Cisco Warns of Telnet Zero-Day Flaw in 300 Switch Products
Cisco has reported a serious flaw in its IOS software that could provide hackers with complete control of more than 300 vulnerable enterprise and industrial switches. The weakness was discovered following an analysis of the WikiLeaks Vault7 documents leaked earlier this month. In response to the vulnerability, Cisco is recommending that users of these affected switches disable Telnet and instead use SSH to prevent incoming connections that attempt to exploit a critical flaw in a protocol for communicating between cluster members.
“An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device,” Cisco said in an advisory.
In a statement issued on Friday night, Cisco explained: “The Cluster Management Protocol [CMP] utilizes Telnet internally as a signaling and command protocol between cluster members.”
The vulnerability is due to the combination of two main factors:
- The incorrect processing of malformed CMP-specific Telnet options
- The failure to restrict the use of CMP-specific Telnet options to internal, local communications between cluster members, instead accepting and processing such options over any Telnet connection to an affected device.
In total, the vulnerability affects 264 Catalyst switches, 51 Ethernet switches and three other devices. While it has been speculated that the CIA exploited some of these vulnerabilities, there are no known exploits in use, although that could change.
Cisco encourages customers to disable incoming Telnet connections and switch to SSH. If this isn’t an option, administrators can reduce their attack surface by implementing infrastructure access control lists to whitelist traffic. Cisco has provided instructions for determining whether a device is set to accept incoming Telnet connections. Additionally, it provided a complete list of affected products and instructions for checking which IOS version customers are using.
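The check and the fix above can be scripted against a saved `show running-config`: find every `line vty` block whose `transport input` still admits Telnet, then rewrite it to SSH only. This is an added example, not Cisco's tooling; the config excerpt is constructed, and treating a vty with no explicit `transport input` as exposed is an assumption because the default depends on the IOS release.

```python
import re

# Constructed 'show running-config' excerpt (not from the article or Cisco):
# vty 0-4 still accept Telnet, vty 5-15 are already SSH-only.
SAMPLE_CONFIG = """\
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
end
"""

TELNET_KEYWORDS = {"telnet", "all"}   # transport keywords that admit a Telnet client
VTY_HEADER = re.compile(r"^line vty \d+")
TRANSPORT = re.compile(r"^\s+transport input (.+)$")

def audit_vty_telnet(config):
    """Per 'line vty' block: its transport setting and whether Telnet is accepted."""
    results, current = [], None
    for line in config.splitlines():
        if VTY_HEADER.match(line):
            # Assumption: no explicit 'transport input' -> release-dependent default, flag as exposed
            current = {"range": line[5:], "transport": "default", "accepts_telnet": True}
            results.append(current)
        elif line and not line.startswith(" "):
            current = None                              # left the vty block
        elif current is not None and (m := TRANSPORT.match(line)):
            protocols = m.group(1).split()
            current["transport"] = " ".join(protocols)
            current["accepts_telnet"] = bool(TELNET_KEYWORDS & set(protocols))
    return results

def harden_vty_transport(config):
    """Rewrite Telnet-capable vty lines to 'transport input ssh'; add it where absent."""
    out, in_vty, has_transport = [], False, False
    for line in config.splitlines():
        if in_vty and line and not line.startswith(" "):  # leaving a vty block
            if not has_transport:
                out.append(" transport input ssh")
            in_vty = False
        if VTY_HEADER.match(line):
            in_vty, has_transport = True, False
        elif in_vty and (m := TRANSPORT.match(line)):
            has_transport = True
            if TELNET_KEYWORDS & set(m.group(1).split()):
                line = " transport input ssh"          # SSH only, as Cisco recommends
        out.append(line)
    if in_vty and not has_transport:                    # config ended inside a vty block
        out.append(" transport input ssh")
    return "\n".join(out) + "\n"
```

A vty set to `transport input none` is left untouched, since it already accepts no remote sessions.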