Avatar

UPDATE: March 17, 2017

Based on the “Vault 7” public disclosure, Cisco launched an investigation into the products that could potentially be impacted by these and similar exploits and vulnerabilities. As part of the internal investigation of our own products and the publicly available information, Cisco security researchers found a vulnerability in the Cluster Management Protocol code in Cisco IOS and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.

The Cisco PSIRT has disclosed this vulnerability in the following security advisory:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp

In terms of mitigations to consider, disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector. Disabling Telnet and using SSH is recommended by Cisco. Information on how to do both can be found on the Cisco Guide to Harden Cisco IOS Devices.

Customers unable or unwilling to disable the Telnet protocol can reduce the attack surface by implementing infrastructure access control lists (iACLs). Information on iACLs can be found on the following document: Protecting Your Core: Infrastructure Protection Access Control Lists

Cisco IPS Signature 7880-0 and Snort SIDs 41909 and 41910 can detect attempts to exploit this vulnerability.

 

 


Blog authored by Dario Ciccarone

On March 7th, 2017, Wikileaks made public a set of documents that is being referred to as the “Vault 7 leak”.  The set contains a large collection of documents purported to belong to the United States Central Intelligence Agency (CIA) Center for Cyber Intelligence. According to Wikileaks, this disclosure is the first one – and additional disclosures will be coming the near future.

At the time of the initial release, Wikileaks has not released any of the tools or exploits associated with the disclosure. Quoting from the Wikileaks Vault 7 release announcement:

Wikileaks has carefully reviewed the “Year Zero” disclosure and published substantive CIA documentation while avoiding the distribution of ‘armed’ cyber weapons until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should analyzed, disarmed and published.

Since none of the tools and malware referenced in the initial Vault 7 disclosure have been made available by Wikileaks, the scope of action that can be taken by Cisco is limited.  An ongoing investigation and focused analysis of the areas of code that are alluded to in the disclosure is underway. Until more information is available, there is little Cisco can do at this time from a vulnerability handling perspective.

What we can do, have been doing, and will continue to do is to actively analyze the documents that were already disclosed. Based on our preliminary analysis of the disclosed documents:

  • Malware exists that seems to target different types and families of Cisco devices, including multiple router and switches families.
  • The malware, once installed on a Cisco device, seem to provide a range of capabilities: data collection, data exfiltration, command execution with administrative privileges (and without any logging of such commands ever been executed), HTML traffic redirection, manipulation and modification (insertion of HTML code on web pages), DNS poisoning, covert tunneling and others.
  • The authors have spent a significant amount of time making sure the tools, once installed, attempt to remain hidden from detection and forensic analysis on the device itself.
  • It would also seem the malware author spends a significant amount of resources on quality assurance testing – in order, it seems, to make sure that once installed the malware will not cause the device to crash or misbehave.

As mentioned above, no actual binaries or technical details of any malware has been released at this time, hence limiting the analysis to the test results/quality assurance testing logs from the disclosure. Cisco Product Security Incident Response Team (PSIRT) assumes that the associated malware will eventually be released by Wikileaks – at that time, Cisco PSIRT will proceed to analyze it and determine if the malware tries to exploit any vulnerability on a Cisco product or service. If that was to be the case, then we would make sure it is fixed and our customers are appropriately notified, by following our established security vulnerability policy.

 



Authors

Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations