villaworx.blogg.se

Cisco no vstack
Cisco PSIRT has become aware of attackers potentially abusing the Smart Install (SMI) feature in Cisco IOS and IOS XE Software. While this is not considered a vulnerability, PSIRT published a Cisco Security Response in February to inform customers about possible abuse of the Smart Install feature if it remains enabled after device installation. The Security Response also provides guidance on actions customers should consider to protect their networks against abuse of this setup feature.

New tools: The Cisco Talos group has developed a tool that customers can use to scan for devices that have the Smart Install feature enabled in their environment. Just scanning for TCP port 4786 being open is not sufficient, as this port is used by other protocols as well and might thus result in false positives. Cisco has also published a new IPS signature and new Snort rules that help detect the use of Smart Install protocol messages in customer networks. For more information, see Cisco Coverage for Smart Install Client Protocol Abuse.

Mitigation: If customers find devices in their network that continue to have the Smart Install feature enabled, Cisco strongly recommends that they disable the Smart Install feature with the no vstack configuration command. Otherwise, customers should apply the appropriate security controls for the Smart Install feature and their environment. The recommendations noted below and in the Security Response will avoid the risk of attackers abusing this feature.

Details

Cisco Smart Install is a legacy feature that provides zero-touch deployment for new switches, typically access layer switches. The feature has been designed for use within the local customer network and should not be exposed to untrusted networks. A Smart Install network consists of one Smart Install director switch or router, also known as the integrated branch director (IBD), and one or more Smart Install client switches, also known as integrated branch clients (IBCs). Newer technology, such as the Cisco Network Plug and Play feature, is recommended for more secure setup of new switches, though the Smart Install feature remains an option for platforms that do not currently support the Cisco Network Plug and Play feature.

Only Smart Install client switches are affected by the abuse described in this document. The Smart Install feature is enabled by default on client switches, and no configuration is needed on them. The following example shows the output of the show vstack config command in a Cisco Catalyst switch with the Smart Install client feature enabled; this is the only output that indicates that the Smart Install client feature is enabled:

switch#show vstack config | inc Role

If left enabled on IBCs, the absence of an authorization or authentication mechanism in the Smart Install (SMI) protocol used by Smart Install clients and a Smart Install director could allow an attacker to send crafted SMI protocol messages as if those messages were sent from the Smart Install director. This could allow the attacker to perform any of the following actions on a targeted system:

  • Change the TFTP server address on an IBC.
  • Copy arbitrary¹ files from the IBC to an attacker-controlled TFTP server.
  • Substitute a client's startup-config file with a file that the attacker prepared, and force a reload of that IBC after a defined time interval.
  • Load an attacker-supplied IOS Software image onto an IBC.
  • Execute high-privilege configuration mode CLI commands on an IBC, including "do-exec" CLI commands. This is possible only in Cisco IOS Software releases 15.2(2)E and later, and Cisco IOS XE Software releases 3.6.0E and later. Any output of or prompt resulting from the command(s) run will appear on the IBC's local console.

¹ Any file from any file system that can be accessed via the regular copy command on the IOS or IOS XE CLI.

Recommendations

If the management IP address of a client switch is exposed to the Internet, an attacker could abuse Smart Install features remotely. To mitigate the risk of abuse, Cisco recommends that customers implement the security best practices discussed in the following documents:

  • Cisco Smart Install Configuration Guide.
  • Cisco Security Response: Cisco Smart Install Protocol Misuse.

If write operations are induced via the Smart Install feature and the logging level is set to 6 (informational) or higher, messages will appear in the logs. Cisco recommends that customers look for access from external IP addresses. There are no indicators of an attacker changing the TFTP server address or of an attacker copying files off the device using Smart Install capabilities. If the startup-config is replaced, the following message is typically seen in the logs from the affected device:

%SMI-6-UPGRD_STARTED: Device (IP address: 0.0.0.0) startup-config upgrade has started
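The log-review advice above (watch for %SMI-6 messages, and treat ones whose embedded IP address is outside your management ranges as the higher-priority finding) can be turned into a small triage script. The following is an added example written for this page, not a Cisco tool; the only message format it takes from the advisory is %SMI-6-UPGRD_STARTED, the sample log lines are constructed, and the "internal" ranges default to RFC1918 on the assumption that switch management addresses live there (adjust INTERNAL_NETS to your own addressing).

```python
"""Triage an IOS / IOS XE syslog export for Smart Install (%SMI-*) messages.

Added example for this page (not a Cisco tool). The only message format taken
from the advisory is %SMI-6-UPGRD_STARTED; SAMPLE_LOG below is constructed.
Messages at severity 6 only appear when the logging level is informational (6)
or higher, so an empty result on a device logging at level 5 proves nothing.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Facility SMI, any severity and mnemonic, plus the free text after the colon.
SMI_RE = re.compile(r"%SMI-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<text>.*)")
# The "(IP address: x.x.x.x)" field embedded in the UPGRD_STARTED text.
IP_RE = re.compile(r"IP address:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Assumption: management addresses are RFC1918; anything else is "external".
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample lines in the advisory's message format (not real logs).
SAMPLE_LOG = """\
Mar  1 10:02:11.120: %SYS-5-CONFIG_I: Configured from console by console
Mar  1 10:05:43.901: %SMI-6-UPGRD_STARTED: Device (IP address: 0.0.0.0) startup-config upgrade has started
Mar  1 10:06:02.337: %SMI-6-UPGRD_STARTED: Device (IP address: 10.20.30.40) startup-config upgrade has started
Mar  1 10:07:15.004: %SMI-6-UPGRD_STARTED: Device (IP address: 203.0.113.77) startup-config upgrade has started
Mar  1 10:08:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
"""


def is_external(ip: str, internal=INTERNAL_NETS) -> bool:
    """True when the address is outside the configured internal ranges.
    0.0.0.0 (unspecified) and loopback are never reported as external."""
    addr = ipaddress.ip_address(ip)
    if addr.is_unspecified or addr.is_loopback:
        return False
    return not any(addr in net for net in internal)


def find_smi_events(log_text: str) -> List[Dict[str, object]]:
    """Return one record per %SMI-* line: severity, mnemonic, embedded IP
    (if any), whether that IP is external, and a short note for the analyst."""
    events: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = SMI_RE.search(line)
        if not m:
            continue
        ip: Optional[str] = None
        ipm = IP_RE.search(m.group("text"))
        if ipm:
            ip = ipm.group("ip")
        external = bool(ip) and is_external(ip)
        note = "startup-config replaced via Smart Install" if m.group("mnemonic") == "UPGRD_STARTED" else "Smart Install activity"
        if external:
            note += "; source address is outside internal ranges"
        events.append({
            "severity": m.group("severity"),
            "mnemonic": m.group("mnemonic"),
            "ip": ip,
            "external": external,
            "note": note,
            "line": line,
        })
    return events


def external_events(log_text: str) -> List[Dict[str, object]]:
    """Only the events a responder should look at first: external source IPs."""
    return [e for e in find_smi_events(log_text) if e["external"]]


if __name__ == "__main__":
    for e in find_smi_events(SAMPLE_LOG):
        flag = "!!" if e["external"] else "  "
        print(f"{flag} {e['mnemonic']:<14} {str(e['ip']):<15} {e['note']}")
```

Point the script at a real syslog export by replacing SAMPLE_LOG with the file contents; any %SMI line is worth a look because the feature should not be in use after deployment, and the external ones go to the top of the queue.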