Around three hundred of Cisco’s switch models such as Cisco Catalyst 2350-48TD-S, Cisco Catalyst 2350-48TD-SD, Cisco Catalyst 2360-48TD-S, Cisco Catalyst 2918-24TC-C, Cisco Catalyst 2918-24TT-C, Cisco Catalyst 2918-48TC-C, Cisco Catalyst 2918-48TT-C amongst others, have been affected by a vulnerability the CIA were well aware of. The networking company made this announcement while analysing the leaked Vault 7 CIA documents published by WikiLeaks – over 8,000 documents detailing hacking tools and methods used by the CIA for cyber spying.
The problem in Cisco’s switch models is housed in the Cluster Management Protocol’s code that is embedded in Cisco’s operating systems: the Cisco IOS and Cisco IOS XE.
Cisco says this vulnerability may allow a hacker to gain remote access to the machine. Moreover, the hacker will be able to shut it down, restart it, install and run a malicious code on a device with administrative rights that will further give the hacker full access. The Cluster Management Protocol allows switch clusters to exchange information between each other using Secure Shell (SSH) or Telnet protocols.
The Devil is in the Details
According to the company, the problem lies within the default settings of the affected devices. The flaw can be exploited during Telnet sessions negotiated over either IPv4 or IPv6.
The company says the vulnerability in the Cluster Management Protocol stems from two major problems. Firstly, the system does not restrict the use of CMP-specific Telnet options to cluster communication; rather, it accepts and processes those options on any Telnet connection to the device.
Secondly, the device incorrectly processes malformed Cluster Management Protocol options, which allows an attacker to take control of the affected switch models.
Furthermore, for the hacker to use the vulnerability to their advantage, all they need to do is send a “malformed Cluster Management Protocol with specific Telnet protocol options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections,” says the company.
This particular vulnerability gives the hackers the ability to install malicious code on the affected devices, whenever and wherever they want.
Disable Them for Now
The flaw, present in the default configuration, affects over 200 different Catalyst switches and more than fifty commercial Ethernet switches.
The company has yet to create a patch for this problem. However, Cisco is telling its customers to disable the flawed Telnet protocol and switch to the SSH protocol.
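The workaround described above, as an added illustration that is not taken from Cisco's advisory or from any Cisco documentation: the weak setting that leaves the VTY lines accepting Telnet, beside the hardened setting that accepts SSH only. It assumes standard Cisco IOS CLI syntax; the hostname, domain name, user name and secret are placeholders chosen for this example.

```cisco
! --- Weak setting (what the article warns about) ---
! Telnet is accepted on the VTY lines, so Telnet sessions, and the
! CMP-specific Telnet options they carry, reach the device from any peer.
line vty 0 15
 transport input telnet

! --- Hardened setting: Telnet disabled, SSH only ---
! Prerequisites for SSH: a hostname, a domain name and an RSA key pair.
! Placeholder values; replace them with your own.
hostname switch-example
ip domain-name example.invalid
crypto key generate rsa modulus 2048
ip ssh version 2
! Local account used for SSH logins (placeholder name and secret)
username netadmin privilege 15 secret REPLACE-WITH-STRONG-SECRET
line vty 0 15
 transport input ssh
 login local

! --- Verification ---
! Every VTY line should now show "transport input ssh" and nothing else.
show running-config | include transport input
! Confirms SSH is enabled and which version is in use.
show ip ssh
```

Applying the `transport input ssh` line is the part that removes the Telnet exposure; the remaining lines only make sure an SSH login path exists before Telnet is closed, so administrators are not locked out of the switch.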
Cisco has stated that they were unable to discover any working exploits that were created to use this flaw. However, if one is made or discovered, then there are going to be thousands of machines and businesses around the world that will end up hanging by a thread. As soon as the updated patch comes out, Cisco will update its IOS Software Checker along with it.