-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1122
   Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature
                               12 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS
                   Cisco IOS XE
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Denial of Service               -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0171 CVE-2018-0156 CVE-2016-6385 CVE-2016-1349
                   CVE-2013-1146 CVE-2012-0385 CVE-2011-3271
Reference:         ESB-2018.0899.2
                   ESB-2016.2415
                   ESB-2016.2283
                   ESB-2016.0784
                   ESB-2013.0450
                   ESB-2012.0328

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180409-smi

- --------------------------BEGIN INCLUDED TEXT--------------------

Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature

Informational

Advisory ID:     cisco-sa-20180409-smi
First Published: 2018 April 9 00:00 GMT
Last Updated:    2018 April 11 18:10 GMT
Version 1.2:     Final
Workarounds:     No workarounds available

Summary

  o In recent weeks, Cisco has published several documents related to the Smart
    Install feature: one Talos blog about potential misuse of the feature if
    left enabled, and two Cisco Security Advisories that were included in the
    March 2018 release of the Cisco IOS and IOS XE Software Security Advisory
    Bundled Publication. Given the heightened awareness, we want to minimize
    any potential confusion about exploitation attempts and clarify the
    verification of the feature on customer devices.
    As such, Cisco has attempted to consolidate all information related to the
    mitigation of potential Smart Install misuse or exploit of related
    vulnerabilities into this single document, which also notes how to properly
    secure devices that may be exposed and remediate the disclosed
    vulnerabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180409-smi

Details

  o Smart Install Vulnerability History

    The following table lists the Advisories that identify the Smart Install
    feature (Client and/or Director) as being vulnerable and the extent to
    which these respective vulnerabilities are being actively exploited:

+--------------------------------------------+-------------+------------------------------------+--------+-----------+----------+
|Advisory Name                               |CVE ID       |Description                         |Client/ |Publication|Actively  |
|                                            |             |                                    |Director|Date       |Exploited?|
+--------------------------------------------+-------------+------------------------------------+--------+-----------+----------+
|Cisco Smart Install Protocol Misuse         |N/A          |Widespread scanning for devices with|Client  |14-Feb-2017|Yes       |
|                                            |             |the Smart Install feature enabled   |Only    |           |          |
|                                            |             |and without proper security controls|        |           |          |
+--------------------------------------------+-------------+------------------------------------+--------+-----------+----------+
|Cisco IOS and IOS XE Software Smart Install |CVE-2018-0171|Reload, denial of service, remote   |Client  |28-Mar-2018|No        |
|Remote Code Execution Vulnerability         |             |code execution                      |Only    |           |          |
+--------------------------------------------+-------------+------------------------------------+--------+-----------+----------+
|Cisco IOS and IOS XE Software Smart Install |CVE-2018-0156|Reload, denial of service           |Client  |28-Mar-2018|No        |
|Denial of Service Vulnerability             |             |                                    |Only    |           |          |
+--------------------------------------------+-------------+------------------------------------+--------+-----------+----------+
|Cisco IOS and IOS XE Software Smart Install |CVE-2016-6385|Memory leak, eventual denial of     |Client  |28-Sep-2016|No        |
|Memory Leak Vulnerability                   |             |service                             |Only    |           |          |
+--------------------------------------------+-------------+------------------------------------+--------+-----------+----------+
|Cisco IOS and IOS XE Software Smart Install |CVE-2016-1349|Denial of service                   |Client  |23-Mar-2016|No        |
|Denial of Service Vulnerability             |             |                                    |Only    |           |          |
+--------------------------------------------+-------------+------------------------------------+--------+-----------+----------+
|Cisco IOS Software Smart Install            |CVE-2013-1146|Denial of service                   |Client  |27-Mar-2013|No        |
|Denial of Service Vulnerability             |             |                                    |Only    |           |          |
+--------------------------------------------+-------------+------------------------------------+--------+-----------+----------+
|Cisco IOS Software Smart Install            |CVE-2012-0385|Malformed SMI packet causes reload  |Client &|28-Mar-2012|No        |
|Denial of Service Vulnerability             |             |                                    |Director|           |          |
+--------------------------------------------+-------------+------------------------------------+--------+-----------+----------+
|Cisco IOS Software Smart Install            |CVE-2011-3271|Remote code execution               |Client &|28-Sep-2011|No        |
|Remote Code Execution Vulnerability         |             |                                    |Director|           |          |
+--------------------------------------------+-------------+------------------------------------+--------+-----------+----------+

Summary of Recommended Actions

To ensure their network is protected against issues involving Smart Install,
our recommendation for customers not actually using Smart Install is to
disable the feature using the no vstack command once setup is complete.
Customers who do use the feature - and need to leave it enabled - can use
ACLs to block incoming traffic on TCP port 4786 (the proper security
control). Additionally, patches for known security vulnerabilities should be
applied as part of standard network security management.
Identification & Mitigation Steps

Customers concerned with potential exposure of their network devices to the
Smart Install vulnerabilities should adhere to the following process:

  1. Software Affected? - Determine if the software version(s) in use are
     affected by the vulnerabilities described within the Smart Install
     Security Advisories.
  2. Feature Enabled? - For devices running affected software versions, these
     devices should be checked for the presence of the Smart Install Client
     feature.
  3. Mitigate Exposure by:
     1. Disabling Feature - On devices found to be running the Smart Install
        Client feature, customers should disable the feature or, where not
        applicable,
     2. Restrict Smart Install Access - Minimize the exposure of the feature
        by implementing ACLs and Control Plane Policing (CoPP).

Smart Install Deployment Risk

Cisco Smart Install is a legacy feature that provides zero-touch deployment for
new switches, typically access layer switches, and incorporates no
authentication by design. Newer technology, such as the Cisco Network Plug and
Play feature, is highly recommended for more secure setup of new switches. If
not properly disabled or secured following setup, Smart Install could allow for
the exfiltration and modification of configuration files, among other things,
even without the presence of a vulnerability.

A Smart Install network consists of one Smart Install Director switch or
router, also known as the Integrated Branch Director (IBD), and one or more
Smart Install Client switches, also known as Integrated Branch Clients (IBCs).
The Smart Install feature is enabled by default on client switches. No specific
configuration is needed on Smart Install Client switches, whereas the Smart
Install Director must be configured explicitly.
Confirmation of Affected Versions of IOS and IOS XE

Cisco IOS and IOS XE Software

To help customers determine their exposure to vulnerabilities in Cisco IOS and
IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker, that
identifies any Cisco Security Advisories that impact a specific software
release and the earliest release that fixes the vulnerabilities described in
each advisory ("First Fixed"). If applicable, the tool also returns the
earliest release that fixes all the vulnerabilities described in all the
advisories identified ("Combined First Fixed").

Customers can use this tool to perform the following tasks:

  o Initiate a search by choosing one or more releases from a drop-down list
    or uploading a file from a local system for the tool to parse
  o Enter the output of the show version command for the tool to parse
  o Create a custom search by including all previously published Cisco
    Security Advisories, a specific advisory, or all advisories in the most
    recent bundled publication

To determine whether a release is affected by any published Cisco Security
Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS
Software or Cisco IOS XE Software release--for example, 15.1(4)M2 or
3.13.8S--in the search field on the advisory page.

Identification of Vulnerable Devices

Verification of Device with Smart Install Client Enabled

The following example shows the output of the show vstack config command in a
Cisco Catalyst switch with the Smart Install Client feature enabled.
These are the only outputs that indicate that the Smart Install Client feature
is enabled:

    Switch1#show vstack config | include Role
     Role: Client (SmartInstall enabled)

    switch2# show vstack config
     Capability: Client
     Oper Mode: Enabled
     Role: Client

Verification of Device Listening on TCP Port 4786

The following example shows the output of the show tcp brief all | include 4786
command in a Cisco Catalyst switch that is listening on the Smart Install
Client port (TCP 4786):

    Switch#show tcp brief all | include 4786
    FFB6D31818  0.0.0.0.4786               *.*                         LISTEN
    Switch#

The following example shows the output of the show tcp brief all | include 4786
command in a Cisco Catalyst switch that is listening on the Smart Install
Client port (TCP 4786) AND has a connection to a Smart Install Director (IP
address: 10.69.12.117):

    FFA893EA50  10.66.91.126.4786          10.69.12.117.54246          CLOSEWAIT
    FFB6D31818  0.0.0.0.4786               *.*                         LISTEN
    Switch#

Please note that this method cannot distinguish between a device running as a
Smart Install Client and a device running as a Smart Install Director. As
such, the show vstack config command is preferred whenever possible.

Disabling Smart Install

Issue "no vstack" Command

Upon successful deployment of Cisco Switches, administrators should either
utilize Smart Install or immediately disable the Smart Install Client feature
if Smart Install is not used, as the feature will no longer be required for
operation. The Smart Install feature can be disabled with the no vstack
command.

Restrict Smart Install Access

"no vstack" Command Not Available or Smart Install Used for More Than
Zero-Touch Deployment

For networks where the no vstack command is not available or where Smart
Install is used for more than just zero-touch deployment, customers should
ensure that only the IBD has TCP connectivity to all IBCs on port 4786.
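The two verification checks above (show vstack config and show tcp brief all | include 4786) and the interface ACL this advisory recommends for restricting TCP 4786 to the IBD can be audited from collected command output. The Python below is an added example, not part of the Cisco advisory or the AusCERT bulletin; it assumes the command output and running-config were gathered separately, that the director's IP address is known, and that the function names (smi_client_enabled, smi_sockets, acl_restricts_smi, assess) are this example's own. The sample outputs at the bottom are constructed, modelled on the advisory's examples.

```python
import re

def smi_client_enabled(vstack_config):
    # 'show vstack config': "Role: Client (SmartInstall enabled)" or "Oper Mode: Enabled" + "Role: Client"
    role_client = re.search(r"^\s*Role:\s*Client", vstack_config, re.M) is not None
    enabled = ("SmartInstall enabled" in vstack_config
               or re.search(r"^\s*Oper Mode:\s*Enabled", vstack_config, re.M) is not None)
    return role_client and enabled

def smi_sockets(tcp_brief):
    # 'show tcp brief all | include 4786' -> (listening on 4786?, peer IPs with a session to 4786)
    listening, peers = False, []
    for line in tcp_brief.splitlines():
        m = re.match(r"^\s*[0-9A-Fa-f]+\s+(\S+)\.(\d+)\s+(\S+)\s+(\S+)\s*$", line)
        if not m or m.group(2) != "4786":
            continue
        if m.group(4) == "LISTEN":
            listening = True
        elif m.group(3) != "*.*":
            peers.append(m.group(3).rsplit(".", 1)[0])  # strip the foreign port
    return listening, peers

def acl_restricts_smi(running_config, director_ip):
    # True if an extended ACL permits tcp from the director to port 4786 before denying
    # tcp any any eq 4786, and that ACL is applied inbound on at least one interface.
    acls, applied, current = {}, set(), None
    for raw in running_config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # top-level command starts a new context
            m = re.match(r"ip access-list extended (\S+)$", line)
            current = m.group(1) if m else None
            continue
        if current:  # ACL entry; drop an optional sequence number
            acls.setdefault(current, []).append(re.sub(r"^\d+\s+", "", line))
        m = re.match(r"ip access-group (\S+) in$", line)
        if m:
            applied.add(m.group(1))
    for name, entries in acls.items():
        permit = [i for i, e in enumerate(entries) if re.match(
            rf"permit tcp host {re.escape(director_ip)} host \S+ eq 4786$", e)]
        deny = [i for i, e in enumerate(entries) if e == "deny tcp any any eq 4786"]
        if permit and deny and permit[0] < deny[0] and name in applied:
            return True
    return False

def assess(vstack_config, tcp_brief, running_config, director_ip):
    # The advisory's decision per device: "disabled", "restricted" (ACL in place) or "exposed".
    listening, peers = smi_sockets(tcp_brief)
    if not smi_client_enabled(vstack_config) and not listening:
        return "disabled", peers
    return ("restricted" if acl_restricts_smi(running_config, director_ip) else "exposed"), peers

# Constructed sample outputs modelled on the advisory's examples (not real captures).
VSTACK_OUT = "Capability: Client\nOper Mode: Enabled\nRole: Client\n"
TCP_OUT = ("FFA893EA50 10.66.91.126.4786 10.69.12.117.54246 CLOSEWAIT\n"
           "FFB6D31818 0.0.0.0.4786 *.* LISTEN\n")
CONFIG_OUT = ("ip access-list extended SMI_HARDENING_LIST\n"
              " permit tcp host 10.69.12.117 host 10.66.91.126 eq 4786\n deny tcp any any eq 4786\n"
              " permit ip any any\ninterface Vlan1\n ip access-group SMI_HARDENING_LIST in\n")
```

assess(VSTACK_OUT, TCP_OUT, CONFIG_OUT, "10.69.12.117") returns ("restricted", ["10.69.12.117"]); with an empty running-config the same device is reported as "exposed", and a device whose vstack output shows "Oper Mode: Disabled" with no 4786 socket is reported as "disabled".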
Administrators can use the following security best practices for Cisco Smart
Install deployments on affected devices:

  o Interface access control lists (ACLs)
  o Control Plane Policing (CoPP)

An interface ACL might look like the following example, with the IP address of
the Smart Install Director (IBD) being 10.10.10.1 and the IP address of the
Smart Install Client (IBC) being 10.10.10.200:

    ip access-list extended SMI_HARDENING_LIST
     permit tcp host 10.10.10.1 host 10.10.10.200 eq 4786
     deny tcp any any eq 4786
     permit ip any any

This ACL would then need to be deployed on all IP interfaces on all IBCs. It
can be pushed via the IBD when the switches are first deployed.

Additional Support

Customers who require support to determine if the feature is still enabled or
suspect their devices are being potentially exploited should contact their
support team (Advanced Services, TAC, etc.) and provide additional details as
requested by Cisco.

References

Security Advisories

  o Cisco IOS Software Smart Install Remote Code Execution Vulnerability
  o Cisco IOS Software Smart Install Denial of Service Vulnerability
  o Cisco IOS Software Smart Install Denial of Service Vulnerability
  o Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability
  o Cisco IOS and IOS XE Software Smart Install Memory Leak Vulnerability
  o Cisco Smart Install Protocol Misuse (First Published 14-Feb-2017)
  o Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability
    (First Published 28-Mar-2018)
  o Cisco IOS and IOS XE Software Smart Install Remote Code Execution
    Vulnerability (First Published 28-Mar-2018)

Blog Posts

  o Cisco Blog Post, "Cisco PSIRT - Mitigating and Detecting Potential Abuse of
    Cisco Smart Install Feature" (published 27-Feb-2017)
  o Cisco Talos Blog Post, "Cisco Coverage for Smart Install Client Protocol
    Abuse" (published 27-Feb-2017)
  o Cisco Talos Blog Post, "Critical Infrastructure at Risk: Advanced Actors
    Target Smart Install Client" (published 5-Apr-2018)

Tools & Additional References
  o Cisco IOS Software Checker
  o TALOS Smart Install Detection Tool
  o Smart Install Configuration Guide

Appendix--Smart Install Feature Caveats

Auto-Disable Smart Install

In software releases that incorporate the changes from Cisco Bug ID CSCvd36820,
the Cisco Smart Install Client feature should auto-disable after boot as soon
as the switch detects that zero-touch deployment is not being used.

Support of "no vstack" Command

Use of the no vstack global configuration command to disable the Smart Install
Client feature was introduced with the fix for Cisco defect CSCtj75729 (Ability
to shut Smart Install default service on TCP port 4786). If a Cisco IOS or IOS
XE Software release supports the Smart Install Client feature but the no vstack
command does not exist, the release does not contain the fix for Cisco defect
CSCtj75729.

"no vstack" Command Does Not Persist Across Reload

Note: The no vstack command does not persist across reload due to Cisco defect
CSCvd99197 in the following releases of Cisco IOS and IOS XE Software:

  o Cisco Catalyst 4500 and 4500-X Series Switches: 3.9.2E/15.2(5)E2
  o Cisco Catalyst 6500 Series Switches: 15.1(2)SY11, 15.2(1)SY5, 15.2(2)SY3
  o Cisco Industrial Ethernet 4000 Series Switches: 15.2(5)E2, 15.2(5)E2a
  o Cisco ME 3400 and ME 3400E Series Ethernet Access Switches: 12.2(60)EZ11

For customers running any of these releases, Cisco recommends upgrading or
downgrading to a nonaffected release or putting automation in place to
reconfigure the no vstack command after every reload of the device.

Existing Smart Install (SMI) Processes

The no vstack command does not kill any running SMI processes, but it will
prevent any new requests. If no vstack is entered after the client has already
received an SMI request to perform an action, that process will continue
running until completion or failure. Committing no vstack to memory and
reloading should remove these messages. This is addressed as part of the fix
for CSCvd36820.
Additional Smart Install Information

  o The Cisco Smart Install client must send alerts to the local console
    periodically. This was added to provide awareness to customers that the
    feature is enabled. This was done via CSCvd36810.
  o Make show vstack config nomenclature consistent. Prior to this fix, the
    output for the role information was slightly different and caused some
    confusion. Fixes were done via CSCvd35782.
  o Make Smart Install Configuration visible in the configuration. By default,
    SMI never used to show vstack in show running or show running all config.
    Cisco added this so that if it is enabled, vstack will be present in the
    running configuration. This was done via CSCvd36799.
  o The Smart Install feature was removed in more recent releases, in
    particular from 16.4.2, 16.5.1b, 16.6.2, 16.7.1, and later. This was done
    via CSCvf04861 and CSCvg90005.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180409-smi

Revision History

+---------+-------------------------------+---------+--------+---------------+
| Version | Description                   | Section | Status | Date          |
+---------+-------------------------------+---------+--------+---------------+
| 1.2     | Added appendix to list of     | Details | Final  | 2018-April-11 |
|         | references.                   |         |        |               |
+---------+-------------------------------+---------+--------+---------------+
|         | Updated links, formatting,    |         |        |               |
| 1.1     | and text in table; updated    | Details | Final  | 2018-April-10 |
|         | text and formatting of code   |         |        |               |
|         | examples.                     |         |        |               |
+---------+-------------------------------+---------+--------+---------------+
| 1.0     | Initial public release.       | --      | Final  | 2018-April-09 |
+---------+-------------------------------+---------+--------+---------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================