Email
Password
Remember meForgot password?
    Log in with Twitter

article image'Critical' flaw in 300 Cisco switches lets the CIA take control

By James Walker     Mar 20, 2017 in Technology
Networking equipment vendor Cisco has announced a "critical" vulnerability in over 300 of its most popular products. The vulnerability was found in documents stolen from the CIA and published by WikiLeaks two weeks ago. It allows remote code execution.
In an advisory published late last week, Cisco warned there "are no workarounds" to restrict the impact of the flaw. In total, 318 Cisco network switches running its IOS software are known to be affected. They are the latest set of devices which the CIA could be actively using to gain control of IT systems.
The flaw was discovered by Cisco researchers inspecting the documents leaked by WikiLeaks. Beyond the technical issues, the find has serious implications as WikiLeaks had previously said the cache contained no working code. According to Cisco, the problem with the switches could be exploited with a few simplistic commands. The company is scrambling to release a patch but there's currently no word on when it will be available.
The flaw lies in Cisco's Cluster Management Protocol (CMP), a protocol built atop Telnet that is used to send commands across internal networks. CMP doesn't properly restrict Telnet's scope, enabling it to reach out of the local network and into the host device. The result is the attacker could gain control of the switch, causing it to reboot or run specified code. This could be used as an entrypoint to a much larger network attack.
READ MORE: Fog computing could be the next big step forward in powerful technology
"An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections," said Cisco. "An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device."
Since Cisco's products are world-renowned and used by major companies and organisations, the potential impact of a large attack could be enormous. Cisco hasn't said whether it's aware of any successful in-the-wild exploits.
The majority of affected devices are products in the company's Cisco Catalyst range of switches. The list also includes network switches manufactured for companies including Dell and HP, Industrial Ethernet Switches and network Supervisor Engines.
Cisco's announcement is one of the first from a tech company in the wake of WikiLeaks' "Vault7" document dump on the CIA's elite offensive cyberattack unit. The details on the Cisco switches were reportedly found inside a file made available to CIA workers that detailed vulnerabilities and exploit techniques for Apple, Cisco, Microsoft and Samsung products.
Cisco said the only way to prevent hackers exploiting the flaw is to blacklist the Telnet protocol for incoming connections. This isn't a full workaround as it requires network-level intervention and in many cases won't be possible for the customer. The company said software updates will be made available for all affected products through its usual distribution channels. There is no word on when the patches will be made available.
More about Cisco, Cybersecurity, Privacy, Cia, Wikileaks