Full Report
Jordan Drysdale // tl;dr Cisco Smart Install is awesome (on by default)…for hackers… not sysadmins. So, you Nessus too? Criticals and highs are all that matter! Right??? Until this beauty […] The post Cisco Smart Installs and Why They’re Not “Informational” appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Vulnerability: Cisco Smart Install Misconfiguration Leading to Configuration Disclosure and Execution
## CVE Details
*Note: The article describes the impact of the Smart Install client being enabled by default and points to a Cisco Security Advisory. It does not cite a CVE for that default-on behaviour.*
- CVE ID: **Not stated in the article.** The referenced advisory, cisco-sa-20180409-smi, covers misuse of the Smart Install protocol as designed on devices left in the default client state; it is not tied to a single CVE.
- CVSS Score: **Not provided.** The capabilities the article describes (unauthenticated configuration download, configuration upload and command execution) place the exposure at the high end of any reasonable rating, whatever label a scanner attaches to the open port.
- CWE: **CWE-264 (Permissions, Privileges, and Access Controls)** is the nearest category. More precisely, the root causes are a management protocol with no peer authentication (CWE-306, Missing Authentication for Critical Function) that ships enabled by default (CWE-1188, Initialization of a Resource with an Insecure Default).
## Affected Systems
- Products: Cisco IOS and IOS XE devices that implement the Smart Install client, primarily Catalyst switches (the director role may be a switch or router).
- Versions: Any release in which the Smart Install client is enabled by default and has not been explicitly disabled. *(The summary lists no specific releases; refer to the vendor advisory in the references for release details.)*
- Configurations: Devices with the Smart Install client active, i.e. listening on TCP port 4786 and accepting any peer as its director without authentication.
## Vulnerability Description
The Cisco Smart Install (SMI) feature provides zero-touch deployment of software images and configurations from a director to client switches. The client is enabled by default on many devices and the protocol carries no authentication, so anything that can reach TCP/4786 can act as the director. An attacker can therefore:
1. Download the running configuration (the client copies it over TFTP to a server the attacker names).
2. Upload a replacement configuration and have the device load it.
3. Execute arbitrary IOS commands, since commands placed in a pushed configuration are executed when the device merges it.
The article further notes that the credentials inside a retrieved configuration are not protected: Type 7 strings are reversible (a fixed, publicly known XOR key), and Type 5 secrets (salted MD5, `$1$...`) are crackable offline. A single configuration download therefore typically yields working credentials, SNMP community strings and shared keys for the rest of the network.
## Exploitation
- Status: **PoC available** (the Smart Install Exploitation Tool, SIET, automates probing, configuration download and configuration upload).
- Complexity: **Low** (a port scan for TCP/4786 finds candidates, SIET drives the protocol, and no credentials are required).
- Attack Vector: **Network** (requires only network reachability to TCP port 4786 on the device).
## Impact
- Confidentiality: **High** (the full running configuration, including SNMP community strings, Type 7 strings and Type 5 hashes, can be exfiltrated).
- Integrity: **High** (attacker-supplied configuration and commands are applied to the device, up to full takeover).
- Availability: **High** (the same channel can push configuration that disables interfaces, erases configuration or reloads the device).
## Remediation
### Patches
- Refer to Cisco Security Advisory **cisco-sa-20180409-smi**. Note that the behaviour the article describes is the protocol working as designed on a device left in its default client state, so upgrading alone does not remove the exposure; the Smart Install client must be disabled or the port filtered.
### Workarounds
- **Disable the Smart Install client** on every device that is not actively provisioned through it.
- Command to disable: `no vstack` (save the configuration afterwards, and confirm with `show vstack config`, which should report Smart Install as disabled rather than `Role: Client (SmartInstall enabled)`).
- On releases that do not support `no vstack`, restrict TCP/4786 with an interface or infrastructure ACL that permits only the legitimate Smart Install director, if any, and denies every other source.
- Treat any device that was reachable on TCP/4786 as having had its configuration disclosed: rotate the local credentials, enable secrets, SNMP community strings and shared keys it contained.
## Detection
- Indicators of Compromise:
- Unexpected configuration changes on network devices (new local users, changed TFTP or boot settings, altered ACLs).
- Exposure indicator: TCP port **4786** listening on a device, or `show vstack config` reporting the Smart Install client as enabled.
- Detection methods and tools:
- Port scanning for the service on TCP/4786 (e.g., `nmap -p 4786 --open <range>`).
- Using SIET (`./siet.py -i [IP] -g`) to confirm that the configuration can be downloaded; this retrieves the device's configuration, so run it only against devices you are authorized to test.
- Monitoring network traffic for TCP/4786 connections from sources other than the provisioning director, and for TFTP (UDP/69) transfers initiated by switches toward hosts that are not the provisioning server.
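What a retrieved configuration gives an attacker, and how to audit one yourself, is easier to see in code. The following is an added example, not code from the BHIS post, from Cisco or from SIET: it takes a configuration such as the one SIET's `-g` mode returns (here a constructed sample with invented hostname, usernames and secrets), reverses every Type 7 string using the fixed public key, lists Type 5 hashes for offline cracking, and reports whether the configuration explicitly disables Smart Install. The `no vstack` check is a heuristic: on releases that support the command, disabling the client leaves a `no vstack` line in the running configuration, while the default (enabled) state leaves no vstack line at all.

```python
import re

# Cisco Type 7 "encryption" is a fixed-key XOR. The key below is the well-known
# public constant; possessing it is all that is needed to reverse any Type 7 string.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample of a running configuration as returned over TFTP.
# Hostname, users and secrets are invented for this example.
SAMPLE_CONFIG = """\
!
hostname access-sw-01
!
enable password 7 0822455D0A16
username netops privilege 15 password 7 094F471A1A0A
username backup secret 5 $1$abcd$QlxwXqdtHEmUjxDtBWJVc0
!
snmp-server community public RO
tacacs-server key 7 03370808145C35
line vty 0 4
 password 7 094F471A1A0A
 transport input ssh
!
end
"""

# "<something> password 7 <hex>" or "<something> key 7 <hex>"
TYPE7_RE = re.compile(r"^(?P<prefix>.*?\b(?:password|key)\s+)7\s+(?P<blob>[0-9A-Fa-f]+)\s*$")
# "secret 5 $1$salt$hash" (md5crypt); not reversible, but crackable offline
TYPE5_RE = re.compile(r"\bsecret\s+5\s+(?P<hash>\$1\$\S+)")


def type7_decode(blob: str) -> str:
    """Reverse a Type 7 string.

    The first two characters are a decimal offset (0-15) into TYPE7_KEY; every
    following hex pair is one plaintext byte XORed with the key byte at
    (offset + position).
    """
    if len(blob) < 4 or len(blob) % 2 or not blob[:2].isdigit():
        raise ValueError("malformed Type 7 string")
    offset = int(blob[:2], 10)
    data = bytes.fromhex(blob[2:])
    return "".join(chr(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]) for i, b in enumerate(data))


def type7_encode(plaintext: str, offset: int = 8) -> str:
    """Inverse of type7_decode, included to show that no secret is involved in either direction."""
    out = f"{offset:02d}"
    for i, ch in enumerate(plaintext.encode()):
        out += f"{ch ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]:02X}"
    return out


def audit_config(config: str) -> dict:
    """Walk a configuration line by line.

    Returns the decoded Type 7 secrets (with the line prefix that identifies
    where each was used), the Type 5 hashes to feed to an offline cracker, and
    whether a 'no vstack' line is present (heuristic for Smart Install disabled).
    """
    decoded, hashes = [], []
    vstack_disabled = False
    for line in config.splitlines():
        if re.match(r"^\s*no vstack\b", line):
            vstack_disabled = True
            continue
        m = TYPE7_RE.match(line)
        if m:
            decoded.append((m.group("prefix").strip(), type7_decode(m.group("blob"))))
            continue
        m = TYPE5_RE.search(line)
        if m:
            hashes.append(m.group("hash"))
    return {"type7": decoded, "type5": hashes, "smart_install_disabled": vstack_disabled}


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    for where, secret in result["type7"]:
        print(f"[type7] {where}: {secret}")
    for h in result["type5"]:
        print(f"[type5] crack offline: {h}")
    print("Smart Install explicitly disabled:", result["smart_install_disabled"])
```

Run it against a real configuration by reading the file into `audit_config`. Every Type 7 string in the sample decodes instantly; the single Type 5 hash is the only credential that costs the attacker any work, and a salted MD5 of a weak password does not cost much.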
## References
- Vendor Advisory: cisco-sa-20180409-smi (Defanged: hXXps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180409-smi)
- Smart Install Concepts: hXXps://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/concepts.html
- Exploitation Tool Example: hXXps://github.com/Sab0tag3d/SIET