Cisco issues warning over Telnet zero-day flaw in 300 switch products

The American technology conglomerate combed through WikiLeaks' Vault 7 release itself and found a bug in its Internetwork Operating System (IOS) and IOS XE software that affects more than 300 of its switch models, The Register reported.

Specifically, the vulnerability lies in the Cluster Management Protocol (CMP), which uses Telnet as a signaling and command protocol between cluster members.

Cisco is warning that the software used in hundreds of its products is vulnerable to a "critical"-rated security flaw that can be easily and remotely exploited with a simple command. It advised customers to move from the Telnet protocol to SSH because "disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector".

"Based on the 'Vault 7' public disclosure, Cisco launched an investigation into the products that could potentially be impacted by these and similar exploits and vulnerabilities." The Central Intelligence Agency is aware that the bug allows a remote attacker to execute code on, or reload, a targeted device.

The bug is present in the default configuration of affected devices, even when the user has not configured any switch clusters, and it can be exploited over either IPv4 or IPv6.

Cisco attributes the flaw to two factors. The first is a failure to restrict CMP-specific Telnet options to "local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device".

However, no patch for the vulnerability is available yet, so users have been advised to disable Telnet entirely, regardless of the inconvenience this may cause IT departments.

"This vulnerability can only be exploited through a Telnet session established to the device - sending the malformed options on Telnet sessions through the device will not trigger the vulnerability", Cisco explained.

"Customers unable or unwilling to disable the Telnet protocol can reduce the attack surface by implementing infrastructure access control lists (iACLs)", it added. The vulnerability mostly affects Cisco Catalyst switches, but it is also found in Industrial Ethernet switches and embedded services switches.
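Because the exploit vector is a Telnet session to the device, the practical check after applying Cisco's advice is whether every vty line still admits Telnet. The script below is an added example written for this article; it is not code from the article, from The Register or from Cisco. It parses the "line vty" blocks of a saved IOS running-config and reports, per block, which protocols "transport input" allows and whether a vty "access-class" is applied. The two sample configs, the hostname, the subnet and the ACL name are constructed for the example, and the treatment of a missing "transport input" line as permissive is an assumption stated in the code.

```python
"""Audit Cisco IOS running-configs for vty lines that still accept Telnet.

Added, illustrative script; not code from the article or from Cisco. It parses
the 'line vty' blocks of a running-config and reports which protocols
'transport input' allows and whether an 'access-class' (vty ACL) is applied.
The two sample configs below are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: vty lines left at settings that still accept Telnet.
WEAK_CONFIG = """\
hostname edge-sw-1
!
ip access-list standard MGMT-HOSTS
 permit 10.0.100.0 0.0.0.255
!
line vty 0 4
 login local
 transport input all
line vty 5 15
 login local
 transport input telnet ssh
!
end
"""

# Constructed sample: Telnet removed as an allowed incoming protocol and a
# vty ACL restricting SSH to a management subnet.
HARDENED_CONFIG = """\
hostname edge-sw-1
!
ip access-list standard MGMT-HOSTS
 permit 10.0.100.0 0.0.0.255
 deny any log
!
line vty 0 15
 login local
 access-class MGMT-HOSTS in
 transport input ssh
!
end
"""


@dataclass
class VtyFinding:
    line_range: str                    # e.g. "0 4"
    transports: Optional[List[str]]    # None when 'transport input' is absent
    access_class: Optional[str]        # vty ACL name, or None

    def telnet_allowed(self) -> bool:
        # Assumption: with no explicit 'transport input', treat the platform
        # default as permissive; several IOS trains default to 'all'.
        if self.transports is None:
            return True
        return "all" in self.transports or "telnet" in self.transports


def audit_vty(config: str) -> List[VtyFinding]:
    """Parse every 'line vty' block; indented lines belong to the block above."""
    findings: List[VtyFinding] = []
    current: Optional[VtyFinding] = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = VtyFinding(raw[len("line vty"):].strip(), None, None)
            findings.append(current)
        elif raw.startswith(" ") and current is not None:
            words = raw.split()
            if words[:2] == ["transport", "input"]:
                protos = words[2:]
                current.transports = [] if protos == ["none"] else protos
            elif words[:1] == ["access-class"] and len(words) >= 2:
                current.access_class = words[1]
        else:
            current = None  # any non-indented line closes the block
    return findings


def telnet_exposed(config: str) -> bool:
    """True if any vty block still admits Telnet, the CMP exploit vector."""
    return any(f.telnet_allowed() for f in audit_vty(config))


def report(config: str) -> List[str]:
    """One human-readable line per vty block."""
    lines = []
    for f in audit_vty(config):
        status = "TELNET ALLOWED" if f.telnet_allowed() else "ssh-only"
        acl = f.access_class or "no access-class"
        lines.append(f"line vty {f.line_range}: {status}; {acl}")
    return lines


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "exposed" if telnet_exposed(cfg) else "ok")
        for line in report(cfg):
            print("  " + line)
```

The check deliberately errs toward flagging: a vty block with no "transport input" line at all is reported as Telnet-capable, so an operator reviews it rather than trusting a platform default. Note that it only inspects vty lines; the iACLs Cisco mentions are applied at the network edge on interfaces, so a device protected that way will still show "TELNET ALLOWED" here until Telnet itself is removed from "transport input".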

Cisco was also stung by a separate release of classified hacking tools, said to have been developed by the National Security Agency, which left the company scrambling for a fix.

The malware, once installed on a Cisco device, appears to provide a range of capabilities: data collection, data exfiltration, command execution with administrative privileges (and without any logging of such commands ever having been executed), HTML traffic redirection, manipulation and modification (insertion of HTML code into web pages), DNS poisoning, covert tunneling and others.