Cisco Systems said that more than 300 models of switches it sells contain a critical vulnerability that allows the CIA to use a simple command to remotely execute malicious code that takes full control of the devices. There currently is no fix.
Cisco researchers said they discovered the vulnerability as they analyzed a cache of documents that are believed to have been stolen from the CIA and published by WikiLeaks two weeks ago. The flaw, found in at least 318 switches, allows remote attackers to execute code that runs with elevated privileges, Cisco warned in an advisory published Friday. The bug resides in the Cisco Cluster Management Protocol (CMP), which uses the telnet protocol to deliver signals and commands on internal networks. It stems from a failure to restrict telnet options to local communications and the incorrect processing of malformed CMP-only telnet options.
“An attacker could exploit this vulnerability by sending malformed CMP-specific telnet options while establishing a telnet session with an affected Cisco device configured to accept telnet connections,” the advisory stated. “An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device.”
Compounding the risk, vulnerable switches will process CMP-specific telnet options by default, “even if no cluster configuration commands are present on the device configuration,” the advisory warned. The vulnerability mostly affects Cisco Catalyst switches but is also found in Industrial Ethernet switches and embedded services. Cisco plans to release a fix at an unspecified date.
While Friday’s advisory said there are “no workaround that address this vulnerability,” it did say the vulnerability was active only when buggy devices were configured to accept incoming telnet connections. Disabling telnet as a means for receiving incoming connections eliminates the threat, and Cisco has provided instructions for disabling telnet. Cisco switch users who aren’t willing to disable telnet can lower the risk of exploits by using an access control list to restrict the devices that are permitted to send and receive telnet commands.
Cisco’s advisory is among the first from a major electronics manufacturer to warn that its products are vulnerable to exploits discussed in Vault 7, the name WikiLeaks gave to thousands of pages of documents it said were leaked from the CIA. The cache appears to have come from an internal Wiki made available to CIA insiders. In it, the members discuss various exploits and the vulnerabilities they target in products from Apple, Microsoft, Samsung, Cisco, and others.
Documents published so far don’t appear to explicitly discuss technical details of the vulnerabilities or how to exploit them. Last week, WikiLeaks founder Julian Assange vowed he would privately disclose those details to manufacturers so they would have time to fix them before the vulnerabilities became widely known. According to Motherboard, WikiLeaks has yet to provide any such details and instead has made only unspecified demands.
The full list of affected Cisco switches can be found here.