CIA apparently knew and used zero-day Telnet vulnerability affecting up to 300 switches.
Cisco has warned customers that the Vault 7 files obtained by WikiLeaks contains critical device-affecting data on a vulnerability that could be affecting up to 300 of the company’s switches. As a result, users have been advised to disable Telnet immediately until a patch is available.
The Vault 7 leak released by WikiLeaks earlier this month details how the CIA hacks and exploits security deficiencies across a range of hardware devices and software. Initial investigations by tech companies were widely dismissive of the leaked data contained in the Vault 7 files, and were quick to point out the fact that many of the vulnerabilities were patched several years ago.
What that means however, is that the vulnerability found in some Cisco switches, could also be very old, and as such raises questions about the company’s security auditing processes. As such, the incident could be interpreted as a major embarrassment for the tech firm.
While the CIA has probably exploited the flaw, there is currently no known exploit being used in the ‘wild.’ Of course, now that the information is out there, that could change very quickly.
The problem resides in the Cluster Management Protocol in the Cisco IOS, the operating system software that runs the devices. The exploit uncovered in the Vault 7 leak, is essentially a workaround that bypasses Cisco security measures that should enable users to restrict the use of Telnet.
“The Cluster Management Protocol [CMP] utilises Telnet internally as a signalling and command protocol between cluster members,” says the advisory released by Cisco. “This vulnerability was found during the analysis of documents related to the Vault 7 disclosure…The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and the incorrect processing of malformed CMP-specific Telnet options…An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device.”
Cisco do not currently have a patch for the vulnerability yet. Users are instead advised to completely disable Telnet, and use SSH instead. While this temporary solution does stop the exploit from being, well, exploited, it is as my friend who works in IT said, “annoying, time consuming, and a real f****** pain.”
In total, the vulnerability affects 264 Catalyst switches, 51 Ethernet switches and three other devices.