Cisco mess from 2017 becomes tool for state-sponsored infrastructure attacks and defacements

Sigh. 160,000 un-patched boxen await p0wnage

Cisco's Smart Install software has become the vector for a series of infrastructure attacks and politically-motivated defacements.

Cisco's own Talos security limb reports that bad actors, some likely state-supported, have been scanning Switchzilla devices to see if they run Smart Install. The tool is insecure-by design because its purpose is to allow deployment of brand-new switches to remote sites. Those switches are therefore insecure as they await proper configuration.

Or improper configurations: Cisco has previously explained that potential attacks reached all the way up to replacing the IOS operating system image (if the attacker had the resources to create their own IOS-like image).

Because of those dangers and because many users forgot to turn Smart Install off, Cisco last year released a tool to shut it down. But Talos says about 160,000 devices still run the software and some are under attack.

Traffic probing for Smart Install - Talos

Talos is seeing increasing probes for the Smart Install client

Kaspersky Lab thinks it's found evidence of those attacks. The company has reported that parties are replacing Cisco switches firmware so they boot up with the message "Do not mess with our elections” and an ASCII art United States flag. The attack also bricks the device.

Talos has reminded users how to see if a switch is running Smart Install:

switch#show vstack config | inc Role
Role: Client (SmartInstall enabled)

Talos has also advised that you can switch off Smart Install with the no vstack command or by using an access control list to limit access to Smart Install. Or you could use Cisco's patch from 2017, which it seems a remarkable number of people did not deploy! ®

Similar topics

Narrower topics

Other stories you might like

Biting the hand that feeds IT © 1998–2022