Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1230
Views
5
Helpful
9
Replies

Cisco Smart Install Exploit

Lee Smitherman
Level 1
Level 1

‎04-17-2018 08:33 AM - edited ‎03-08-2019 02:41 PM

Hi,

 

I have only just got up to speed with an exploit regarding smart install.  Its something I have never used so not fully aware of how it works, however  if your device doesn't have an IP but its present on the internet, how can this be exploited?  Lets say we have a Cisco 3850,  with no Layer 3 IP addresses,  purely l2 vlans, no management, no SVI, only console access.  It has Smart install switched on(by default), I`m presuming this cannot be exploited?  Some clarification would be appreciated.

 

Lee.

 

Labels:
0 Helpful
9 Replies 9

marce1000
VIP
VIP

‎04-17-2018 08:53 AM

 

 - It could always be exploited , let alone from the local vlans it would be serving (e.g.) ; better is to have a complete and managed switch-setup which will also let you enable good security practices such as acl's for logon and snmp access. Keeping it dark on the network, will also keep you dark, if some threat is launched agains it (be it layer2 only).

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

Lee Smitherman
Level 1
Level 1
In response to marce1000

‎04-17-2018 08:59 AM

Hi,

 

thanks for the reply,  my initial message is an example setup for me to understand how the Smart Install works and thus how it can be exploited without any internet L3 presence, from a machine or device in another country.  My initial view is if I have a 3850 switch with 1 vlan(not van1) with a Router and Firewall deployed in the traditional sense,  even with Smart Install switched on, it cannot be exploited using the SMI Protocol..... or can it...

 

Lee.

 

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame

‎04-17-2018 03:30 PM - edited ‎04-20-2018 07:09 PM

Smart Install is enabled by default. When a switch is fresh from the factory, Smart Install is already enabled. It is enabled because it was meant to help network engineers build up switch(es) fast (as in very, very fast).
Smart Install supported started with IOS versions from 12.2(55)SE until the latest. For IOS-XE, it starts from 3.X.X and extends all the way up to 16.X.X.
The only way to disable Smart Install is to use the command "no vstack" (switches) or "no vstack config" (routers).
NOTE: Not all routers support Smart Install.
Regardless whether the router or switch can act as a Director or as a Client, if no one is using Smart Install, DISABLE IT.
WARNING:  Please see further response to this exploit below.  

Dennis Mink
VIP Alumni
VIP Alumni
In response to Leo Laohoo

‎04-17-2018 08:58 PM

I must have told about 4 of my customers exactly the same thing.

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful

Lee Smitherman
Level 1
Level 1
In response to Dennis Mink

‎04-18-2018 01:02 AM

Thanks all, I do understand, and have disabled it across our switch estate. I like to understand these issues rather than just following advice blindly. Im trying to understand the scope of the issue. If my switch only has one vlan on the internet, no SVI, just a firewall and router in that vlan and smart install is on. I`m trying to understand the process of how a hacker can exploit this when there is no layer 3 to exploit...
0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame
In response to Lee Smitherman

‎04-18-2018 01:30 AM

@Lee Smitherman wrote:
just a firewall and router in that vlan and smart install is on. I`m trying to understand the process of how a hacker can exploit this when there is no layer 3 to exploit...

Hacker jumps into your router.  The router is the centre of it all because not only does the router support Smart Install but the router can only be the Director.  The switch can then become the Client.  

The router becomes the Director and a configuration file is transfered to the router.  Smart Install configured on the router instructing the switch to pull the config from the router.  The switch is then forced to reboot.  Done. 

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame

‎04-20-2018 07:07 PM

(Switch models as old as 2940/2950/2955, 3550 and EARLIER are not covered by this response.  I am not yet sure how the new Catalyst 9K behaves.)

I got some good news and some bad news.  

The GOOD news

The list of routers & switches that support Smart Install can be found HERE.  What is missing in the list are the 3650/3850 and 4500/6500 Supervisor cards.  This list is important.  

IF you have appliances found in this list, this means the only way to disable Smart Install is to use the command "no vstack" or "no vstack config".  

The BAD news (a really bad one)

If you have appliances (routers &/or Catalyst switches) not in this list, the ACL must be applied.  Emphasis on the word "must".

0 Helpful

scc_cisco
Level 1
Level 1
In response to Leo Laohoo

‎06-18-2019 07:53 AM

Is this for sure true with the 3650 & 3850?  They are later platforms yet they don't appear to be in the list but they are definitely running the versions of IOS XE that are supposed to be compatible.  Still the command doesn't appear to work on them & when I do a sh run | i vstack the output is nothing.  I do not want to add ACLs to every vlan interface for those switches.

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame
In response to scc_cisco

‎06-19-2019 01:16 AM

3650/3850 support Smart Install. I was able to try it myself.
Any IOS/IOS-XE published after June 2018 will have Smart Install permanently disabled.
If the IOS/IOS-XE was published before June 2018, the command "no vstack" will disable Smart Install.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card