Cisco PSIRT – Mitigating and Detecting Potential Abuse of Cisco Smart Install Feature
Contributors: Stefano De Crescenzo, Paul Oxman
Cisco PSIRT has become aware of attackers potentially abusing the Smart Install (SMI) feature in Cisco IOS and IOS XE Software. While this is not considered a vulnerability, PSIRT published a Cisco Security Response on February 14, 2017 to inform customers about possible abuse of the Smart Install feature if it remains enabled after device installation. The Security Response also provides guidance on actions customers should consider to protect their networks against abuse of this setup feature.
New tools: The Cisco Talos group has developed a tool that customers can use to scan for devices that have the Smart Install feature enabled in their environment. Just scanning for TCP port 4786 being open is not sufficient as this port is used by other protocols as well and this might thus result in false positive. For more information, see Cisco Coverage for Smart Install Client Protocol Abuse.
Cisco has also published a new IPS signature and new Snort rules that help detect the use of Smart Install protocol messages in customer networks.
Mitigation: If customers find devices in their network that continue to have the Smart Install feature enabled, Cisco strongly recommends that they disable the Smart Install feature with the no vstack configuration command.
Otherwise, customers should apply the appropriate security controls for the Smart Install feature and their environment. The recommendations noted below and in the Security response will avoid the risk of attackers abusing this feature.
Cisco Smart Install is a legacy feature that provides zero-touch deployment for new switches, typically access layer switches. The feature has been designed for use within the local customer network and should not be exposed to un-trusted networks. Newer technology, such as the Cisco Network Plug and Play feature are recommended for more secure setup of new switches, though the Smart Install feature remains an option for platforms that do not currently support the Cisco Network Plug and Play feature.
A Smart Install network consists of one Smart Install director switch or router, also known as the integrated branch director (IBD), and one or more Smart Install client switches, also known as integrated branch clients (IBCs). Only Smart Install client switches are affected by the abuse described in this document.
The Smart Install feature is enabled by default on client switches. No configuration is needed on Smart Install client switches.
The following example shows the output of the show vstack config command in a Cisco Catalyst switch with the Smart Install client feature enabled; this is the only output that indicates that the Smart Install client feature is enabled:
switch#show vstack config | inc Role Role: Client (SmartInstall enabled)
If left enabled on IBCs, the absence of an authorization or authentication mechanism in the Smart Install (SMI) protocol used by Smart Install clients and a Smart Install director could allow an attacker to send crafted SMI protocol messages as if those messages were sent from the Smart Install director. This could allow the attacker to perform any of the following actions on a targeted system:
- Change the TFTP server address on an IBC.
- Copy arbitrary1 files from the IBC to an attacker-controlled TFTP server.
- Substitute a client’s startup-config file with a file that the attacker prepared, and force a reload of that IBC after a defined time interval.
- Load an attacker-supplied IOS Software image onto an IBC.
- Execute high-privilege configuration mode CLI commands on an IBC, including “do-exec” CLI commands. Any output of or prompt resulting from the command(s) run will appear on the IBC’s local console. This is possible only in Cisco IOS Software releases 15.2(2)E and later, and Cisco IOS XE Software releases 3.6.0E and later.
If the management IP address of a client switch is exposed to the Internet, an attacker could abuse Smart Install features remotely.
1 Any file from any file system that can be accessed via the regular copy command on the IOS or IOS XE CLI
To mitigate the risk of abuse, Cisco recommends that customers implement the security best practices discussed in the following documents:
- Cisco Security Response: Cisco Smart Install Protocol Misuse
- Cisco Smart Install Configuration Guide
There are no indicators of an attacker changing the TFTP server address or of an attacker copying files off the device using Smart Install capabilities. Cisco recommends that customers look for access from external IP addresses.
If write operations are induced via the Smart Install feature and the logging level is set to 6 (informational) or higher, messages will appear in the logs.
If the startup-config is replaced the following messages are typically seen in the logs from the affected device:
%SMI-6-UPGRD_STARTED: Device (IP address: 0.0.0.0) startup-config upgrade has started %SYS-5-CONFIG_NV_I: Nonvolatile storage configured from tftp://<ip-address>/my.conf by <username> on console %SMI-6-UPGRD_SUCCESS: Device (IP address: 0.0.0.0) startup-config has upgraded successfully
The execution of high-privileged commands in configuration mode via the Smart Install feature typically results in the following messages in the logs from the affected device:
%SMI-6-DWNLD_STARTED: Device (IP address: 0.0.0.0) post install file download has started %SMI-6-DWNLD_SUCCESS: Device (IP address: 0.0.0.0) post install file has downloaded successfully [...] %SMI-6-UPGRD_STARTED: Device (IP address: 0.0.0.0) startup-config upgrade has started
If a reload is induced via the Smart install feature and the logging level is set to 5 (notifications) or higher, one of the following messages will appear in the logs:
%SYS-5-RELOAD: Reload requested by SMI IBC Download Process. Reload reason: Switch upgraded through Smart Install %SYS-5-RELOAD: Reload requested by Delayed Reload. Reload reason: HULC SMI Scheduled Reload after Config Download %SYS-5-RELOAD: Reload requested by Delayed Reload. Reload reason: HULC SMI Scheduled Reload
In addition to local logs on client switches and logs that a client switch sends to a syslog server, customers should also look into firewall logs and NetFlow data.
Cisco has published Intrusion Prevention System (IPS) signature ID 7856-0 as well as Snort rules 41722-41725 to help detect the use of Smart Install protocol messages in customer networks. Please see the Talos blog post referenced under New Tools: above for details on the Snort rules.
To avoid false positives this signature and Snort rules should be enabled only in networks not using the Smart Install feature or at places in the network where Smart Install protocol messages are not expected to be seen.
The following best practices should also be used to provide more visibility into possible anomalies in an environment:
- Implement supplemental instrumentation focused on high-value network segments, devices, and individuals. This provides oversight of network devices and enables traffic monitoring. For more information, see Telemetry-Based Infrastructure Device Integrity Monitoring.
- Implement Cisco IOS NetFlow to gain visibility into traffic flows that emanate from each portion of the network and to evaluate actual traffic against expected traffic.
- Monitor network device event logging to identify unexpected network device-level activity.