Full Report
Jordan Drysdale// tl;dr Both Cisco and Nessus have escalated the Smart Install Client Service feature/vulnerability. Nessus is now reporting the Smart Install RCE as critical. High five!!! Cisco has also […] The post Cisco Smart Install Escalation and Update! appeared first on Black Hills Information Security, Inc..
Analysis Summary
As a vulnerability research specialist, here is the summary of the Cisco Smart Install vulnerability information provided:
# Vulnerability: Cisco Smart Install Escalation and Update
## CVE Details
* **CVE ID:** Not explicitly detailed in the provided text for a single CVE, but the discussion points to multiple associated bugs/vulnerabilities escalated by Cisco and Nessus, including a Smart Install Remote Code Execution (RCE).
* **CVSS Score:** Nessus is reporting the Smart Install RCE as **Critical**.
* **CWE:** Not specified.
## Affected Systems
* **Products:** Cisco devices utilizing the **Smart Install Client Service** feature.
* **Versions:** Specific vulnerable versions are not listed, but the context implies various IOS/firmware versions running this service.
* **Configurations:** Systems where the Smart Install Client Service is enabled and exposed.
## Vulnerability Description
The vulnerability relates to the Cisco Smart Install (SMI) Client Service, which has been escalated in severity by both the vendor (Cisco) and vulnerability scanners (Nessus). The core issue appears to be an exploitable Remote Code Execution (RCE) vulnerability associated with this service. Cisco has packaged fixes for this and other associated bugs into updates.
## Exploitation
* **Status:** Nessus is reporting this as an RCE, suggesting a proof-of-concept or active exploitation scenario is highly likely or confirmed by scanners. The article implies the functionality is known to be dangerous.
* **Complexity:** Implied to be accessible if the service is active. RCE vulnerabilities are generally considered high risk.
* **Attack Vector:** Likely **Network** access is sufficient to target susceptible devices running the SMI service improperly configured or left exposed.
## Impact
* **Confidentiality:** Likely High (due to RCE possibility).
* **Integrity:** Likely High (due to RCE/ability to modify system state).
* **Availability:** Likely High (due to RCE/potential to disrupt service).
## Remediation
### Patches
* Patches and updated firmware/IOS are available from Cisco.
* **Requirement Note:** Access to download updated software/firmware/IOS requires an **active SmartNet or equivalent support contract**.
* The advisory referenced for reference is: `https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2`
### Workarounds
* The best practice configuration recommendation cited suggests that the service should **not be left "lying around,"** implying that disabling or removing the service is the recommended mitigation if patching is not immediately possible.
## Detection
* **Indicators of Compromise:** Not explicitly detailed, but successful exploitation via RCE would likely involve unauthorized command execution or configuration changes.
* **Detection Methods and Tools:** Vulnerability scanners like **Nessus** are actively flagging this as critical, indicating checks exist for this specific service exposure.
## References
* Cisco Security Advisory: `https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2`
* Bug Reference: `https://quickview.cloudapps.cisco.com/quickview/bug/CSCvd36820`