Wikileaks’ disclosure of a CIA database of product vulnerabilities has led Cisco Systems to acknowledge a Telnet vulnerability in its IOS / IOS XE operating systems that affects more than 300 models including Catalyst and Industrial Ethernet switches.
For the time being there is no workaround (Cisco promises a software fix), so the company is urging administrators to turn off Telnet as an allowed protocol for incoming connections to eliminate the hole and instead use SSH. How to do that is described in the Cisco Guide to Harden Cisco IOS Devices.
The vulnerability in the operating systems’ Cluster Management Protocol could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges, Cisco says in its critical alert. That would allow an attacker to take over the device.
The protocol utilizes Telnet internally as a signaling and command protocol between cluster members. Cisco says the vulnerability is due to the combination of two factors:
- The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and
- The incorrect processing of malformed CMP-specific Telnet options.
An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections.
Checking for the presence of the CMP subsystem is only required on devices running Cisco IOS XE Software, not Cisco IOS Software, says the company. However, checking if the device is configured to accept Telnet connections is required for devices running either operating system. Devices running a vulnerable IOS XE Software release but not including the CMP protocol subsystem are not affected.
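To support the Telnet check the advisory calls for, here is a small Python checker, added as an example and not code from Cisco or from the article, that parses a running-config excerpt and reports the vty line blocks whose `transport input` still admits Telnet (or is unset and so falls back to the platform default). The config text is a constructed sample; `line vty` and `transport input` are standard IOS commands, while the report format is this example's own choice.

```python
import re
from typing import Dict, List

# Constructed sample of a Cisco IOS running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-sw1
!
line con 0
 logging synchronous
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
!
end
"""

def vty_transport_inputs(config: str) -> Dict[str, List[str]]:
    """Map each 'line vty' block to the protocols its 'transport input' allows.
    A block with no 'transport input' statement is recorded as ['<unset>'] so it
    is reviewed rather than silently treated as safe (the platform default applies)."""
    result: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):          # any unindented line ends the current block
            m = re.match(r"^line vty (\d+)(?: (\d+))?$", line)
            current = m.group(0) if m else None
            if current:
                result[current] = ["<unset>"]
            continue
        if current:
            m = re.match(r"^\s*transport input (.+)$", line)
            if m:
                result[current] = m.group(1).split()
    return result

def telnet_exposed_vtys(config: str) -> List[str]:
    """Return vty blocks that accept Telnet ('telnet' or 'all'), plus blocks whose
    transport is unset and therefore needs manual confirmation on the device."""
    return [block for block, protos in vty_transport_inputs(config).items()
            if any(p in ("telnet", "all", "<unset>") for p in protos)]

if __name__ == "__main__":
    for block in telnet_exposed_vtys(SAMPLE_CONFIG):
        print(f"{block}: Telnet allowed or transport unset -> set 'transport input ssh'")
```

Run it against the output of `show running-config` to get a list of vty blocks to restrict to SSH.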
Cisco IPS Signature 7880-0 and Snort SIDs 41909 and 41910 can detect attempts to exploit this vulnerability.
Two weeks ago WikiLeaks revealed what it says is an archive of 8,761 documents and files — but not source code, names, email addresses or external IP addresses — describing malware, viruses, trojans, weaponized “zero day” exploits, malware remote-control systems and associated documentation that the agency can use for spying on a range of products running Apple’s iOS, Google’s Android and Microsoft’s Windows operating systems.
A day later WikiLeaks said it would hand over details on the vulnerabilities to vendors so they can patch their software. However, citing unnamed sources, Motherboard reported on Friday that WikiLeaks is asking vendors to sign off on a series of conditions before they can receive the actual technical details. One source said one condition is that fixes be issued within 90 days.
That would appear to be an assurance that a vendor won’t hide the vulnerability or give it a low priority. On the other hand, it may take a vendor longer than three months to fix the bug(s). Motherboard also notes vendors may be shy about accepting anything from WikiLeaks that might be stolen property.