Cisco Systems said that more than 300 models of switches it sells
contain a critical vulnerability that allows the CIA to use a simple
command to remotely execute malicious code that takes full control of
the devices. There currently is no fix.
Cisco researchers said they discovered the vulnerability as they
analyzed a cache of documents that are believed to have been stolen from
the CIA and published by WikiLeaks two weeks ago. The flaw, found in at
least 318 switches, allows remote attackers to execute code that runs
with elevated privileges, Cisco warned in an advisory published Friday.
The bug resides in the Cisco Cluster Management Protocol (CMP), which
uses the telnet protocol to deliver signals and commands on internal
networks. It stems from a failure to restrict telnet options to local
communications and the incorrect processing of malformed CMP-only telnet
“An attacker could exploit this vulnerability by sending malformed
CMP-specific telnet options while establishing a telnet session with an
affected Cisco device configured to accept telnet connections,” the
advisory stated. “An exploit could allow an attacker to execute
arbitrary code and obtain full control of the device or cause a reload
of the affected device.”
Compounding the risk, vulnerable switches will process CMP-specific
telnet options by default, “even if no cluster configuration commands
are present on the device configuration,” the advisory warned. The
vulnerability mostly affects Cisco Catalyst switches but is also found
in Industrial Ethernet switches and embedded services. Cisco plans to
release a fix at an unspecified date.
While Friday’s advisory said there are “no workarounds that
address this vulnerability,” it did say the vulnerability was active
only when buggy devices were configured to accept incoming telnet
connections. Disabling incoming telnet connections eliminates the threat,
and Cisco has provided instructions for disabling telnet. Cisco switch
users who aren’t willing to disable telnet can lower the risk of
exploits by using an access control list to restrict the devices that
are permitted to send and receive telnet commands.
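As an added example (not from the article or from Cisco), a small Python check that audits an IOS-style running-config for the two mitigations described above: vty lines that still accept telnet, and whether an inbound access-class limits them. The sample configs, the ACL name MGMT-HOSTS and the treatment of an unset `transport input` are constructed assumptions.

```python
import re
# Constructed sample configs (not from the article or from Cisco). The hardened
# one applies both mitigations: SSH-only vty lines plus an inbound access-class.
WEAK_CONFIG = """\
line vty 0 4
 transport input all
line vty 5 15
 access-class MGMT-HOSTS in
 transport input telnet ssh
"""
HARDENED_CONFIG = """\
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
"""
VTY = re.compile(r"^line vty (\d+) (\d+)$")

def vty_sections(config):
    """Map each 'line vty A B' block to the indented commands under it."""
    sections, current = {}, None
    for raw in config.splitlines():
        m = VTY.match(raw)
        if m:
            current = f"line vty {m.group(1)} {m.group(2)}"
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.strip():
            current = None  # any other top-level command ends the block
    return sections

def audit_vty(config):
    """Return (vty range, severity, detail) for each range that still accepts telnet."""
    findings = []
    for rng, cmds in vty_sections(config).items():
        transports, acl = None, None
        for cmd in cmds:
            if cmd.startswith("transport input "):
                transports = set(cmd.split()[2:])
            elif cmd.startswith("access-class ") and cmd.endswith(" in"):
                acl = cmd.split()[1]
        # Assumption: no 'transport input' means a platform default that may include telnet.
        telnet = transports is None or bool(transports & {"telnet", "all"})
        how = "transport input " + " ".join(sorted(transports)) if transports else "platform default"
        if telnet:
            sev, note = ("medium", f"limited by access-class {acl}") if acl else ("high", "no inbound access-class")
            findings.append((rng, sev, f"telnet accepted ({how}); {note}"))
    return findings
```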