Cisco mess from 2017 becomes tool for state-sponsored infrastructure attacks and defacements

Sigh. 160,000 un-patched boxen await p0wnage


Cisco's Smart Install software has become the vector for a series of infrastructure attacks and politically-motivated defacements.

Cisco's own Talos security limb reports that bad actors, some likely state-supported, have been scanning Switchzilla devices to see if they run Smart Install. The tool is insecure by design because its purpose is to allow deployment of brand-new switches to remote sites. Those switches are therefore insecure as they await proper configuration.

Or improper configurations: Cisco has previously explained that potential attacks reached all the way up to replacing the IOS operating system image (if the attacker had the resources to create their own IOS-like image).

Because of those dangers and because many users forgot to turn Smart Install off, Cisco last year released a tool to shut it down. But Talos says about 160,000 devices still run the software and some are under attack.

[Figure: Traffic probing for Smart Install (source: Talos). Caption: Talos is seeing increasing probes for the Smart Install client]

Kaspersky Lab thinks it's found evidence of those attacks. The company has reported that parties are replacing Cisco switches' firmware so they boot up with the message "Do not mess with our elections" and an ASCII art United States flag. The attack also bricks the device.

Talos has reminded users how to see if a switch is running Smart Install:

switch#show vstack config | inc Role
Role: Client (SmartInstall enabled)

Talos has also advised that you can switch off Smart Install with the no vstack command or by using an access control list to limit access to Smart Install. Or you could use Cisco's patch from 2017, which it seems a remarkable number of people did not deploy! ®
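To run the Talos check across a fleet rather than one switch at a time, the added example below (not from Talos, Cisco or the original article) parses a collected session log of `show vstack config | inc Role` output and lists the switches that still need `no vstack` or an ACL. The hostnames and log are constructed, and the "SmartInstall disabled" wording and the IOS rejection message for unsupported platforms are assumptions about output the article does not show.

```python
import re

# Constructed sample: one session log gathered from several switches.
# Hostnames are made up; only the "SmartInstall enabled" line appears in the article.
SAMPLE_LOG = """\
edge-sw01#show vstack config | inc Role
 Role: Client (SmartInstall enabled)
edge-sw02#show vstack config | inc Role
 Role: Client (SmartInstall disabled)
core-sw01#show vstack config | inc Role
                   ^
% Invalid input detected at '^' marker.
branch-sw07#show vstack config | inc Role
Role: Client (SmartInstall enabled)
"""

# A prompt line starts a new device section: "<hostname>#show vstack config ..."
PROMPT = re.compile(r"^(?P<host>[\w.\-]+)#\s*show vstack config\b", re.I)
# "Role: <role> (<state text>)"; the parenthesised state is optional.
ROLE = re.compile(r"^\s*Role:\s*(?P<role>\w+)(?:\s*\((?P<state>[^)]*)\))?", re.I)


def audit(log):
    """Return {hostname: status}; status is enabled, disabled, review or no-output."""
    results = {}
    host = None
    for line in log.splitlines():
        m = PROMPT.match(line)
        if m:
            host = m.group("host")
            results[host] = "no-output"  # stays so if no Role line follows
            continue
        m = ROLE.match(line)
        if host and m:
            state = (m.group("state") or "").lower()
            if "disabled" in state:
                results[host] = "disabled"
            elif "enabled" in state:
                results[host] = "enabled"
            else:
                results[host] = "review"  # Role line without an explicit state
    return results


def needs_action(results):
    """Switches to fix now (enabled) or inspect by hand (review), sorted by name."""
    return sorted(h for h, s in results.items() if s in ("enabled", "review"))


if __name__ == "__main__":
    for name in needs_action(audit(SAMPLE_LOG)):
        print(name)
```

Devices reported as `no-output` did not return a Role line, so confirm separately whether they support Smart Install at all.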

Biting the hand that feeds IT © 1998–2022