Due to the number of highly critical vulnerabilities in some of its products, Cisco has been at the center of attention in the cybercrime world. The latest news regarding the company involves a new hacking group, JHT, which hijacked a range of Cisco devices belonging to organizations in Russia and Iran.
Apparently, the JHT hackers left a message on the hacked devices with the following text: “Do not mess with our elections”. The message also included an American flag in ASCII art. According to the Iranian Minister of Communications and Information Technology, MJ Azari Jahromi, some 3,500 network switches in the country were affected. The good news is that most of them have already been restored to normal operation.
Was CVE-2018-0171 Used in the JHT Hacking Group Attacks?
The latest attacks targeted the Cisco Smart Install client. Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. Thanks to this feature, a switch can be shipped and placed into the network without any configuration on the device, Cisco explains.
The feature, designed to help administrators configure and deploy Cisco devices remotely, is enabled by default on Cisco IOS and Cisco IOS XE switches, where the client listens on TCP port 4786.
Initially, researchers thought that CVE-2018-0171, the recently disclosed remote code execution bug in the Cisco Smart Install client, had been leveraged in these attacks.
The vulnerability is the result of improper validation of packet data in the Smart Install client.
“A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device”, researchers recently reported.
Cisco Smart Install Client Misused
However, it turns out that the attacks involved mere misuse of the targeted devices, not the exploitation of a vulnerability. Cisco says that misuse is the most likely explanation: the hacked devices were reset and made unavailable, and the way the attack was carried out, by overwriting the device configuration, points to misuse of the Smart Install protocol.
Apparently, this protocol can be abused to modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing the execution of IOS commands, Cisco says in an advisory.
Furthermore, researchers from Qihoo 360 Netlab also believe that the JHT attacks were not meant to exploit a particular vulnerability but were enabled by the lack of authentication in the Smart Install protocol.
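The abuse pattern Cisco and Netlab describe (an unauthenticated session on TCP 4786, followed by a configuration or image transfer over TFTP) can be spotted in flow data. The script below is an added example for this article, not code from the article, from Cisco or from Netlab; the flow records are constructed, and the management prefix, the record field names and the ten-minute correlation window are assumptions:

```python
"""Flag Smart Install misuse in flow records.

Added example for this article, not code from the article or from Cisco.
The flow records below are constructed; the field names, the management
prefix and the correlation window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SMI_PORT = 4786   # Smart Install client listens here by default (TCP)
TFTP_PORT = 69    # Smart Install moves configs and images over TFTP (UDP)

# Only these networks are expected to speak Smart Install to switches (assumption).
MGMT_NETS = [ip_network("10.0.0.0/24")]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Alert:
    switch: str
    peer: str
    severity: str
    detail: str


def is_mgmt(ip: str) -> bool:
    """True if the address belongs to one of the management networks."""
    addr = ip_address(ip)
    return any(addr in net for net in MGMT_NETS)


def find_smi_abuse(flows, window=timedelta(minutes=10)):
    """Correlate inbound TCP/4786 with follow-on TFTP to the same peer.

    Smart Install has no authentication, so any TCP/4786 session from a
    host outside the management networks is reported on its own (medium).
    If the switch then opens TFTP back to that same host within `window`,
    that matches the abuse Cisco describes (config exfiltration, config
    or image replacement) and is reported as high.
    """
    ordered = sorted(flows, key=lambda f: f.ts)

    # (switch, peer) -> time of the first unexpected Smart Install session
    first_smi = {}
    for f in ordered:
        if f.proto == "tcp" and f.dport == SMI_PORT and not is_mgmt(f.src):
            first_smi.setdefault((f.dst, f.src), f.ts)

    # Switch-initiated TFTP to a peer that just spoke Smart Install to it
    tftp_seen = set()
    for f in ordered:
        key = (f.src, f.dst)  # switch -> peer
        if f.proto == "udp" and f.dport == TFTP_PORT and key in first_smi:
            if first_smi[key] <= f.ts <= first_smi[key] + window:
                tftp_seen.add(key)

    alerts = []
    for (switch, peer), ts in sorted(first_smi.items(), key=lambda kv: kv[1]):
        if (switch, peer) in tftp_seen:
            alerts.append(Alert(switch, peer, "high",
                                "TCP/4786 from non-management host followed by TFTP to it"))
        else:
            alerts.append(Alert(switch, peer, "medium",
                                "TCP/4786 session from non-management host"))
    return alerts


# Constructed sample flows (not captured traffic).
T0 = datetime(2018, 4, 7, 3, 0, 0)
SAMPLE_FLOWS = [
    Flow(T0, "tcp", "10.0.0.5", "192.0.2.10", SMI_PORT),                             # admin host, expected
    Flow(T0 + timedelta(minutes=1), "tcp", "198.51.100.7", "192.0.2.10", SMI_PORT),  # outsider
    Flow(T0 + timedelta(minutes=2), "udp", "192.0.2.10", "198.51.100.7", TFTP_PORT), # switch talks TFTP to the outsider
    Flow(T0 + timedelta(minutes=3), "tcp", "203.0.113.9", "192.0.2.11", SMI_PORT),   # outsider, no follow-up
    Flow(T0 + timedelta(minutes=4), "udp", "192.0.2.12", "10.0.0.5", TFTP_PORT),     # routine TFTP to the admin host
]

if __name__ == "__main__":
    for a in find_smi_abuse(SAMPLE_FLOWS):
        print(f"{a.severity:6} {a.switch} <-> {a.peer}: {a.detail}")
```

The second rule is the one worth paging on: a switch opening TFTP to the same outside host that just spoke Smart Install to it matches the configuration exfiltration and image replacement described above, whereas a lone TCP/4786 session from outside is often just a scanner probing the port and is reported at lower severity.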
Shodan statistics reveal that over 165,000 exposed systems are running the Smart Install client on TCP port 4786. Since the feature is enabled by default, admins should make sure to limit access to it via interface access control lists. If the feature is not needed at all, it is better to disable it entirely with the “no vstack” configuration command; whether the client is still active can be confirmed afterwards with “show vstack config”.
Finally, even though the JHT hacks did not involve CVE-2018-0171, admins are still urged to apply the patch immediately.
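Whether a switch is actually covered can be audited from its configuration rather than by probing port 4786. The script below is an added example, not from the article or from Cisco; the sample configurations are constructed, the ACL name SMI-PROTECT and the management host 10.0.0.5 are assumptions, and the only controls taken from the article are “no vstack” and an interface ACL restricting TCP 4786:

```python
"""Audit an IOS running-config for Smart Install exposure.

Added example, not code from the article or from Cisco. The sample
configs are constructed; the ACL name and management host are assumptions.
"""
import re

# Default state: client enabled, no ACLs. Constructed, not real device output.
DEFAULT_CONFIG = """\
hostname access-sw1
!
interface GigabitEthernet1/0/1
 description uplink
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
!
end
"""

# Client left enabled but only the admin host may reach 4786 on Gi1/0/1;
# Gi1/0/2 has no inbound ACL at all.
ACL_ONLY_CONFIG = """\
hostname access-sw2
!
ip access-list extended SMI-PROTECT
 permit tcp host 10.0.0.5 any eq 4786
 deny tcp any any eq 4786
 permit ip any any
!
interface GigabitEthernet1/0/1
 ip access-group SMI-PROTECT in
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
!
end
"""

# Feature disabled outright.
HARDENED_CONFIG = """\
hostname access-sw3
!
no vstack
!
interface GigabitEthernet1/0/1
 description uplink
!
end
"""


def _blocks(config):
    """Yield (header, [indented lines]) for each top-level config block."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
        else:
            body.append(raw.strip())
    if header is not None:
        yield header, body


def _blocks_4786(acl_body):
    """True if a deny for TCP 4786 is reachable before any catch-all permit."""
    for line in acl_body:
        if re.search(r"^deny\s+tcp\b.*\beq 4786(\s|$)", line):
            return True
        if re.match(r"permit\s+(ip|tcp)\s+any\s+any(\s|$)", line):
            return False  # catch-all permit comes first, later deny is dead
    return False


def smart_install_status(config):
    """Classify a config as disabled, restricted or exposed."""
    vstack_disabled = False
    blocking_acls = set()
    interfaces = {}  # interface name -> inbound ACL name (or None)
    for header, body in _blocks(config):
        if header == "no vstack":
            vstack_disabled = True
        elif header.startswith("ip access-list extended "):
            if _blocks_4786(body):
                blocking_acls.add(header.split()[-1])
        elif header.startswith("interface "):
            acl = None
            for line in body:
                m = re.match(r"ip access-group (\S+) in$", line)
                if m:
                    acl = m.group(1)
            interfaces[header.split(None, 1)[1]] = acl

    # With the client disabled nothing listens on 4786, so no interface is exposed.
    exposed = [] if vstack_disabled else [
        name for name, acl in interfaces.items() if acl not in blocking_acls]
    status = "disabled" if vstack_disabled else ("restricted" if not exposed else "exposed")
    return {"status": status, "vstack_disabled": vstack_disabled,
            "blocking_acls": sorted(blocking_acls), "exposed_interfaces": exposed}


if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_CONFIG), ("acl-only", ACL_ONLY_CONFIG),
                      ("hardened", HARDENED_CONFIG)]:
        print(name, smart_install_status(cfg))
```

A device counts as protected only when “no vstack” is present or every interface carries an inbound ACL whose deny for port 4786 is reachable (not preceded by a catch-all permit); interfaces with no inbound ACL, or with one that never denies 4786, are listed as exposed, which is the gap an ACL-only approach tends to leave on a switch with many ports.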