Remote unauthenticated OS re-install is a feature, not a bug, says Cisco

If you think bad guys could abuse the Smart Install protocol, just turn it off


Cisco's taken umbrage at accusations that its Smart Install (SMI) protocol is vulnerable to abuse.

The problem – if there is one, because “it's a feature, not a bug” – is that if netadmins are using SMI to auto-configure switches installed in branch offices they need to know it doesn't enforce authentication.

If an attacker changes the startup-config file, they can do all manner of fun things: force a reload, change the IOS image, or execute privileged commands.

As Switchzilla says in its advisory: “Cisco does not consider this a vulnerability in Cisco IOS, IOS XE, or the Smart Install feature itself but a misuse of the Smart Install protocol, which does not require authentication by design”.

Cisco's point is that SMI isn't meant for day-to-day use: it's there to support sysadmins who want to ship a switch to a branch office, and have an Integrated Branch Director (in a router) push configuration to it.

“The director provides a single management point for images and configuration of client switches. When a client switch is first installed into the network, the director automatically detects the new switch and identifies the correct Cisco IOS image and the configuration file for downloading. It can also allocate an IP address and hostname to a client.”

Obviously, if you're not using SMI, the advice is to turn it off. If you're using it for zero-touch deployment, turn it off once the switch is live; and if you want to leave it enabled after install, implement access control lists and (if available) control plane policing.
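As an added example (not code from the article or from Cisco), here is a small Python audit that applies that advice to saved running-configs: it reports whether Smart Install has been disabled with `no vstack`, left on but filtered by an inbound ACL, or left on and reachable. The sample configs, the ACL name BLOCK-SMI and the director address 10.0.0.5 are constructed; the TCP port 4786 comes from Cisco's Smart Install documentation rather than from this article.

```python
import re

# Constructed running-config excerpts for illustration (not from the article).
SMI_DEFAULT = "hostname branch-sw1\n!\ninterface GigabitEthernet1/0/1\n description uplink\n!\nend\n"
SMI_DISABLED = "hostname branch-sw2\n!\nno vstack\n!\nend\n"
SMI_FILTERED = """hostname branch-sw3
!
ip access-list extended BLOCK-SMI
 permit tcp host 10.0.0.5 any eq 4786
 deny tcp any any eq 4786
 permit ip any any
!
interface GigabitEthernet1/0/1
 ip access-group BLOCK-SMI in
!
end
"""

SMI_PORT = "4786"  # Smart Install TCP port (Cisco documentation; not stated in the article)

def parse_extended_acls(config):
    """Map each extended ACL name to its entries (IOS indents entries by one space)."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and line.startswith(" "):
            acls[current].append(line.strip())
        else:
            current = None
    return acls

def audit_smart_install(config):
    """Classify a switch config as 'disabled', 'filtered' or 'exposed'."""
    # Smart Install (vstack) stays on unless 'no vstack' is set globally.
    if any(line.strip() == "no vstack" for line in config.splitlines()):
        return "disabled"
    applied = set(re.findall(r"^ ip access-group (\S+) in$", config, re.M))
    for name, entries in parse_extended_acls(config).items():
        if name in applied and any(
                re.match(rf"deny tcp .* eq {SMI_PORT}$", e) for e in entries):
            return "filtered"  # still enabled, but the SMI port is ACL-restricted
    return "exposed"  # enabled and reachable: the misuse case the advisory describes

if __name__ == "__main__":
    for label, cfg in [("default", SMI_DEFAULT), ("disabled", SMI_DISABLED), ("filtered", SMI_FILTERED)]:
        print(label, "->", audit_smart_install(cfg))
```

The check assumes an IOS release that accepts `no vstack`; on images without that command only the ACL and control-plane-policing route remains, and a "filtered" verdict here says nothing about CoPP, which this script does not inspect.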

Cisco notes the possibility of SMI protocol misuse was reported to it by Brian Martin at Tenable Network Security, Daniel Turner of Trustwave SpiderLabs, and Alexander Evstigneev and Dmitry Kuznetsov of Digital Security. ®


Biting the hand that feeds IT © 1998–2022