-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1122
 Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature
                               12 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS
                   Cisco IOS XE
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Denial of Service               -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0171 CVE-2018-0156 CVE-2016-6385
                   CVE-2016-1349 CVE-2013-1146 CVE-2012-0385
                   CVE-2011-3271  

Reference:         ESB-2018.0899.2
                   ESB-2016.2415
                   ESB-2016.2283
                   ESB-2016.0784
                   ESB-2013.0450
                   ESB-2012.0328

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180409-smi

- --------------------------BEGIN INCLUDED TEXT--------------------

Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature

Informational

Advisory ID:
cisco-sa-20180409-smi

First Published:
2018 April 9 00:00 GMT

Last Updated: 
2018 April 11 18:10 GMT

Version 1.2:
Final

Workarounds:
No workarounds available
 
Summary

  o In recent weeks, Cisco has published several documents related to the
    Smart Install feature: one Talos blog about potential misuse of the
    feature if left enabled, and two Cisco Security Advisories that were
    included in the March 2018 release of the Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication. Given the heightened awareness, we
    want to minimize any potential confusion about exploitation attempts and
    clarify the verification of the feature on customer devices. As such,
    Cisco has attempted to consolidate all information related to the
    mitigation of potential Smart Install misuse or exploit of related
    vulnerabilities into this single document, which also notes how to
    properly secure devices that may be exposed and remediate the disclosed
    vulnerabilities.


    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20180409-smi

Details

  o Smart Install Vulnerability History

    The following table lists the Advisories that identify the Smart Install
    feature (Client and/or Director) as being vulnerable and the extent that
    these respective vulnerabilities are being actively exploited:

    +-------------+-------------+----------------+--------+-----------+----------+
    |Advisory Name|CVE ID       |Description     |Client/ |Publication|Actively  |
    |             |             |                |Director|Date       |Exploited?|
    +-------------+-------------+----------------+--------+-----------+----------+
    |Cisco Smart  |N/A          |Widespread      |Client  |14-Feb-2017|Yes       |
    |Install      |             |scanning for    |Only    |           |          |
    |Protocol     |             |devices with the|        |           |          |
    |Misuse       |             |Smart Install   |        |           |          |
    |             |             |feature enabled |        |           |          |
    |             |             |and without     |        |           |          |
    |             |             |proper security |        |           |          |
    |             |             |controls        |        |           |          |
    +-------------+-------------+----------------+--------+-----------+----------+
    |Cisco IOS and|CVE-2018-0171|Reload, denial  |Client  |28-Mar-2018|No        |
    |IOS XE       |             |of service,     |Only    |           |          |
    |Software     |             |remote code     |        |           |          |
    |Smart Install|             |execution       |        |           |          |
    |Remote Code  |             |                |        |           |          |
    |Execution    |             |                |        |           |          |
    |Vulnerability|             |                |        |           |          |
    +-------------+-------------+----------------+--------+-----------+----------+
    |Cisco IOS and|CVE-2018-0156|Reload, denial  |Client  |28-Mar-2018|No        |
    |IOS XE       |             |of service      |Only    |           |          |
    |Software     |             |                |        |           |          |
    |Smart Install|             |                |        |           |          |
    |Denial of    |             |                |        |           |          |
    |Service      |             |                |        |           |          |
    |Vulnerability|             |                |        |           |          |
    +-------------+-------------+----------------+--------+-----------+----------+
    |Cisco IOS and|CVE-2016-6385|Memory leak,    |Client  |28-Sep-2016|No        |
    |IOS XE       |             |eventual denial |Only    |           |          |
    |Software     |             |of service      |        |           |          |
    |Smart Install|             |                |        |           |          |
    |Memory Leak  |             |                |        |           |          |
    |Vulnerability|             |                |        |           |          |
    +-------------+-------------+----------------+--------+-----------+----------+
    |Cisco IOS and|CVE-2016-1349|Denial of       |Client  |23-Mar-2016|No        |
    |IOS XE       |             |service         |Only    |           |          |
    |Software     |             |                |        |           |          |
    |Smart Install|             |                |        |           |          |
    |Denial of    |             |                |        |           |          |
    |Service      |             |                |        |           |          |
    |Vulnerability|             |                |        |           |          |
    +-------------+-------------+----------------+--------+-----------+----------+
    |Cisco IOS    |CVE-2013-1146|Denial of       |Client  |27-Mar-2013|No        |
    |Software     |             |service         |Only    |           |          |
    |Smart Install|             |                |        |           |          |
    |Denial of    |             |                |        |           |          |
    |Service      |             |                |        |           |          |
    |Vulnerability|             |                |        |           |          |
    +-------------+-------------+----------------+--------+-----------+----------+
    |Cisco IOS    |CVE-2012-0385|Malformed SMI   |Client &|28-Mar-2012|No        |
    |Software     |             |packet causes   |Director|           |          |
    |Smart Install|             |reload          |        |           |          |
    |Denial of    |             |                |        |           |          |
    |Service      |             |                |        |           |          |
    |Vulnerability|             |                |        |           |          |
    +-------------+-------------+----------------+--------+-----------+----------+
    |Cisco IOS    |CVE-2011-3271|Remote code     |Client &|28-Sep-2011|No        |
    |Software     |             |execution       |Director|           |          |
    |Smart Install|             |                |        |           |          |
    |Remote Code  |             |                |        |           |          |
    |Execution    |             |                |        |           |          |
    |Vulnerability|             |                |        |           |          |
    +-------------+-------------+----------------+--------+-----------+----------+

    Summary of Recommended Actions

    To ensure their network is protected against issues involving Smart
    Install, our recommendation for customers not actually using Smart Install
    is to disable the feature using the no vstack command once setup is
    complete. Customers who do use the feature - and need to leave it enabled
    - can use ACLs to block incoming traffic on TCP port 4786 (the proper
    security control). Additionally, patches for known security
    vulnerabilities should be applied as part of standard network security
    management.

    Identification & Mitigation Steps

    Customers concerned with potential exposure of their network devices to
    the Smart Install vulnerabilities should adhere to the following process:

     1. Software Affected? - Determine if the software version(s) in use are
        affected by the vulnerabilities described within the Smart Install
        Security Advisories.
     2. Feature Enabled? - For devices running affected software versions,
        these devices should be checked for the presence of the Smart Install
        Client feature.
     3. Mitigate Exposure by:
         1. Disabling Feature - On devices found to be running the Smart
            Install Client feature, customers should disable the feature or,
            where not applicable,
         2. Restrict Smart Install Access - Minimize the exposure of the
            feature by implementing ACLs and Control Plane Policing (CoPP).

    Smart Install Deployment Risk

    Cisco Smart Install is a legacy feature that provides zero-touch
    deployment for new switches, typically access layer switches, and
    incorporates no authentication by design. Newer technology, such as the
    Cisco Network Plug and Play feature, is highly recommended for more secure
    setup of new switches. If not properly disabled or secured following
    setup, Smart Install could allow for the exfiltration and modification of
    configuration files, among other things, even without the presence of a
    vulnerability.

    A Smart Install network consists of one Smart Install Director switch or
    router, also known as the Integrated Branch Director (IBD), and one or
    more Smart Install Client switches, also known as Integrated Branch
    Clients (IBCs).

    The Smart Install feature is enabled by default on client switches. No
    specific configuration is needed on Smart Install Client switches, whereas
    the Smart Install Director must be configured explicitly.

    Confirmation of Affected Versions of IOS and IOS XE

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker
    , that identifies any Cisco Security Advisories that impact a specific
    software release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities described
    in all the advisories identified ("Combined First Fixed").

    Customers can use this tool to perform the following tasks:

        o Initiate a search by choosing one or more releases from a drop-down
          list or uploading a file from a local system for the tool to parse
        o Enter the output of the show version command for the tool to parse
        o Create a custom search by including all previously published Cisco
          Security Advisories, a specific advisory, or all advisories in the
          most recent bundled publication

    To determine whether a release is affected by any published Cisco Security
    Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a
    Cisco IOS Software or Cisco IOS XE Software release--for example, 15.1(4)M2
    or 3.13.8S--in the following field:


    Identification of Vulnerable Devices

    Verification of Device with Smart Install Client Enabled

    The following example shows the output of the show vstack config command
    in a Cisco Catalyst switch with the Smart Install Client feature enabled.
    These are the only outputs that indicate that the Smart Install Client
    feature is enabled:

        Switch1#show vstack config | include Role
        Role: Client (SmartInstall enabled)

        switch2# show vstack config
        Capability: Client
        Oper Mode: Enabled
        Role: Client

    Verification of Device Listening on TCP Port 4786

    The following example shows the output of the show tcp brief all | include
    4786 command in a Cisco Catalyst switch that is listening on the Smart
    Install Client port (TCP 4786):

        Switch#show tcp brief all | include 4786
        FFB6D31818  0.0.0.0.4786               *.*                         LISTEN
        Switch#

    The following example shows the output of the show tcp brief all | include
    4786 command in a Cisco Catalyst switch that is listening on the Smart
    Install Client port (TCP 4786) AND has a connection to a Smart Install
    Director (IP address: 10.69.12.117):

        FFA893EA50  10.66.91.126.4786          10.69.12.117.54246          CLOSEWAIT
        FFB6D31818  0.0.0.0.4786               *.*                         LISTEN
        Switch#

    Please note that this method cannot distinguish between a device running
    as a Smart Install Client and a device running as a Smart Install
    Director. As such, the show vstack config command is preferred whenever
    possible.
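The two checks above lend themselves to automation when a fleet of switches has to be audited from captured CLI output. The following script is an added example, not part of Cisco's advisory or tooling: it parses `show vstack config` (both the current "Role: Client (SmartInstall enabled)" form and the older separate "Oper Mode"/"Role" lines) and `show tcp brief all | include 4786`, and reports a verdict that keeps the advisory's caveat that the TCP check alone cannot tell a Client from a Director. The sample captures are constructed from the advisory's examples; the "SmartInstall disabled" capture and the device names are assumptions, and only IPv4 endpoints are handled.

```python
"""Audit captured Cisco IOS 'show' output for Smart Install Client exposure.

Added example (not Cisco's tooling). It parses the two outputs the advisory
uses as evidence: 'show vstack config' and 'show tcp brief all | include 4786'.
IPv4 endpoints only; the sample captures below are constructed from the
advisory's examples.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SMI_PORT = 4786


@dataclass
class SmartInstallStatus:
    client_enabled: bool = False                              # from 'show vstack config'
    listening: bool = False                                   # local TCP/4786 in LISTEN
    director_peers: List[str] = field(default_factory=list)   # remote IPs talking to local :4786


def parse_vstack_config(output: str) -> bool:
    """True only for the two output shapes the advisory says mean the Client is enabled."""
    text = output.lower()
    # Current nomenclature (after CSCvd35782): 'Role: Client (SmartInstall enabled)'
    if re.search(r"role:\s*client\s*\(smartinstall enabled\)", text):
        return True
    # Older nomenclature: separate 'Oper Mode: Enabled' and bare 'Role: Client' lines
    return bool(re.search(r"oper mode:\s*enabled", text)
                and re.search(r"^\s*role:\s*client\s*$", text, re.M))


# TCB  local-endpoint  foreign-endpoint  STATE  (prompt and header lines do not match)
_TCP_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+(\S+)\s+(\S+)\s+([A-Z]+)\s*$")


def _split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """'10.66.91.126.4786' -> ('10.66.91.126', 4786); '*.*' -> ('*', None)."""
    host, _, port = ep.rpartition(".")
    return (host, int(port)) if port.isdigit() else (host, None)


def parse_tcp_brief(output: str, port: int = SMI_PORT) -> Tuple[bool, List[str]]:
    """Return (listening on port, [peer IPs with a non-LISTEN socket to that local port])."""
    listening, peers = False, []
    for line in output.splitlines():
        m = _TCP_LINE.match(line)
        if not m:
            continue
        _, local, foreign, state = m.groups()
        if _split_endpoint(local)[1] != port:
            continue
        if state == "LISTEN":
            listening = True
        else:
            peers.append(_split_endpoint(foreign)[0])
    return listening, peers


def assess(vstack_output: Optional[str], tcp_brief_output: Optional[str]) -> SmartInstallStatus:
    """Combine whichever captures are available into one status record."""
    st = SmartInstallStatus()
    if vstack_output is not None:
        st.client_enabled = parse_vstack_config(vstack_output)
    if tcp_brief_output is not None:
        st.listening, st.director_peers = parse_tcp_brief(tcp_brief_output)
    return st


def verdict(st: SmartInstallStatus) -> str:
    if st.client_enabled:
        return "EXPOSED"   # disable with 'no vstack' or restrict TCP/4786 per the advisory
    if st.listening or st.director_peers:
        return "REVIEW"    # 'show tcp brief' cannot tell a Client from a Director
    return "OK"


# Constructed sample captures (device names and the 'disabled' output are assumptions).
VSTACK_NEW = "Switch1#show vstack config | include Role\nRole: Client (SmartInstall enabled)\n"
VSTACK_OLD = "switch2# show vstack config\nCapability: Client\nOper Mode: Enabled\nRole: Client\n"
VSTACK_DISABLED = "Switch3#show vstack config | include Role\nRole: Client (SmartInstall disabled)\n"
TCP_BRIEF = (
    "Switch#show tcp brief all | include 4786\n"
    "FFA893EA50  10.66.91.126.4786          10.69.12.117.54246          CLOSEWAIT\n"
    "FFB6D31818  0.0.0.0.4786               *.*                         LISTEN\n"
    "Switch#\n"
)

if __name__ == "__main__":
    for label, vs in (("new", VSTACK_NEW), ("old", VSTACK_OLD), ("disabled", VSTACK_DISABLED)):
        st = assess(vs, TCP_BRIEF)
        print(f"{label}: {verdict(st)} peers={st.director_peers}")
```

Run the verdicts over captures collected per device; anything reported as EXPOSED or REVIEW should then go through the "Disabling Smart Install" or "Restrict Smart Install Access" steps that follow.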

    Disabling Smart Install

    Issue "no vstack" Command

    Upon successful deployment of Cisco Switches, administrators should either
    utilize Smart Install or immediately disable the Smart Install Client
    feature if Smart Install is not used, as the feature will no longer be
    required for operation. The Smart Install feature can be disabled with the
    no vstack command.

    Restrict Smart Install Access

    "no vstack" Command Not Available or Smart Install Used for More Than
    Zero-Touch Deployment

    For networks where the no vstack command is not available or where Smart
    Install is used for more than just zero-touch deployment, customers should
    ensure that only the IBD has TCP connectivity to all IBCs on port 4786.
    Administrators can use the following security best practices for Cisco
    Smart Install deployments on affected devices:


        o Interface access control lists (ACLs)
        o Control Plane Policing (CoPP)

    An interface ACL might look like the following example, with the IP
    address of the Smart Install Director (IBD) being 10.10.10.1 and the IP
    address of the Smart Install Client (IBC) being 10.10.10.200:

            ip access-list extended SMI_HARDENING_LIST
              permit tcp host 10.10.10.1 host 10.10.10.200 eq 4786
              deny tcp any any eq 4786
              permit ip any any

    This ACL would then need to be deployed on all IP interfaces on all IBCs.
    It can be pushed via the IBD when the switches are first deployed.
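Because the ACL only helps if it is both defined with the deny entry and bound on every IP interface of every IBC, a compliance check against each switch's running configuration is worth automating. The following script is an added example, not part of Cisco's advisory or tooling. It assumes the standard IOS `show running-config` layout (one-space indentation inside `interface` and `ip access-list` blocks, optional sequence numbers on ACL entries) and uses a constructed sample configuration built around the advisory's SMI_HARDENING_LIST ACL; the interface names and addresses in the sample are assumptions.

```python
"""Verify that the Smart Install hardening ACL is defined and bound inbound on
every IP interface of an IBC, using a captured 'show running-config'.

Added example (not Cisco's). Assumes IOS running-config layout: one-space
indentation inside 'interface' and 'ip access-list' blocks. The sample config
is constructed around the ACL shown in the advisory.
"""
import re
from typing import Dict, List

ACL_NAME = "SMI_HARDENING_LIST"
# Optional leading sequence number, then the blocking entry from the advisory.
_DENY_SMI = re.compile(r"^(\d+\s+)?deny\s+tcp\s+any\s+any\s+eq\s+4786$")


def _blocks(running_config: str, prefix: str) -> Dict[str, List[str]]:
    """Map '<prefix> <name>' headers to their indented body lines."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in running_config.splitlines():
        if line.startswith(prefix + " "):
            current = line[len(prefix) + 1:].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None          # '!' or any top-level command ends the block
    return blocks


def acl_denies_smi(running_config: str, acl_name: str = ACL_NAME) -> bool:
    """True if the named extended ACL contains 'deny tcp any any eq 4786'."""
    body = _blocks(running_config, "ip access-list extended").get(acl_name, [])
    return any(_DENY_SMI.match(entry) for entry in body)


def unprotected_ip_interfaces(running_config: str, acl_name: str = ACL_NAME) -> List[str]:
    """Interfaces that carry an IP address but lack an inbound binding of the ACL."""
    missing = []
    for name, body in _blocks(running_config, "interface").items():
        has_ip = any(entry.startswith("ip address ") for entry in body)
        bound = f"ip access-group {acl_name} in" in body
        if has_ip and not bound:
            missing.append(name)
    return missing


def audit(running_config: str, acl_name: str = ACL_NAME) -> Dict[str, object]:
    """Summarise both checks; 'compliant' is True only when both pass."""
    acl_ok = acl_denies_smi(running_config, acl_name)
    missing = unprotected_ip_interfaces(running_config, acl_name)
    return {"acl_present": acl_ok, "unprotected": missing,
            "compliant": acl_ok and not missing}


# Constructed sample: Vlan1 is protected, Vlan20 is an IP interface with no binding,
# and the access port has no IP address so it is out of scope.
SAMPLE_CONFIG = """\
ip access-list extended SMI_HARDENING_LIST
 permit tcp host 10.10.10.1 host 10.10.10.200 eq 4786
 deny tcp any any eq 4786
 permit ip any any
!
interface Vlan1
 ip address 10.10.10.200 255.255.255.0
 ip access-group SMI_HARDENING_LIST in
!
interface Vlan20
 ip address 10.10.20.200 255.255.255.0
!
interface GigabitEthernet1/0/1
 switchport mode access
!
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

The check deliberately reports an interface as unprotected even when a different ACL is bound, since only an ACL that carries the deny entry for TCP 4786 counts; it does not verify that the permit for the IBD precedes the deny, so keep the entry order from the advisory's example when deploying.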

    Additional Support

    Customers who require support to determine if the feature is still enabled
    or suspect their devices are being potentially exploited should contact
    their support team (Advanced Services, TAC, etc.) and provide additional
    details as requested by Cisco.

    References

    Security Advisories

    Cisco IOS Software Smart Install Remote Code Execution Vulnerability

    Cisco IOS Software Smart Install Denial of Service Vulnerability

    Cisco IOS Software Smart Install Denial of Service Vulnerability

    Cisco IOS and IOS XE Software Smart Install Denial of Service
    Vulnerability

    Cisco IOS and IOS XE Software Smart Install Memory Leak Vulnerability

    Cisco Smart Install Protocol Misuse (First Published 14-Feb-2017)

    Cisco IOS and IOS XE Software Smart Install Denial of Service
    Vulnerability (First Published 28-Mar-2018)

    Cisco IOS and IOS XE Software Smart Install Remote Code Execution
    Vulnerability (First Published 28-Mar-2018) 

    Blog Posts

    Cisco Blog Post, "Cisco PSIRT - Mitigating and Detecting Potential Abuse
    of Cisco Smart Install Feature" (published 27-Feb-2017)

    Cisco Talos Blog Post, "Cisco Coverage for Smart Install Client Protocol
    Abuse" (published 27-Feb-2017)

    Cisco Talos Blog Post, "Critical Infrastructure at Risk: Advanced Actors
    Target Smart Install Client" (published 5-Apr-2018) 

    Tools & Additional References

    Cisco IOS Software Checker

    TALOS Smart Install Detection Tool

    Smart Install Configuration Guide

    Appendix--Smart Install Feature Caveats

    Auto-Disable Smart Install

    In software releases that incorporate the changes from Cisco Bug ID
    CSCvd36820, Cisco Smart Install Client feature should auto-disable after
    boot as soon as the switch detects that zero-touch deployment is not being
    used.

    Support of "no vstack" Command

    Use of the no vstack global configuration command to disable the Smart
    Install Client feature was introduced with the fix for Cisco defect
    CSCtj75729 (Ability to shut Smart Install default service on TCP port
    4786). If a Cisco IOS or IOS XE Software release supports the Smart
    Install Client feature but the no vstack command does not exist, the
    release does not contain the fix for Cisco defect CSCtj75729.

    "no vstack" Command Does Not Persist Across Reload

    Note: The no vstack command does not persist across reload due to Cisco
    defect CSCvd99197 in the following releases of Cisco IOS and IOS XE
    Software:
        o Cisco Catalyst 4500 and 4500-X Series Switches: 3.9.2E/15.2(5)E2
        o Cisco Catalyst 6500 Series Switches: 15.1(2)SY11, 15.2(1)SY5,
          15.2(2)SY3
        o Cisco Industrial Ethernet 4000 Series Switches: 15.2(5)E2, 15.2(5)E2a
        o Cisco ME 3400 and ME 3400E Series Ethernet Access Switches:
          12.2(60)EZ11
    For customers running any of these releases, Cisco recommends upgrading or
    downgrading to a nonaffected release or putting automation in place to
    reconfigure the no vstack command after every reload of the device.

    Existing Smart Install (SMI) Processes

    The no vstack command does not kill any running SMI processes, but it will
    prevent any new requests. When no vstack is entered, while previously the
    client had received an SMI request to perform an action, that process will
    continue running until completion or failure. Committing no vstack to
    memory and reloading should remove these messages. This is addressed as
    part of the fix for CSCvd36820.

    Additional Smart Install Information

        o The Cisco Smart Install client must send alerts to the local console
          periodically. This was added to provide awareness to customers that
          the feature is enabled. This was done via CSCvd36810.
        o Make show vstack config nomenclature consistent. Prior to this fix,
          the output for the role information was slightly different and caused
          some confusion. Fixes were done via CSCvd35782.
        o Make Smart Install Configuration visible in the configuration. By
          default, SMI never used to show vstack in show running or show running
          all config. Cisco added this so that if it is enabled, vstack will be
          present in the running configuration. This was done via CSCvd36799.
        o The Smart Install feature was removed in more recent releases, in
          particular from 16.4.2, 16.5.1b, 16.6.2, 16.7.1, and later. This was
          done via CSCvf04861 and CSCvg90005.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20180409-smi

Revision History

    +---------+-------------------------------+---------+--------+---------------+
    | Version |          Description          | Section | Status |     Date      |
    +---------+-------------------------------+---------+--------+---------------+
    | 1.2     | Added appendix to list of     | Details | Final  | 2018-April-11 |
    |         | references.                   |         |        |               |
    +---------+-------------------------------+---------+--------+---------------+
    |         | Updated links, formatting,    |         |        |               |
    | 1.1     | and text in table; updated    | Details | Final  | 2018-April-10 |
    |         | text and formatting of code   |         |        |               |
    |         | examples.                     |         |        |               |
    +---------+-------------------------------+---------+--------+---------------+
    | 1.0     | Initial public release.       | --      | Final  | 2018-April-09 |
    +---------+-------------------------------+---------+--------+---------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----