Smart Install Remote Command Execution Vulnerability: A Self-Examination Guide
On March 28, 2018, Cisco issued a security advisory regarding multiple remote code execution vulnerabilities in its IOS and IOS XE software, including a critical vulnerability in the Smart Install feature, identified as CVE-2018-0171. This vulnerability allows an attacker, without authorization, to reload the equipment, causing a denial of service condition, or to execute code remotely.
Self-Examination Methods
To determine if your equipment is affected by this vulnerability, you can use one of the following methods:
Method 1: Utilize the Mingjian Remote Security Assessment System
You can purchase the Mingjian Remote Security Assessment System and use it to scan and self-examine your product for vulnerabilities.
Method 2: Contact Hengxin for Free Checking and Vulnerability Detection
Alternatively, you can contact Hengxin’s official website customer service to obtain a free checking and vulnerability detection tool. This tool will not only identify if your device is affected but also allow you to perform penetration testing to ensure the feature is properly configured.
Method 3: Utilize Cisco’s Security Checker
You can also use Cisco’s Security Checker tool to submit your IOS and IOS XE software version number and check for any known vulnerabilities or required security updates. This tool is available at: https://tools.cisco.com/security/center/softwarechecker.x
Vulnerability Fix
To mitigate this vulnerability, you can use one of the following methods:
Method 1: Patch
Although a patch has not been officially provided by Cisco, you can temporarily disable the Smart Install feature using the following commands:
switch1# conf t
switch1(config)# no vstack
switch1(config)# do wr
This will disable the Smart Install feature. You can verify the status by running the following command:
switch# show vstack config
Role: Client (SmartInstall disabled)
Vstack Director IP address: 0.0.0.0
If the output shows "disabled", Smart Install is disabled.
Method 2: Temporarily Disable Smart Install
As a temporary measure, you can disable the Smart Install feature using the no vstack command.
Method 3: Configure ACLs
When the Smart Install feature is required, you can configure ACLs to define a whitelist of devices allowed to reach port 4786 using the following commands:
ip access-list extended yunxu-smi
 permit tcp host 10.10.10.1 host 10.10.10.200 eq 4786
 deny tcp any any eq 4786
 permit ip any any
Method 4: Configure Firewall ACLs
Alternatively, you can configure firewall ACLs to deny any IP access to the device on port 4786, or allow specific IP access, using the following commands:
ip access-list extended yunxu-smi
 permit tcp host 10.10.10.1 host 10.10.10.200 eq 4786
 deny tcp any any eq 4786
 permit ip any any
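An added example, not part of the original guide or any vendor tool: a Python check that reads saved `show vstack config` output and configuration text, reports whether Smart Install is disabled, and evaluates whether an ACL like the ones above actually restricts TCP port 4786. It also flags entries that pair the `ip` protocol with a port match, which IOS extended ACLs do not accept. The interface binding in the sample (`interface Vlan1`, `ip access-group ... in`) is an assumption, since the guide does not show where the ACL is applied.

```python
import re

SMI_PORT = "4786"  # TCP port named in the guide's ACLs
# Constructed sample: the guide's Method 3 ACL plus an assumed interface binding.
SAMPLE = ("ip access-list extended yunxu-smi\n permit tcp host 10.10.10.1 host 10.10.10.200 eq 4786\n"
          " deny tcp any any eq 4786\n permit ip any any\ninterface Vlan1\n ip access-group yunxu-smi in\n")

def smart_install_disabled(vstack_output):
    """True only if the Role line of `show vstack config` says disabled."""
    for line in vstack_output.splitlines():
        if line.strip().lower().startswith("role:"):
            return "disabled" in line.lower()
    return False  # no Role line: not proven disabled

def parse_acls(config):
    """Map each named extended ACL in the config text to its entries."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = re.sub(r"^\d+\s+", "", raw.strip())  # drop sequence numbers
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            current = acls.setdefault(m.group(1), [])
        elif current is not None and line.split()[:1] in (["permit"], ["deny"]):
            current.append(line)
        else:
            current = None  # any other line ends the ACL block
    return acls

def audit_acl(entries):
    """First match wins for TCP/4786; only the guide's entry shapes are recognised."""
    allowed, invalid = [], []
    def result(blocks):
        return {"blocks_others": blocks, "allowed": allowed, "invalid": invalid}
    for entry in entries:
        tok = entry.split()
        names_port = tok[-2:] == ["eq", SMI_PORT]
        if names_port and tok[1] not in ("tcp", "udp"):
            invalid.append(entry)  # `ip` cannot carry a port match
        elif names_port and tok[:2] == ["permit", "tcp"]:
            allowed.append(entry)
        elif names_port and tok[:4] == ["deny", "tcp", "any", "any"]:
            return result(True)
        elif tok in (["permit", "ip", "any", "any"], ["permit", "tcp", "any", "any"]):
            return result(False)  # TCP/4786 falls through to a blanket permit
    return result(True)  # implicit deny at the end of every ACL

def acl_applied_inbound(config, name):
    """True if an interface references the ACL with `ip access-group <name> in`."""
    return re.search(rf"^\s*ip access-group {re.escape(name)} in\s*$", config, re.M) is not None
```

An ACL that is defined but never bound to an interface filters nothing, so a clean `audit_acl` result only matters when `acl_applied_inbound` is also true.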
By following these self-examination and mitigation methods, you can ensure the security of your equipment and prevent potential attacks.