Talos flags a security issue on Cisco's Smart Install clients

Cisco Talos warned its users about attackers who use publicly available tool to have unauthenticated access to customer configuration details in Cisco' s Smart Install. The team at Talos fears that the attackers use an app which goes by the name Smart Install Exploitation Tool, a tool available on Github, for scanning the clients.

Also, Talos believes that the attackers may possess good knowledge of Smart Install Protocol which helps them to fish out customer configurations from affected devices.

Cisco Smart Install is a component of the Cisco Smart Operations solution that helps manage LAN switches.

The attack leverages a known issue with the Smart Install protocol. Cisco PSIRT has published a security response to this activity. Abuse of the Smart Install protocol can lead to modification of the TFTP server setting, exfiltration of configuration files via TFTP, replacement of IOS image and potentially execution of IOS commands,” Talos reported.

Although, cisco does not consider the issue as an actual vulnerability, it is seen as a misuse of the Smart Install protocol, which does not require authentication by design and the company has updated the Smart Install Configuration Guide to include best security practices.

Tag : Cisco Packet Tracer
FAQ
Q
What Can I Do for the identify vulnerable systems?
A
To Identify vulnerable systems in your environment and patch them as soon as possible. If you have any SMI endpoints indirectly connected to the internet, you should disable SMI as soon as possible and leave it disabled.

Metasploit users can identify Smart Install endpoints with the auxiliary/scanner/misc/cisco_smart_install module.
Q
What’s Impacted?
A
This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS or IOS XE Software and have the Smart Install client feature enabled.

Only Smart Install client switches are affected by the vulnerability that is described in this advisory. Cisco devices that are configured as a Smart Install director are not affected by this vulnerability.
Q
What is a security issue on the Cisco smart install?
A
The attack leverages a known issue with the Smart Install protocol. Cisco PSIRT has published a security response to this activity. Abuse of the Smart Install protocol can lead to modification of the TFTP server setting, exfiltration of configuration files via TFTP, replacement of IOS image and potentially execution of IOS commands,&rdquo Talos reported.
Q
What is Cisco Talos?
A
Cisco Talos warned its users about attackers who use publicly available tool to have unauthenticated access to customer configuration details in Cisco' s Smart Install. The team at Talos fears that the attackers use an app which goes by the name Smart Install Exploitation Tool, a tool available on Github, for scanning the clients.
Cisco Smart Install is a component of the Cisco Smart Operations solution that helps manage LAN switches.
Q
What is the Smart Install Deployment Risk?
A
Cisco Smart Install is a legacy feature that provides zero-touch deployment for new switches, typically access layer switches, and incorporates no authentication by design. Newer technology, such as the Cisco Network Plug and Play feature, is highly recommended for more secure setup of new switches.
A Smart Install network consists of one Smart Install Director switch or router, also known as the Integrated Branch Director (IBD), and one or more Smart Install Client switches, also known as Integrated Branch Clients (IBCs).