HomeinvestigationsCisco Smart Install: Makes thousands of web devices vulnerable worldwide

Cisco Smart Install: Makes thousands of web devices vulnerable worldwide

Security researcher Dimitris Roussis analyzes how one wrong setting in the Smart Install feature provided by Cisco devices makes thousands of web devices vulnerable worldwide.

Smart Install enables an Internet device that integrates into a corporate network to be automatically adapted without the intervention of a network administrator (Network Administrator). Thousands of active Cisco devices are currently configured to provide Internet Install Smart Install capability.

See also: Identity Theft Scams - What Is It And How To Protect Yourself?

Cisco Smart Install: Makes thousands of network devices vulnerable worldwide
Cisco Smart Install web devices vulnerability

An attacker can take advantage of this setting and gain access to web devices with the ability to remotely execute any command, such as turn off the network device making the corporate network inaccessible throughout the Organization / Company, intercept or change passwords etc.

The above are presented in the analysis presented to us below by the researcher.

See also: Malicious KMSpico installers are used to steal crypto wallets

Initially in the context of research are searched as a random sample of 100 web devices, among the thousands, through the shodan search engine.

Then, through an automated script, it is checked which of the network devices of the random sample are vulnerable. The script also uses code that is published on the internet.

The end result of the script is creation of a file (vulnerable_devices.txt) which includes IPs from vulnerable network devices.

See also: Thieves use AirTags to steal your car

In addition, the script to prove the severity of the vulnerability, connects to the network device, and downloads the entire config file to the local tftp folder.

Cisco Smart Install: Makes thousands of web devices vulnerable worldwide

According to the download of the config file through this vulnerability any command can be executed on the network device.

It is worth noting that among the affected network devices are several in Greece, as evidenced by the Shodan search engine.

See Also: Phishing campaign uses fake Office 365 notifications to steal credentials

To prevent the attack, Network Administrators must immediately disable the Smart Install feature if it is not used or restrict access to it through ACL rules that will not allow access to port 4786 from the Public network ( Internet).

Technical analysis by Dimitris Roussis: Dimitris Roussis is a member of the Information Systems Security Laboratory of the University of the Aegean.