Massive attack on Cisco

    Today (Friday) evening I twice received a notification of an attack on Cisco routers. A successful attack wipes the configuration.

    Runet Cisco attack

    I hope this information from the IX mailing list will be useful:
    We are obliged to draw your attention to the fact that a botnet which infects Cisco devices is currently particularly active on the network.

    According to our data, as a result of this virus the configuration of the network device is completely deleted, and reconfiguration via the remote console becomes necessary.

    Exploited vulnerability: CVE-2018-0171.

    Please note that the virus scans the network for open TCP port 4786.

    The network infrastructure of MSK-IX is not affected.

    As security measures, the port can be blocked using access lists, or vstack can be disabled (command 'no vstack').
    In the repeat notification an hour later, they added that they were willing to help affected participants quickly get console access to their routers (which means the number of affected participants is neither 0 nor 1).

    As previously written, the vulnerability received the identifier CVE-2018-0171 and a score of 9.8 on the CVSS scale. The problem stems from incorrect packet validation in the SMI client (Cisco Smart Install). It was published on March 28; Cisco developers have already released patches for the bug, after which researchers published a proof-of-concept exploit.
    It seems that on Friday evening some “funny guys” decided to use their botnet to scan for open TCP port 4786 and then attack the devices they discovered.
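The two mitigations named in the mailing-list notice, written out as an added Cisco IOS configuration example (not from the post or from MSK-IX); the interface name and the 192.0.2.0/24 management subnet are assumed values.

```cisco
! Added example, not from the post or from MSK-IX: applies the two mitigations
! for CVE-2018-0171 named in the notice. Interface name and the management
! subnet 192.0.2.0/24 are assumed values; patching remains the actual fix.
!
! 1. Disable the Smart Install client entirely (preferred where the device
!    does not need Smart Install). If the command is not available on the
!    running release, rely on the access list below.
no vstack
!
! 2. Block inbound TCP 4786 on every interface facing untrusted networks, so
!    the botnet's scan for the open port never reaches the SMI client. The
!    narrow permit for the management subnet is only needed if Smart Install
!    is still in use; remove it otherwise.
ip access-list extended BLOCK-SMART-INSTALL
 remark Drop Smart Install (TCP 4786) from everywhere except management
 permit tcp 192.0.2.0 0.0.0.255 any eq 4786
 deny   tcp any any eq 4786 log
 permit ip any any
!
interface GigabitEthernet0/1
 description uplink to IX / Internet (assumed interface)
 ip access-group BLOCK-SMART-INSTALL in
!
end
!
! Verification (exec mode): the first command should report Smart Install as
! disabled; the second shows hit counts on the deny line, which is a cheap
! detection signal for the port scanning described above.
! show vstack config
! show ip access-lists BLOCK-SMART-INSTALL
```

The `permit ip any any` at the end matters: an extended ACL ends with an implicit deny, so omitting it would cut off all other traffic on the interface.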

    Earlier it was reported that 8.5 million devices were found with the port open and 250 thousand without patches. Tomorrow morning we will find out their share in RuNet.

    PS: Since I do not consider myself a Cisco security specialist, any additions are welcome in the comments. I hope they will also help administrators avoid the attack.

    PPS: The infrastructure of the Zadarma cloud was not affected, but at the same time we noticed problems with some telephone operators in Moscow; maybe they were related to the attack.
