Summary

Talos has become aware of active scanning against customer infrastructure with the intent of finding Cisco Smart Install clients. Cisco Smart Install is one component of the Cisco Smart Operations solution that facilitates the management of LAN switches. Research has indicated that malicious actors may be leveraging detailed knowledge of the Smart Install Protocol to obtain copies of customer configurations from affected devices. The attack leverages a known issue with the Smart Install protocol. Cisco PSIRT has published a security response to this activity. Abuse of the Smart Install protocol can lead to modification of the TFTP server setting, exfiltration of configuration files via TFTP, replacement of IOS image and potentially execution of IOS commands.

We are aware that a tool to scan for affected systems, called the Smart Install Exploitation Tool (SIET), has been publicly released and is available here. This tool may be being used in these attacks.

Protection

To assist customers in understanding their exposure to this issue, we have released our own scanning tool as well as preliminary Snort rules which can be used to identify affected systems and detect SIET activity.

Talos Scanning Utility

Talos has produced a scanning utility which all users can run against their infrastructure to determine if they could be affected by abuse of the Smart Install Client Protocol. This tool can be found here.


Coverage

Snort Rules

Talos has created coverage for this issue in the form of sids 41722-41725. These rules are being provided immediately as part of the community rule set and can be downloaded here:

Cisco FirePOWER and Snort Subscriber Rule Set customers should ensure they are running the latest rule update in order to receive coverage.

Additionally, generic TFTP activity rules sid:518 and sid:1444 are available but these are not issue specific and must be explicitly enabled.

Further Information

Cisco PSIRT has published a blog post related to the issue here:

https://blogs.cisco.com/security/cisco-psirt-mitigating-and-detecting-potential-abuse-of-cisco-smart-install-feature

Further guidance on Smart Install security practices here:

http://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/concepts.html#23355

Additional third-party research about Smart Install is available here:

https://2016.zeronights.ru/wp-content/uploads/2016/12/CiscoSmartInstall.v3.pdf

Talos encourages all partners to quickly take steps to protect their systems in accordance with the published security guidelines.

If you have a network security emergency, contact the Cisco Technical Assistance Center (TAC) at the following phone numbers:

Inside the United States or Canada: +1 800 553-2447

Outside the United States: Worldwide Contacts

Cisco responds quickly to attacks in progress and works with your staff to develop an incident response plan that minimizes the effect of current and future attacks.