Ironically Positive Fallout from Vault-7: Cisco Vault-7 CVE-2017-3881

A vulnerability affecting more than 300 different Cisco router SKUs was discovered by Cisco in the Wikileaks Vault-7 dump of classified CIA hacking tools and tactics used to gain unauthorized access to iPhone and Android devices, multiple web browsers, operating systems, vehicles, and more. Wikileaks initially released the first full part of the series, dubbed “Year Zero”, on March 7th 2017 in a press release that included its own analysis on its website. The Vault-7 analysis by Wikileaks included multiple examples of attack methodologies and tools to be used in a variety of scenarios, but the examples included no mention of Cisco.

It was actually Cisco’s own security researchers who analyzed the content of the Vault-7 documents and came across the critical vulnerability that, when exploited, could lead to unauthenticated remote code execution. Cisco released an advisory for the critical vulnerability on March 17th with a list of the 318 products affected.

The Vulnerability

The vulnerability itself affects Cisco Management Protocol (CMP) in both Cisco IOS and Cisco IOS XE software. Essentially, Cisco Management Protocol communicates internally by using telnet services. The vulnerability is triggered by a combination of two issues. First, malformed CMP-related telnet options aren’t processed correctly. Second, there’s a failure to restrict the use of these CMP-related options to internal/local communications within the cluster. This means a vulnerable device will accept and process these CMP-related telnet options from any telnet connection, assuming one is able to reach it.

Patch Status at Posting

As of March 21st, Cisco has no update available, but Cisco has released two modifications you can make to mitigate or reduce the attack surface. One method consists of fully disabling telnet and switching to SSH, which mitigates the vulnerability fully. If switching to SSH isn’t possible, Cisco recommends implementing infrastructure access control lists (iACLs) to help reduce the attack surface.

Exploiting this bug would require some kind of access to the internal network services, whether through misconfiguration or through a compromise of web services, in order to reach an affected device. Still, the fact that an unauthenticated remote attacker could force a reload of the device and escalate privileges, gaining code execution on hundreds of affected Cisco products, should be enough to get the attention of any network admin using Cisco devices.

Exploit Update

At the moment, there is no exploit code in the wild available for the attack, but that doesn’t mean an attack like this could never happen. A skilled attacker could easily use an already compromised website’s telnet client to breach the router and move laterally through the network, given the know-how and the details already available for the attack.

Mitigation Recommendations for Customers

Customers should ensure their Cisco device management network is not exposed to the public Internet, and access via unencrypted telnet should be disabled or not exposed on a public interface – a standard security best practice.
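
An added example (not from the original post or from Cisco): a Python check that scans a saved IOS running-config for vty lines that still accept telnet, the exposure that the telnet-to-SSH mitigation under "Patch Status at Posting" and the recommendation above are meant to remove. The config text is constructed, and treating a vty block with no "transport input" statement as telnet-allowed is an assumption made so that such lines get reviewed.

```python
import re

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
hostname lab-switch
!
line con 0
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
line vty 16 31
 login local
!
end
"""

def audit_vty_telnet(config_text, default_transport=("all",)):
    """Return [(vty_range, reason)] for vty blocks that accept telnet."""
    # default_transport is applied when a block has no 'transport input'
    # statement. Assumption: the permissive value, so the line is flagged.
    findings = []
    current = None      # vty range being parsed, e.g. "0 4"
    transport = None    # protocols named by 'transport input', or None

    def close_block():
        if current is None:
            return
        protos = transport if transport is not None else tuple(default_transport)
        if "telnet" in protos or "all" in protos:
            why = "explicit" if transport is not None else "no transport input statement"
            findings.append((current, why))

    for raw in config_text.splitlines():
        m = re.match(r"^line vty (\d+(?: \d+)?)\s*$", raw)
        if m or not raw.startswith(" "):
            # Any non-indented line ends the vty block being parsed.
            close_block()
            current = m.group(1) if m else None
            transport = None
        elif current is not None:
            t = re.match(r"^\s+transport input (.+?)\s*$", raw)
            if t:
                transport = tuple(t.group(1).split())
    close_block()
    return findings

if __name__ == "__main__":
    for vty, why in audit_vty_telnet(SAMPLE_CONFIG):
        print(f"line vty {vty}: telnet accepted ({why})")
```

Pass default_transport=("ssh",) when auditing a release whose vty default is known to exclude telnet.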

Alert Logic Coverage

Alert Logic vulnerability scanning already reports any exposed telnet to the customer in the normal course of the service.

About the Author

Joseph Hitchcock - Technical Security Evangelist


Joe Hitchcock is passionate when it comes to system and network security. Initially self-taught, he started working as an independent contractor for small businesses doing malware removal and perimeter security. He started at Alert Logic in 2011 as a Network Security Analyst analyzing threat traffic and other attacks. Afterwards, he worked in Security Research and eventually became one of the first Analysts to work on the Web Security team supporting Web Security Manager WAF. He was eventually promoted to a Senior Web Security Analyst where his job included building custom security policies, researching new web attacks and adding custom signatures to better WSM detection.
