Attackers Exploit Cisco Switch Issue as Vendor Warns of Yet Another Critical Flaw

Cisco says companies fixing previously known protocol issue should also patch against critical remote-code execution issue.

Network Computing logo

Cisco is urging organizations to immediately address a critical flaw in its network switches running IOS and IOS XE software amid reports of widespread attacks against the devices in several countries.

The company on Monday published a security advisory on the remote code execution flaw (CVE-2018-0171) in the Smart Install function in Cisco IOS and IOS XE software.

Cisco described the flaw — first disclosed March 29 by Embedi — as an issue that could allow an unauthenticated remote attacker to trigger a denial-of-service condition or to execute code of their choice on an affected device. Emedi on March 29 claimed it had found some 250,000 network devices that were vulnerable to the issue.

The RCE flaw is separate from a protocol misuse issue also related to the Smart Install function that Cisco first issued an advisory about on Feb 14, 2017 and has updated a couple of times. It is apparently the protocol misuse issue that attackers have been exploiting in the recent attacks,  not the RCE flaw.

However, Cisco has urged organizations to address both issues immediately, citing widespread and ongoing attacks against its switches in multiple countries. "While we have only observed attacks leveraging the protocol misuse issue, recently, another vulnerability in the Cisco Smart Install Client was disclosed and patched," the company said in a blog. "While mitigating the protocol misuse issue, customers should also address this vulnerability."

'Don't mess with our elections'

Reuters over the weekend reported that some 200,000 Cisco switches had been compromised in attacks in multiple countries. Among those impacted were data centers and ISPs in Iran and Russia where the attackers displayed a US flag on the screens of compromised systems with the message, "Don't mess with our elections."

IRNA, Iran's official news agency said the attacks impacted at least 3,500 routers in the country. The agency quoted cybersecurity officials within the country as saying that attackers had tampered with configuration settings on the devices to cause systems to become unavailable.

Read the rest of this article on Dark Reading.

About the Author(s)

Jai Vijayan, Contributing Writer, Dark Reading

Freelance writerJai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics including Big Data, Hadoop, Internet of Things, E-voting and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, IL.

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights