Cisco patched a critical security flaw, tracked as CVE-2017-3881, affecting its Cisco Catalyst switches that could potentially be exploited by attackers to hijack networks.
The vulnerability was disclosed in the CIA Vault 7 data leak. According to Switchzilla, a remote attacker can exploit it simply by establishing a Telnet connection and sending a Cluster Management Protocol (CMP) command to the affected network device.
“The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors:” reads the Cisco security advisory published on Monday.
The vulnerability affects the default configuration of the flawed devices even when the user doesn’t have switch clusters configured, and can be exploited over either IPv4 or IPv6.
“An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections,”
“Do you still have telnet enabled on your Catalyst switches? Think twice, here’s a proof-of-concept remote code execution exploit for Catalyst 2960 switch with latest suggested firmware. Check out the exploit code here.” wrote Kondratenko. “What follows is a detailed write-up of the exploit development process for the vulnerability leaked from CIA’s archive on March 7th 2017 and publicly disclosed by Cisco Systems on March 17th 2017. At the time of writing this post there is no patch available. Nonetheless there is a remediation – disable telnet and use SSH instead.”
Just after the disclosure of the CVE-2017-3881 flaw, Cisco confirmed that the IOS / IOS XE bug affects more than 300 of its switch models, including Cisco Catalyst, Embedded Services, and Industrial Ethernet switch models.
As a mitigation measure, experts from Cisco suggested disabling Telnet connections; SSH remains the best option for remotely accessing the devices.
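One way to check exported switch configurations against this mitigation, as an added example that is not from the Cisco advisory or the original article: the Python script below parses the `line vty` sections of a running-config and flags any that still accept Telnet. The sample configuration is constructed, and marking a section with no explicit `transport input` as "review" is an assumption, since the default depends on the software release.

```python
import re

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
hostname lab-sw1
!
line con 0
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
line vty 16 31
 login local
!
end
"""

def vty_blocks(config_text):
    """Yield (header, [sub-commands]) for every 'line vty' section."""
    header, body = None, []
    for raw in config_text.splitlines():
        if raw[:1] in (" ", "\t") and header is not None:
            body.append(raw.strip())      # indented line belongs to the open section
            continue
        if header is not None:            # a non-indented line closes the section
            yield header, body
        header, body = (raw.strip(), []) if raw.startswith("line vty") else (None, [])
    if header is not None:
        yield header, body

def audit_vty_transport(config_text):
    """Return [(vty header, verdict)] where verdict is ok / telnet-allowed / review."""
    findings = []
    for header, body in vty_blocks(config_text):
        protocols = None
        for cmd in body:
            m = re.match(r"transport input\s+(.+)", cmd)
            if m:
                protocols = set(m.group(1).split())   # last statement wins
        if protocols is None:
            verdict = "review"            # assumption: default varies by release
        elif protocols & {"telnet", "all"}:
            verdict = "telnet-allowed"    # Telnet listener reachable on these lines
        else:
            verdict = "ok"                # e.g. 'ssh' or 'none'
        findings.append((header, verdict))
    return findings

if __name__ == "__main__":
    for header, verdict in audit_vty_transport(SAMPLE_CONFIG):
        print(f"{header:<16} {verdict}")
```

Any section reported as `telnet-allowed` or `review` should be set to `transport input ssh` and rechecked.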
(Security Affairs – CVE-2017-3881, Cisco Catalyst)