Remote Code Execution Vulnerability Found in Cisco

By

More than 8.5 million devices are affected

Embedi, a security research firm, disclosed a critical vulnerability in Cisco software that enables an attacker to remotely execute arbitrary code without authentication. Researchers at Embedi found a stack-based buffer overflow vulnerability in Cisco’s Smart Install Client code.

"Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. It automates the process of initial configuration and the loading of the current operating system image for a new network switch," wrote Embedi in a blog post.

The feature makes it easier to ship a switch without any config or administrator required at the site. In addition to ease of use, Smart Install also offers backup of the configuration in case of replacement.

Once the vulnerability was discovered, Embedi ran a short scan of the Internet and found over 8.5 million devices that have a vulnerable port open.

"Probably, this happens because on Smart Install clients the port TCP(4786) is opened by default and network administrators do not notice this somehow," explained Embedi.

In a security advisory, Cisco said that the vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786.

"A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts: Triggering a reload of the device; Allowing the attacker to execute arbitrary code on the device; and Causing an indefinite loop on the affected device that triggers a watchdog crash."

Cisco has already released a patch to fix the vulnerability. Embedi has published an advisory to help users in checking their equipment for vulnerabilities and fix them.

04/09/2018
comments powered by Disqus