Security researcher Dimitris Roussis analyzes how a single wrong setting in the Smart Install feature of Cisco devices leaves thousands of network devices worldwide vulnerable.
Smart Install allows a network device that joins a corporate network to be configured automatically, without the intervention of a network administrator. Thousands of active Cisco devices are currently configured so that the Smart Install service is reachable from the Internet.
An attacker can abuse this setting to gain access to such network devices and remotely execute arbitrary commands: for example, shutting down the device so that the corporate network becomes inaccessible across the entire organization, or intercepting or changing passwords.
These findings are set out in the researcher's analysis, which follows below.
First, a random sample of 100 network devices, out of the thousands exposed, was collected through the Shodan search engine.
Then an automated script checks which network devices in the random sample are vulnerable. The script also makes use of code that has been published on the Internet.
The script's end result is a file (vulnerable_devices.txt) listing the IP addresses of the vulnerable network devices.
In addition, to demonstrate the severity of the vulnerability, the script connects to a network device and downloads its entire configuration file to the local TFTP folder.
Beyond downloading the configuration file, the vulnerability allows any command to be executed on the network device.
It is worth noting that, as the Shodan search engine shows, several of the affected network devices are located in Greece.
To prevent the attack, network administrators must immediately disable the Smart Install feature if it is not in use (on Cisco IOS, with the global configuration command "no vstack"), or restrict access to it with ACL rules that block access to TCP port 4786 from the public network (the Internet). Whether the feature is active on a given device can be confirmed with "show vstack config".
Technical analysis by Dimitris Roussis, member of the Information Systems Security Laboratory of the University of the Aegean.