There has been a surge in malicious cyber activity exploiting the Cisco Smart Install (SMI) legacy feature. This legacy feature is enabled by default on many Cisco devices, allowing threat actors to gain unauthorized access to network devices, exfiltrate system configuration files, distribute various malware families, and cause significant disruption. Review this Cybersecurity Threat Advisory to learn how to keep your environment secure.
What is the threat?
Security experts now recognize the SMI feature, primarily intended for automated configuration and deployment of Cisco devices, as a major security exposure; the associated vulnerability is tracked as CVE-2018-0171. Remote attackers can exploit the feature when it is left enabled without proper security controls, allowing them to execute arbitrary code or cause a denial-of-service (DoS) condition on affected devices.
To exploit this vulnerability, attackers are sending specially crafted SMI protocol messages to devices, leading the devices to respond with sensitive configuration details. Bad actors can use these details to map out the network, identify other vulnerable devices, and distribute malware.
Why is it noteworthy?
Because the SMI feature is enabled by default, many organizations may still be susceptible without realizing it, significantly increasing their risk of cyberattacks. The ease of exploiting this flaw and the significant impact of a successful attack make it a high-priority issue for network administrators.
What is the exposure or risk?
Organizations that have not disabled the Cisco SMI feature or applied the necessary patches are at significant risk. Successful exploitation of this vulnerability can lead to unauthorized access to network infrastructure, resulting in the exfiltration of sensitive configuration data, network disruption, and the potential spread of malware across the network. In some cases, this could lead to a complete compromise of the organization’s network, allowing attackers to move laterally and escalate privileges. The potential for significant operational downtime, data loss, and reputational damage makes this a critical issue that requires immediate attention.
What are the recommendations?
Barracuda MSP recommends the following actions to keep your environment secure:
- Disable the SMI feature on all devices where it is not explicitly needed.
- Update all Cisco devices with the latest security patches and firmware updates.
- Review the NSA’s Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for further configuration guidance.
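The following is an added example, not part of the original advisory, showing how to audit a set of collected running-configs for the first recommendation above. It assumes the Cisco IOS global command `no vstack` is what disables Smart Install (taken from Cisco's guidance rather than this page) and that the feature leaves no line in the running-config while it is still enabled by default; the device names and config excerpts are constructed samples.

```python
import re

# Constructed sample running-config excerpts (not real device output).
# core-sw1 still has Smart Install enabled; access-sw7 has it disabled.
SAMPLE_CONFIGS = {
    "core-sw1": """\
hostname core-sw1
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
!
line vty 0 4
 transport input ssh
""",
    "access-sw7": """\
hostname access-sw7
!
no vstack
!
interface Vlan1
 ip address 10.0.0.7 255.255.255.0
""",
}

# Assumption: Smart Install is on by default and is only reflected in the
# running-config once it has been explicitly disabled with "no vstack".
# Any config lacking that line is therefore treated as exposed.
NO_VSTACK = re.compile(r"^[ \t]*no[ \t]+vstack[ \t]*$", re.MULTILINE)


def smart_install_disabled(running_config: str) -> bool:
    """True if the running-config carries the 'no vstack' global command."""
    return NO_VSTACK.search(running_config) is not None


def audit(configs: dict) -> list:
    """Return the hostnames that still need 'no vstack' applied, sorted."""
    return sorted(
        name for name, cfg in configs.items() if not smart_install_disabled(cfg)
    )


if __name__ == "__main__":
    for host in audit(SAMPLE_CONFIGS):
        print(f"{host}: Smart Install not disabled; apply 'no vstack' "
              "and confirm with 'show vstack config'")
```

Devices flagged by the audit should be verified on the box itself, since a backed-up config can lag behind the running state.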
References
For more in-depth information about the recommendations, please visit the following links:
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
- https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-abusing-cisco-smart-install-feature/
- https://www.cisa.gov/news-events/alerts/2024/08/08/best-practices-cisco-device-configuration
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.