Mass Attack on Cisco Equipment

    Colleagues, a powerful botnet attack has begun and is still ongoing. All IP addresses are scanned for the latest vulnerability in Cisco IOS Software (CVE-2018-0171, CVSS = 9.8), allowing remote execution of commands on Cisco devices. The bot enters the device and deletes the configuration, writing its files instead. We record attempts to exploit the vulnerability from more than one hundred different addresses, from different countries, and their pool continues to expand.

    Cisco developers have already released patches for the discovered vulnerability .

    We recommend installing patches as soon as possible. Under the cut is the notification that Solar JSOC sends out to customers, with details of the vulnerability and recommendations for counteraction.

    The problem is due to incorrect packet validation in the Cisco Smart Install Client (SMI). Using the vulnerability, an attacker could modify the settings of the TFTP server and extract configuration files via TFTP, change the general configuration file of the switch, replace the IOS image, create local accounts and allow attackers to log in to the device and execute any commands.
    Cisco devices that are vulnerable to this attack:

    Catalyst 4500 Supervisor Engines
    Catalyst 3850 Series
    Catalyst 3750 Series
    Catalyst 3650 Series
    Catalyst 3560 Series
    Catalyst 2960 Series
    Catalyst 2975 Series
    IE 2000
    IE 3000
    IE 3010
    IE 4000
    IE 4010
    IE 5000
    SM-ES2 SKUs
    SM-ES3 SKUs
    SM-X-ES3 SKUs
    Most often, the attack is fixed on the equipment of providers.


    1. Disable the SMI protocol on network devices ( instructions here ).
    2. Deliver the latest updates to vulnerable network devices.

    Also popular now: