Mass Attack on Cisco Equipment

    Colleagues, a large-scale botnet attack has begun and is still ongoing. IP address space is being scanned wholesale for the recently disclosed vulnerability in Cisco IOS Software (CVE-2018-0171, CVSS 9.8), which allows remote command execution on Cisco devices. Once the bot gets into a device, it wipes the configuration and writes its own files in its place. We are recording exploitation attempts from more than one hundred different addresses in different countries, and the pool of sources keeps growing.

    Cisco has already released patches for this vulnerability.

    We recommend installing the patches as soon as possible. Below is the notification that Solar JSOC is sending to its customers, with details of the vulnerability and recommendations for countering the attack.

    The root cause is improper validation of packet data in the Cisco Smart Install (SMI) client. By exploiting it, an attacker can change the device's TFTP server settings and pull configuration files out over TFTP, modify the switch's global configuration file, replace the IOS image, and create local accounts, allowing attackers to log in to the device and execute arbitrary commands.
    Cisco devices that are vulnerable to this attack:

    Catalyst 4500 Supervisor Engines
    Catalyst 3850 Series
    Catalyst 3750 Series
    Catalyst 3650 Series
    Catalyst 3560 Series
    Catalyst 2960 Series
    Catalyst 2975 Series
    IE 2000
    IE 3000
    IE 3010
    IE 4000
    IE 4010
    IE 5000
    SM-ES2 SKUs
    SM-ES3 SKUs
    NME-16ES-1G-P
    SM-X-ES3 SKUs
    The attack is most often observed on service providers' equipment.

    Recommendations:

    1. Disable the SMI protocol on network devices (instructions here).
    2. Deliver the latest updates to vulnerable network devices.
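    While patches are being rolled out, it helps to watch perimeter logs for the pattern described above: many external sources hitting Smart Install, followed by a device pulling files over TFTP from the same host. The script below is an added example, not part of the Solar JSOC notification; it assumes Smart Install listens on TCP/4786 (Cisco's Smart Install port, not stated on this page), uses a constructed firewall log format, and treats 10.0.0.0/8 and 192.0.2.0/24 as the internal ranges.

```python
# Added example (not from the original notification): correlate constructed
# firewall log lines to spot the Smart Install exploitation chain described above.
# Assumptions: Smart Install listens on TCP/4786 (Cisco's port, not from this page);
# a device that, after being hit on 4786, opens outbound TFTP (UDP/69) to the same
# external host is flagged as likely config theft or image replacement.
from collections import defaultdict
import re

# Constructed sample log lines: "time action proto src:sport -> dst:dport"
SAMPLE_LOGS = """\
10:00:01 ALLOW TCP 198.51.100.7:51002 -> 192.0.2.10:4786
10:00:02 ALLOW TCP 203.0.113.9:44010 -> 192.0.2.10:4786
10:00:03 ALLOW UDP 192.0.2.10:49152 -> 198.51.100.7:69
10:00:05 ALLOW TCP 203.0.113.9:44011 -> 192.0.2.11:4786
10:00:07 ALLOW TCP 10.1.1.5:33000 -> 192.0.2.10:4786
10:00:09 ALLOW TCP 198.51.100.8:51003 -> 192.0.2.12:4786
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")
SMI_PORT = 4786   # Cisco Smart Install (assumption, see lead-in)
TFTP_PORT = 69
INTERNAL_PREFIXES = ("10.", "192.0.2.")  # constructed: our device/management ranges

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)

def analyze(log_text):
    """Return (external source -> devices probed on SMI, list of TFTP follow-ups)."""
    smi_sources = defaultdict(set)  # external src -> set of devices hit on 4786
    tftp_followups = []             # (device, external host) where device pulled via TFTP
    touched = set()                 # (device, external src) pairs seen on SMI
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        _, _, proto, src, _, dst, dport = m.groups()
        dport = int(dport)
        if proto == "TCP" and dport == SMI_PORT and not is_internal(src):
            smi_sources[src].add(dst)
            touched.add((dst, src))
        elif proto == "UDP" and dport == TFTP_PORT and (src, dst) in touched:
            # A device hit over SMI is now fetching from the same external host
            tftp_followups.append((src, dst))
    return smi_sources, tftp_followups

if __name__ == "__main__":
    sources, followups = analyze(SAMPLE_LOGS)
    print(f"{len(sources)} distinct external sources probing Smart Install")
    for device, host in followups:
        print(f"ALERT: {device} fetched via TFTP from SMI scanner {host}")
```

Internal management hosts (here 10.1.1.5) are excluded so legitimate Smart Install directors do not count as scanners; the distinct-source count is the same metric the notification quotes for the scale of the campaign.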
