An internet-wide scan reveals that 250,000 vulnerable devices are exposed and 8.5 million devices have the vulnerable port open.
Researchers found a stack-based buffer overflow vulnerability in the Cisco switches' Smart Install Client code that allows an attacker to remotely execute arbitrary code without any authentication.
Smart Install is a Cisco switch feature that provides plug-and-play configuration and image management.
This feature lets a switch be shipped to a location, placed in the network and powered on with no configuration required on the device and no administrator on site; it also provides configuration backup.
The Director acts as the single point of management for the images and configurations of client switches, and clients connect to the Director either directly or indirectly.
The critical vulnerability that was discovered resides in the code of the Cisco switches' Smart Install Client.
Vulnerability Description in Cisco Switches
According to Embedi, the SMI IBC Server Process contains the Smart Install Client implementation. The Smart Install Client starts a server on TCP port 4786 (opened by default) to interact with the Smart Install Director.
A stack-based buffer overflow occurs when this server processes a specially crafted malicious ibd_init_discovery_msg message; the overflow takes place in the function smi_ibc_handle_ibd_init_discovery_msg.
Two Attack Conditions
1. Reset or change the enable password to enter privileged EXEC mode.
2. Intercept traffic between other devices connected to the switch and the Internet.
Check the equipment for vulnerability
Users can check for the vulnerability by performing a simple network scan with Nmap for Cisco network equipment that has the port open:
nmap -p T:4786 192.168.1.0/24
Also, to check whether the network equipment is of the Smart Install Client type, enter the following commands:
switch>show vstack config
Role: Client (SmartInstall enabled)
Vstack Director IP address: 0.0.0.0
switch>show tcp brief all
TCB       Local Address   Foreign Address   (state)
0344B794  *.4786          *.*               LISTEN
0350A018  *.443           *.*               LISTEN
03293634  *.443           *.*               LISTEN
03292D9C  *.80            *.*               LISTEN
03292504  *.80            *.*               LISTEN
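The two CLI checks above can be automated across an inventory of switches. The following is an added example (not Cisco's or Embedi's code) that parses captured output of show vstack config and show tcp brief all and reports whether a device is a Smart Install Client with the TCP 4786 listener up; the sample output is constructed from the listing above for a hypothetical device.

```python
import re

# Constructed sample output, shaped like the page's "show vstack config" listing
VSTACK_CONFIG = """Role: Client (SmartInstall enabled)
Vstack Director IP address: 0.0.0.0
"""

# Constructed sample output, shaped like the page's "show tcp brief all" listing
TCP_BRIEF = """TCB       Local Address   Foreign Address   (state)
0344B794  *.4786          *.*               LISTEN
0350A018  *.443           *.*               LISTEN
03292D9C  *.80            *.*               LISTEN
"""

SMI_PORT = 4786  # Smart Install Client listener, open by default

def smart_install_enabled(vstack_output: str) -> bool:
    """True when 'show vstack config' reports the Client role with Smart Install enabled."""
    return re.search(r"Role:\s*Client\s*\(SmartInstall enabled\)", vstack_output) is not None

def listening_ports(tcp_brief_output: str) -> set:
    """Collect local TCP ports in LISTEN state from 'show tcp brief all' output.

    Each data row is: <hex TCB> <local addr.port> <foreign addr.port> <state>.
    The header row starts with 'TCB', which is not hex, so it is skipped."""
    ports = set()
    for line in tcp_brief_output.splitlines():
        m = re.match(r"^\s*[0-9A-Fa-f]+\s+(\S+)\s+(\S+)\s+LISTEN\s*$", line)
        if m:
            # Local address is "*.4786" or "10.0.0.1.4786"; the port is the last dotted field
            ports.add(int(m.group(1).rsplit(".", 1)[1]))
    return ports

def assess(vstack_output: str, tcp_brief_output: str) -> dict:
    """Combine both checks: a device is exposed only if it is an enabled
    Smart Install Client AND the 4786 listener is actually up."""
    enabled = smart_install_enabled(vstack_output)
    listening = SMI_PORT in listening_ports(tcp_brief_output)
    return {
        "smart_install_client": enabled,
        "port_4786_listening": listening,
        "exposed": enabled and listening,
    }

if __name__ == "__main__":
    print(assess(VSTACK_CONFIG, TCP_BRIEF))
```

Devices reported as exposed need Cisco's fix; where Smart Install is not in use, disabling it with "no vstack" in global configuration removes the listener.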
Affected Cisco Switches
- Catalyst 4500 Supervisor Engines
- Catalyst 3850 Series
- Catalyst 3750 Series
- Catalyst 3650 Series
- Catalyst 3560 Series
- Catalyst 2960 Series
- Catalyst 2975 Series
- IE 2000
- IE 3000
- IE 3010
- IE 4000
- IE 4010
- IE 5000
- SM-ES2 SKUs
- SM-ES3 SKUs
- SM-X-ES3 SKUs
This flaw has been fixed by Cisco, which has released a patch. CVE: CVE-2018-0171