Due to the number of highly critical vulnerabilities in some of its products, Cisco has been the center of attention in the cybercrime world. The latest news regarding the company involves a new hacking group, JHT, which successfully hijacked a range of Cisco devices. The devices belong to organizations in Russia and Iran.
Apparently, the JHT hackers left a message on the hacked devices with the following text – “Do not mess with our elections”. The message also had an American flag in ASCII art style. According to the Iranian Communication and Information Technology Minister, MJ Azari Jahromi, some 3,500 network switches in the country were affected. The good news is that most of them have already been brought back to normal.
Was CVE-2018-0171 Used in the JHT Hacking Group Attacks?
In these latest attacks, the Cisco Smart Install Client has been targeted. Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. Thanks to this configuration, a switch can be shipped and placed in the network, without needing any configuration on the device, Cisco explains.
This feature, which is designed to help administrators configure and deploy Cisco devices remotely, is enabled by default on Cisco IOS and Cisco IOS XE switches and listens on TCP port 4786.
At first, researchers thought that CVE-2018-0171, the recently disclosed remote code execution bug in the Cisco Smart Install Client, had been leveraged in these attacks.
The vulnerability is the result of improper validation of packet data in the Smart Install Client.
“A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device”, researchers recently reported.
Cisco Smart Install Client Misused
However, it turns out that the attacks involved the mere misuse of the targeted devices, not the exploitation of a vulnerability. Cisco says that misuse is the most likely explanation because the hacked devices were reset and made unavailable. The attack was carried out by overwriting the device configuration, which points to a misuse of the Smart Install protocol.
Apparently, this protocol can be abused to modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands, Cisco says in an advisory.
Furthermore, researchers from Qihoo 360 Netlab also believe that the JHT hacking attacks were not meant to leverage a particular vulnerability but were made possible by the lack of authentication in the Smart Install protocol.
Shodan statistics reveal that over 165,000 exposed systems are running the Smart Install Client on TCP port 4786. Since the feature is enabled by default, admins should make sure to limit access to it via interface access control lists. If the feature is not needed at all, it should be disabled with the “no vstack” configuration command.
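As an added illustration (not code from the article or from Cisco), a small Python audit that reads two constructed IOS running-configs, one left at the default and one hardened as described above, and reports whether the Smart Install Client is still reachable; the director address 192.0.2.10 and the ACL name SMI-PROTECT are assumptions.

```python
import re

# Constructed sample: Smart Install left at its default (enabled, no ACL on the uplink).
CONFIG_DEFAULT = """\
hostname sw-default
!
interface GigabitEthernet1/0/1
 description uplink
!
end
"""

# Constructed sample: Smart Install disabled with "no vstack" and, as defence in depth,
# TCP/4786 restricted on the uplink to a hypothetical director at 192.0.2.10.
CONFIG_HARDENED = """\
hostname sw-hardened
!
no vstack
!
ip access-list extended SMI-PROTECT
 permit tcp host 192.0.2.10 any eq 4786
 deny tcp any any eq 4786
 permit ip any any
!
interface GigabitEthernet1/0/1
 description uplink
 ip access-group SMI-PROTECT in
!
end
"""


def audit_smart_install(config: str) -> dict:
    """Report whether an IOS running-config still exposes the Smart Install Client.

    Simplified parser: an ACL counts as blocking only if it carries the exact ACE
    'deny tcp any any eq 4786', and only inbound ACLs on interfaces are considered.
    """
    lines = config.splitlines()
    vstack_disabled = any(line.strip() == "no vstack" for line in lines)
    blocking_acls, iface_acls, acl_in, iface = set(), {}, None, None
    for line in lines:
        if not line.startswith(" "):            # top-level command: leave any sub-mode
            acl_in = iface = None
            if m := re.match(r"ip access-list extended (\S+)$", line):
                acl_in = m.group(1)
            elif m := re.match(r"interface (\S+)$", line):
                iface = m.group(1)
                iface_acls[iface] = None        # no inbound ACL seen yet
            continue
        if acl_in and re.match(r"\s*deny tcp any any eq 4786$", line):
            blocking_acls.add(acl_in)            # ACL explicitly drops Smart Install traffic
        if iface and (m := re.match(r"\s*ip access-group (\S+) in$", line)):
            iface_acls[iface] = m.group(1)
    # With vstack disabled nothing listens on 4786; otherwise every interface without
    # a blocking inbound ACL still exposes the client.
    exposed = [] if vstack_disabled else [
        i for i, acl in iface_acls.items() if acl not in blocking_acls]
    return {"vstack_disabled": vstack_disabled, "exposed_interfaces": exposed}
```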
And lastly, even though the JHT hacks didn’t involve the use of the CVE-2018-0171 bug, admins are still urged to apply the patch immediately.