for those switches.
06-19-2019 01:16 AM