Hundreds of models of Cisco switches are vulnerable to a remote-code execution bug in the company’s IOS software that can be exploited with a simple Telnet command. The vulnerability was uncovered by Cisco researchers while analyzing the CIA hacking tool dump known as Vault 7.
The bug is rated critical, and an attacker who exploits it can take complete control of the target device. The flaw lies in the Cluster Management Protocol (CMP) used in IOS. Cisco said it is caused by incorrect processing of CMP-specific Telnet options, combined with the device accepting and processing those options from any Telnet connection.
“An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device,” the Cisco advisory says.
“CMP-specific Telnet options are processed by default, even if no cluster configuration commands are present on the device configuration. This vulnerability can be exploited during Telnet session negotiation over either IPv4 or IPv6. This vulnerability can only be exploited through a Telnet session established to the device—sending the malformed options on Telnet sessions through the device will not trigger the vulnerability.”
Cisco said that while there’s no patch available yet, disabling Telnet will eliminate the exploit vector. The vulnerability affects mainly Cisco Catalyst switches, but also some Industrial Ethernet switches and others. The company recommends that customers disable Telnet and enable SSH on affected switches.
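As an added illustration of the interim mitigation described above (this is not code from Cisco or from the article), the following Python audits a saved IOS running-config excerpt and reports which `line vty` blocks still accept Telnet. The configuration text is constructed for the example; the `transport input` keywords (`telnet`, `ssh`, `all`, `none`) are standard IOS line-configuration syntax.

```python
import re
from typing import List, Tuple

# Constructed running-config excerpt (not captured from any real device).
SAMPLE_CONFIG = """\
hostname sw-access-1
!
line con 0
 exec-timeout 5 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
"""

_TRANSPORT_RE = re.compile(r"^transport input\s+(.+)$")


def _vty_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split a running-config into ('line vty ...', [indented commands]) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            blocks.append((raw.strip(), []))
        elif raw.startswith(" ") and blocks and blocks[-1][0] == _last_line_header(blocks):
            blocks[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            # Any other top-level line ends the current block.
            blocks.append(("", [])) if False else None
    return [b for b in blocks if b[0]]


def _last_line_header(blocks) -> str:
    return blocks[-1][0]


def vty_telnet_findings(config: str) -> List[Tuple[str, str]]:
    """Return (vty block, verdict) for each vty block in the config.

    'telnet-allowed'  : transport input lists telnet or all
    'telnet-disabled' : transport input present, without telnet/all
    'unspecified'     : no transport input line; the platform default applies
                        and must be verified on the device itself
    """
    findings = []
    for header, cmds in _vty_blocks(config):
        verdict = "unspecified"
        for cmd in cmds:
            m = _TRANSPORT_RE.match(cmd)
            if m:
                tokens = set(m.group(1).split())
                verdict = "telnet-allowed" if tokens & {"telnet", "all"} else "telnet-disabled"
        findings.append((header, verdict))
    return findings
```

Any block reported as `telnet-allowed` should be changed to `transport input ssh` once SSH is configured; `unspecified` blocks need the platform default checked on the device.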
In its advisory, Cisco said that the vulnerability was identified “during the analysis of documents related to the Vault 7 disclosure.” The documents known as Vault 7 were published two weeks ago and included thousands of pages of information on tools and techniques used by the CIA for offensive hacking operations. The release contains extensive detail on attack techniques and on the devices and software targeted, and technology vendors whose products appear in the documents have been working to determine whether vulnerabilities remain in their products.
Few vendors have said anything publicly about the documents, although Apple released a statement shortly after the Vault 7 dump, saying that most of the bugs in its products mentioned in the documents had already been patched. Cisco did not say in its advisory when it would issue a patch for the CMP vulnerability.