Cisco tries to squash Smart Install security abuse

Cisco Smart Install as a legacy feature that provides zero-touch deployment for switches, typically access layer switches

Stephen Lawson

Cisco is playing down a security issue with its Smart Install switch management software that could allow unauthenticated access to customer configuration details.

Cisco defines Smart Install as a legacy feature that provides zero-touch deployment for new switches, typically access layer switches.

+More on Network World: Cisco Jasper grows Internet of Things reach, breadth+

Cisco wrote in a blog this week that a “Smart Install network consists of one Smart Install director switch or router, also known as the integrated branch director (IBD), and one or more Smart Install client switches, also known as integrated branch clients (IBCs). Only Smart Install client switches are affected by the abuse. While there are no obvious indicators of an attacker abusing the Smart Install capabilities, Cisco recommends that customers look for any unscheduled device configuration changes, reloads, or access from external IP addresses.”

Cisco’s Talos security team wrote it “has become aware of active scanning against customer infrastructure with the intent of finding Cisco Smart Install clients. Cisco Smart Install is one component of the Cisco Smart Operations solution that facilitates the management of LAN switches. Research has indicated that malicious actors may be leveraging detailed knowledge of the Smart Install Protocol to obtain copies of customer configurations from affected devices. The attack leverages a known issue with the Smart Install protocol. Abuse of the Smart Install protocol can lead to modification of the TFTP [Trivial File Transfer Protocol] server setting, exfiltration of configuration files via TFTP, replacement of IOS image and potentially execution of IOS commands.”

Cisco Security however said that “it does not consider this a vulnerability in Cisco IOS, IOS XE, or the Smart Install feature itself but a misuse of the Smart Install protocol, which does not require authentication by design.”

Cisco says the absence of an authorization or authentication mechanism in the Smart Install protocol between the client and the director can allow a client to process crafted SMI protocol messages as if these messages were from the Smart Install director and perform actions such as:

  • Copy the IBC's startup-config file to the previously changed, attacker-controlled TFTP server
  • Substitute the client's startup-config file with a file that the attacker prepared and force a reload of the IBC after a defined time interval
  • Load an attacker-supplied IOS image onto the IBC
  • Execute high-privilege configuration mode CLI commands on an IBC, including do-exec CLI commands. Any output of or prompt resulting from the command(s) run will appear on the IBC’s local console (this is only possible in IOS 15.2(2)E and later, and IOS XE 3.6.0E and later)

There is a lot of information about this issue and Talos said it has produced a scanning utility which all users can run against their infrastructure to determine if they could be affected by abuse of the Smart Install Client Protocol. This tool can be found here.

Cisco said it has updated the Smart Install Configuration Guide to include security best practices regarding the deployment of the Cisco Smart Install feature within customer infrastructures.

+More on Network World: Cisco execs foretell key 2017 enterprise networking trends+

Cisco said customers who are seeking more than zero-touch deployment should consider deploying the Cisco Network Plug and Play solution instead.

Issues with Smart Install have been reported by Brian Martin at Tenable Network Security, Daniel Turner of Trustwave SpiderLabs, and Alexander Evstigneev and Dmitry Kuznetsov of Digital Security, Cisco stated.

Check out these other hot stories:

Cisco Jasper grows Internet of Things reach, breadth

Space X to zoom two citizen astronauts to the moon

Verizon and Cisco team to bring 5G network pilot program to the masses

IBM, Vermont Electric spawn intelligent energy software company

11 low-tech, decidedly cool cars

Ethernet 2.5GBASE-T and 5GBASE-T grows, testing on tap from UNH lab

IRS Dirty Dozen: Phishing, phone cons and identity theft lead scam list for 2017

HPE joins Cisco, Juniper with faulty clock technology problem

SD-WANs get IPv6 support from Versa

India blasts 104 satellites into orbit aboard one rocket

Juniper facing fatal clock flaw that impacts Cisco routers, switches

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2017 IDG Communications, Inc.

IT Salary Survey: The results are in