CISCO’S TALOS INTELLIGENCE GROUP has admitted to finding a “protocol misuse” issue in the firm’s Smart Install Client, which attackers are exploiting to gain entry to critical infrastructure providers.
The researchers said the attackers in question are linked to Russian government nation-state hackers, a group which security firm Symantec refers to as “Dragonfly”.
The group has apparently already launched a variety of attacks on US agencies and organisations in the aviation, critical manufacturing, energy, nuclear and water sectors.
Cisco said the bug found in its Smart Install Client, a tool used for deploying new switches, arrived just a week after it released a patch for a critical remote code execution flaw affecting the software.
The alert concerns an advisory Cisco issued in February 2017 after discovering a surge in internet scans for Smart Install instances that had been set up without proper security controls.
“The Cisco Smart Install protocol can be abused to modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands,” said Talos researcher Nick Biasini in a company post on Thursday.
“Although this is not a vulnerability in the classic sense, the misuse of this protocol is an attack vector that should be mitigated immediately. Throughout the end of 2017 and early 2018, Talos has observed attackers trying to scan clients using this vulnerability.
“Recent information has increased the urgency of this issue.”
Despite there not being proof that this attack vector has yet been exploited, the Cisco security researcher advised Cisco customers to apply last week’s Smart Install security update as a precaution against the vulnerability.
“While we have only observed attacks leveraging the protocol misuse issue, recently another vulnerability in the Cisco Smart Install Client was disclosed and patched,” he added. “This vulnerability has been discussed publicly, and proof-of-concept code has been released. While mitigating the protocol misuse issue, customers should also address this vulnerability.”
Martin Jartelius, CSO at security company Outpost24, advised Cisco customers to remove any switches they are not using to help mitigation against such attacks in future.
“Not a single of these breaches would have been possible if even basic hardening had been applied to the devices, or a vulnerability management program had been in place to detect exposed services,” he said.
“In this case, simply turning of this service will mitigate this risk, but without a process to do this for any unused or unnecessary service, soon there is a next mitigation, and a next, and a next. You can only win this battle by preventive measures.” µ
Save this article