[German]If you administrate Cisco switches in your corporate environment, it’ time for an update. There is a vulnerability in several Cisco switch models that makes the devices vulnerable to remote attacks.
Embedi security researchers have discovered a critical vulnerability in Cisco IOS software and Cisco IOS XE software that could allow an unauthenticated remote attacker to execute arbitrary code. This includes the ability to take full control of vulnerable network devices and intercept traffic.
Remote Code Execution vulnerability (CVE-2018-0171)
The stack overflow vulnerability (CVE-2018-0171) is caused by improper validation of package data in the Smart Install Client. This is a plug-and-play configuration and image management feature that helps administrators easily deploy (client) network switches.
Embedi published technical details and proof-of-concept (PoC) code after Cisco released updates. To exploit this vulnerability, an attacker must send a configured Smart Install message to an affected device on TCP port 4786, which is open by default. The following video shows such an attack.
Researchers found a total of 8.5 million open-port devices on the Internet, making about 250,000 unpatched devices accessible to hackers. This Remote Code Execution vulnerability is evaluated in the Common Vulnerability Scoring System (CVSS) value of 9.8 (critical).
his vulnerability affects the Cisco switches listed below:
- Catalyst 4500 Supervisor Engines
- Catalyst 3850 Series
- Catalyst 3750 Series
- Catalyst 3650 Series
- Catalyst 3560 Series
- Catalyst 2960 Series
- Catalyst 2975 Series
- IE 2000
- IE 3000
- IE 3010
- IE 4000
- IE 4010
- IE 5000
- SM-ES2 SKUs
- SM-ES3 SKUs
- SM-X-ES3 SKUs