ESB-2018.1122 - [Cisco] Cisco IOS and IOS XE: Multiple vulnerabilities 2018-04-12

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1122
 Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature
                               12 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS
                   Cisco IOS XE
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Denial of Service               -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0171 CVE-2018-0156 CVE-2016-6385
                   CVE-2016-1349 CVE-2013-1146 CVE-2012-0385
                   CVE-2011-3271  

Reference:         ESB-2018.0899.2
                   ESB-2016.2415
                   ESB-2016.2283
                   ESB-2016.0784
                   ESB-2013.0450
                   ESB-2012.0328

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180409-smi

- --------------------------BEGIN INCLUDED TEXT--------------------

Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature

Informational

Advisory ID:
cisco-sa-20180409-smi

First Published:
2018 April 9 00:00 GMT

Last Updated: 
2018 April 11 18:10 GMT

Version 1.2:
Final

Workarounds:
No workarounds available
 
Summary

  o In recent weeks, Cisco has published several documents related to the
    Smart Install feature: one Talos blog about potential misuse of the
    feature if left enabled, and two Cisco Security Advisories that were
    included in the March 2018 release of the Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication. Given the heightened awareness, we
    want to minimize any potential confusion about exploitation attempts and
    clarify the verification of the feature on customer devices. As such,
    Cisco has attempted to consolidate all information related to the
    mitigation of potential Smart Install misuse or exploit of related
    vulnerabilities into this single document, which also notes how to
    properly secure devices that may be exposed and remediate the disclosed
    vulnerabilities.


    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20180409-smi

Details

  o Smart Install Vulnerability History

    The following table lists the Advisories that identify the Smart Install
    feature (Client and/or Director) as being vulnerable and the extent that
    these respective vulnerabilities are being actively exploited:

    +-------------+-------------+----------------+--------+-----------+----------+
    |Advisory Name|CVE ID       |Description     |Client/ |Publication|Actively  |
    |             |             |                |Director|Date       |Exploited?|
    +-------------+-------------+----------------+--------+-----------+----------+
    |Cisco Smart  |N/A          |Widespread      |Client  |14-Feb-2017|Yes       |
    |Install      |             |scanning for    |Only    |           |          |
    |Protocol     |             |devices with the|        |           |          |
    |Misuse       |             |Smart Install   |        |           |          |
    |             |             |feature enabled |        |           |          |
    |             |             |and without     |        |           |          |
    |             |             |proper security |        |           |          |
    |             |             |controls        |        |           |          |
    +-------------+-------------+----------------+--------+-----------+----------+
    |Cisco IOS and|CVE-2018-0171|Reload, denial  |Client  |28-Mar-2018|No        |
    |IOS XE       |             |of service,     |Only    |           |          |
    |Software     |             |remote code     |        |           |          |
    |Smart Install|             |execution       |        |           |          |
    |Remote Code  |             |                |        |           |          |
    |Execution    |             |                |        |           |          |
    |Vulnerability|             |                |        |           |          |
    +-------------+-------------+----------------+--------+-----------+----------+
    |Cisco IOS and|CVE-2018-0156|Reload, denial  |Client  |28-Mar-2018|No        |
    |IOS XE       |             |of service      |Only    |           |          |
    |Software     |             |                |        |           |          |
    |Smart Install|             |                |        |           |          |
    |Denial of    |             |                |        |           |          |
    |Service      |             |                |        |           |          |
    |Vulnerability|             |                |        |           |          |
    +-------------+-------------+----------------+--------+-----------+----------+
    |Cisco IOS and|CVE-2016-6385|Memory leak,    |Client  |28-Sep-2016|No        |
    |IOS XE       |             |eventual denial |Only    |           |          |
    |Software     |             |of service      |        |           |          |
    |Smart Install|             |                |        |           |          |
    |Memory Leak  |             |                |        |           |          |
    |Vulnerability|             |                |        |           |          |
    +-------------+-------------+----------------+--------+-----------+----------+
    |Cisco IOS and|CVE-2016-1349|Denial of       |Client  |23-Mar-2016|No        |
    |IOS XE       |             |service         |Only    |           |          |
    |Software     |             |                |        |           |          |
    |Smart Install|             |                |        |           |          |
    |Denial of    |             |                |        |           |          |
    |Service      |             |                |        |           |          |
    |Vulnerability|             |                |        |           |          |
    +-------------+-------------+----------------+--------+-----------+----------+
    |Cisco IOS    |CVE-2013-1146|Denial of       |Client  |27-Mar-2013|No        |
    |Software     |             |service         |Only    |           |          |
    |Smart Install|             |                |        |           |          |
    |Denial of    |             |                |        |           |          |
    |Service      |             |                |        |           |          |
    |Vulnerability|             |                |        |           |          |
    +-------------+-------------+----------------+--------+-----------+----------+
    |Cisco IOS    |CVE-2012-0385|Malformed SMI   |Client &|28-Mar-2012|No        |
    |Software     |             |packet causes   |Director|           |          |
    |Smart Install|             |reload          |        |           |          |
    |Denial of    |             |                |        |           |          |
    |Service      |             |                |        |           |          |
    |Vulnerability|             |                |        |           |          |
    +-------------+-------------+----------------+--------+-----------+----------+
    |Cisco IOS    |CVE-2011-3271|Remote code     |Client &|28-Sep-2011|No        |
    |Software     |             |execution       |Director|           |          |
    |Smart Install|             |                |        |           |          |
    |Remote Code  |             |                |        |           |          |
    |Execution    |             |                |        |           |          |
    |Vulnerability|             |                |        |           |          |
    +-------------+-------------+----------------+--------+-----------+----------+

    Summary of Recommended Actions

    To ensure their network is protected against issues involving Smart
    Install, our recommendation for customers not actually using Smart Install
    is to disable the feature using the no vstack command once setup is
    complete. Customers who do use the feature - and need to leave it enabled
    - can use ACLs to block incoming traffic on TCP port 4786 (the proper
    security control). Additionally, patches for known security
    vulnerabilities should be applied as part of standard network security
    management.

    Identification & Mitigation Steps

    Customers concerned with potential exposure of their network devices to
    the Smart Install vulnerabilities should adhere to the following process:

     1. Software Affected?- Determine if the software version(s) in use are
        affected by the vulnerabilities described within the Smart Install
        Security Advisories.
     2. Feature Enabled? - For devices running affected software versions,
        these devices should be checked for the presence of the Smart Install
        Client feature.
     3. Mitigate Exposure by:
         1. Disabling Feature - On devices found to be running the Smart
            Install Client feature, customers should disable the feature or,
            where not applicable,
         2. Restrict Smart Install Access - Minimize the exposure of the
            feature by implementing ACLs and Control Plane Policing (CoPP).

    Smart Install Deployment Risk

    Cisco Smart Install is a legacy feature that provides zero-touch
    deployment for new switches, typically access layer switches, and
    incorporates no authentication by design. Newer technology, such as the
    Cisco Network Plug and Play feature, is highly recommended for more secure
    setup of new switches. If not properly disabled or secured following
    setup, Smart Install could allow for the exfiltration and modification of
    configuration files, among other things, even without the presence of a
    vulnerability.

    A Smart Install network consists of one Smart Install Director switch or
    router, also known as the Integrated Branch Director (IBD), and one or
    more Smart Install Client switches, also known as Integrated Branch
    Clients (IBCs).

    The Smart Install feature is enabled by default on client switches. No
    specific configuration is needed on Smart Install Client switches, whereas
    the Smart Install Director must be configured explicitly.

    Confirmation of Affected Versions of IOS and IOS XE

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker
    , that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

        Initiate a search by choosing one or more releases from a drop-down
        list or uploading a file from a local system for the tool to parse
        Enter the output of the show version command for the tool to parse
        Create a custom search by including all previously published Cisco
        Security Advisories, a specific advisory, or all advisories in the
        most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
    Cisco IOS Software or Cisco IOS XE Software release--for example, 15.1(4)M2
    or 3.13.8S--in the following field:

    [                    ] [Check]

     

    Identification of Vulnerable Devices

    Verification of Device with Smart Install Client Enabled

    The following example shows the output of the show vstack config command
    in a Cisco Catalyst switch with the Smart Install Client feature enabled.
    These are the only outputs that indicates that the Smart Install Client
    feature is enabled:

        Switch1#show vstack config | include Role
        Role: Client (SmartInstall enabled)

        switch2# show vstack config
        Capability: Client
        Oper Mode: Enabled
        Role: Client

    Verification of Device Listening on TCP Port 4786

    The following example shows the output of the show tcp brief all | include
    4786 command in a Cisco Catalyst switch that is listening on the Smart
    Install Client port (TCP 4786):

        Switch#show tcp brief all | include 4786
        FFB6D31818  0.0.0.0.4786               *.*                         LISTEN
        Switch#

    The following example shows the output of the show tcp brief all | include
    4786 command in a Cisco Catalyst switch that is listening on the Smart
    Install Client port (TCP 4786) AND has a connection to a Smart Install
    Director (IP address: 10.69.12.117):

        FFA893EA50  10.66.91.126.4786          10.69.12.117.54246          CLOSEWAIT
        FFB6D31818  0.0.0.0.4786               *.*                         LISTEN
        Switch#

    Please note that this method cannot distinguish between a device running
    as a Smart Install Client and a device running as a Smart Install
    Director. As such, the show vstack config command is preferred whenever
    possible.

    Disabling Smart Install

    Issue "no vstack" Command

    Upon successful deployment of Cisco Switches, administrators should either
    utilize Smart Install or immediately disable the Smart Install Client
    feature if Smart Install is not used, as the feature will no longer be
    required for operation. The Smart Install feature can be disabled with the
    no vstack command.

    Restrict Smart Install Access

    "no vstack" Command Not Available or Smart Install Used for More Than
    Zero-Touch Deployment

    For networks where the no vstack command is not available or where Smart
    Install is used for more than just zero-touch deployment, customers should
    ensure that only the IBD has TCP connectivity to all IBCs on port 4786.
    Administrators can use the following security best practices for Cisco
    Smart Install deployments on affected devices:


        Interface access control lists (ACLs)
        Control Plane Policing (CoPP)

    An interface ACL might look like the following example, with the IP
    address of the Smart Install Director (IBD) being 10.10.10.1 and the IP
    address of the Smart Install Client (IBC) being 10.10.10.200:

            ip access-list extended SMI_HARDENING_LIST
              permit tcp host 10.10.10.1 host 10.10.10.200 eq 4786
              deny tcp any any eq 4786
              permit ip any any

    This ACL would then need to be deployed on all IP interfaces on all IBCs.
    It can be pushed via the IBD when the switches are first deployed.

    Additional Support

    Customers who require support to determine if the feature is still enabled
    or suspect their devices are being potentially exploited should contact
    their support team (Advanced Services, TAC, etc.) and provide additional
    details as requested by Cisco.

    References

    Security Advisories

    Cisco IOS Software Smart Install Remote Code Execution Vulnerability

    Cisco IOS Software Smart Install Denial of Service Vulnerability

    Cisco IOS Software Smart Install Denial of Service Vulnerability

    Cisco IOS and IOS XE Software Smart Install Denial of Service
    Vulnerability

    Cisco IOS and IOS XE Software Smart Install Memory Leak Vulnerability

    Cisco Smart Install Protocol Misuse (First Published 14-Feb-2017)

    Cisco IOS and IOS XE Software Smart Install Denial of Service
    Vulnerability (First Published 28-Mar-2018)

    Cisco IOS and IOS XE Software Smart Install Remote Code Execution
    Vulnerability (First Published 28-Mar-2018) 

    Blog Posts

    Cisco Blog Post, "Cisco PSIRT - Mitigating and Detecting Potential Abuse
    of Cisco Smart Install Feature" (published 27-Feb-2017)

    Cisco Talos Blog Post, "Cisco Coverage for Smart Install Client Protocol
    Abuse" (published 27-Feb-2017)

    Cisco Talos Blog Post, "Critical Infrastructure at Risk: Advanced Actors
    Target Smart Install Client" (published 5-Apr-2018) 

    Tools & Additional References

    Cisco IOS Software Checker

    TALOS Smart Install Detection Tool

    Smart Install Configuration Guide

    Appendix--Smart Install Feature Caveats

    Auto-Disable Smart Install

    In software releases that incorporate the changes from Cisco Bug ID
    CSCvd36820, Cisco Smart Install Client feature should auto-disable after
    boot as soon as the switch detects that zero-touch deployment is not being
    used.

    Support of "no vstack" Command

    Use of the no vstack global configuration command to disable the Smart
    Install Client feature was introduced with the fix for Cisco defect
    CSCtj75729 (Ability to shut Smart Install default service on TCP port
    4786). If a Cisco IOS or IOS XE Software release supports the Smart
    Install Client feature but the no vstack command does not exist, the
    release does not contain the fix for Cisco defect CSCtj75729.

    "no vstack" Command Does Not Persist Across Reload

    Note: The no vstack command does not persist across reload due to Cisco
    defect CSCvd99197 in the following releases of Cisco IOS and IOS XE
    Software:
        Cisco Catalyst 4500 and 4500-X Series Switches: 3.9.2E/15.2(5)E2
        Cisco Catalyst 6500 Series Switches: 15.1(2)SY11, 15.2(1)SY5, 15.2(2)
        SY3
        Cisco Industrial Ethernet 4000 Series Switches: 15.2(5)E2, 15.2(5)E2a
        Cisco ME 3400 and ME 3400E Series Ethernet Access Switches: 12.2(60)
        EZ11
    For customers running any of these releases, Cisco recommends upgrading or
    downgrading to a nonaffected release or putting automation in place to
    reconfigure the no vstack command after every reload of the device.

    Existing Smart Install (SMI) Processes

    The no vstack command does not kill any running SMI processes, but it will
    prevent any new requests. When no vstack is entered, while previously the
    client had received an SMI request to perform an action, that process will
    continue running until completion or failure. Committing no vstack to
    memory and reloading should remove these messages. This is addressed as
    part of the fix for CSCvd36820.

    Additional Smart Install Information

        The Cisco Smart Install client must send alerts to the local console
        periodically. This was added to provide awareness to customers that
        the feature is enabled. This was done via CSCvd36810.
        Make show vstack config nomenclature consistent. Prior to this fix,
        the output for the role information was slightly different and caused
        some confusion. Fixes were done via CSCvd35782.
        Make Smart Install Configuration visible in the configuration. By
        default, SMI never used to show vstack in show running or show running
        all config. Cisco added this so that if it is enabled, vstack will be
        present in the running configuration. This was done via CSCvd36799.
        The Smart Install feature was removed in more recent releases, in
        particular from 16.4.2, 16.5.1b, 16.6.2, 16.7.1, and later. This was
        done via CSCvf04861 and CSCvg90005.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20180409-smi

Revision History

    +---------+-------------------------------+---------+--------+---------------+
    | Version |          Description          | Section | Status |     Date      |
    +---------+-------------------------------+---------+--------+---------------+
    | 1.2     | Added appendix to list of     | Details | Final  | 2018-April-11 |
    |         | references.                   |         |        |               |
    +---------+-------------------------------+---------+--------+---------------+
    |         | Updated links, formatting,    |         |        |               |
    | 1.1     | and text in table; updated    | Details | Final  | 2018-April-10 |
    |         | text and formatting of code   |         |        |               |
    |         | examples.                     |         |        |               |
    +---------+-------------------------------+---------+--------+---------------+
    | 1.0     | Initial public release.       | --      | Final  | 2018-April-09 |
    +---------+-------------------------------+---------+--------+---------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWs66NIx+lLeg9Ub1AQhPGA//RLIT7BpAKfBME/anJ7SHXIjA9gJqIpk9
PIGZxj6bv8kDaScklsH3IGwVmEGuKQ9AKQac7r5Ni/O9jrIdiLebgzPjYHHK18/T
c9fC2mTB0qR3/rF3zG0v2GhHcP9sHQgXLpqh62vAsVfW0QpaUUCAMAhhhhsGS+Aa
Ds8UfNpzaczYWO2Kf85IIeNY8hrAAzTNOoppfFJ3auf4YtoJIArQat73vIhr623N
xDG9KNUadCJDWDkhDIyjxxJveA1BMzS3enO5X9aj80LiJZcmYlxyQ5EbfVrgaR2X
xhnKcr1SAk3MMHg5DyQb4pkk5TE8u6WAGRPPhZtP1ImvbABYtEv8cxT0YmOtJOI4
uArMi0ERhKgJTCpR8bbmV03wh/d6pRj3Vq2AYqom7LafMjxd161YnbQQMNdUQObZ
8mAVwfcClJ5Yb7iZuyTy9BIqrQoq9mkn7cpoudDWmqGpkZKB3ib+BNfuUS4kacSO
AfIJS1crNJv4d93oedkRiTkA/RrJHj1/Bg2vRlu8xyZeSi3w+I9QBNRYuHGBuUXa
ZmjJbhMAF5K99mzOBX10BLeSNaJaWkaZ9xXqm7rvTCyZQQYHg3uuI4n1ua0fgPZR
ExDklWQIsJO8YCmGmn2T0CDimVZQuH9Dpo+G3VccJIBh7T8+VNAAjEXTRa9ALQta
+bVlHp+d9wo=
=RKVw
-----END PGP SIGNATURE-----

« Back to bulletins