Cisco Reveals Critical Vulnerability Found in WikiLeaks’ ‘Vault 7’ Docs

The security hole - identified from a leak of secret C.I.A. cyber tools - could allow hackers to access the IOS and IOS XE software inside hundreds of models of Cisco routers and switches.

Aldrin Brown, Editor-in-Chief

March 24, 2017


Brought to you by MSPmentor

Cisco Systems said it has found a critical vulnerability affecting the IOS and IOS XE software inside hundreds of models of its routers and switches.

The security hole was discovered during an internal review by Cisco following this month’s “Vault 7” document dump by WikiLeaks, which revealed classified details of the C.I.A.’s cyber espionage toolkit.

Among the records were several hundred million lines of code that lay out the intelligence agency’s methods for hacking into computers, smart TVs, and Apple and Android smartphones.

“Based on the ‘Vault 7’ public disclosure, Cisco launched an investigation into the products that could potentially be impacted by these and similar exploits and vulnerabilities,” said a blog post by Omar Santos, a Cisco security engineer. “As part of the internal investigation of our own products and the publicly available information, Cisco security researchers found a vulnerability in the Cluster Management Protocol (CMP) code in Cisco IOS and Cisco IOS XE software that could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.”

Thus far there have been no reported attacks involving the flaw.

“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory,” the security advisory said.

The WikiLeaks disclosure did not include complete instructions for creating cyber espionage tools and weapons.

Days after the dump, WikiLeaks announced that it would work with manufacturers of the affected hardware and software to fix the security flaws before releasing the full code publicly.

“After considering what we think is the best way to proceed and hearing these calls from some of the manufacturers, we have decided to work with them to give them exclusive access to additional technical details we have, so that fixes can be developed and pushed out,” WikiLeaks editor Julian Assange said during a news conference. “Once this material is effectively disarmed by us, we will publish additional details about what has been occurring.”

There was no immediate word on when — or whether — Cisco would work with WikiLeaks to obtain the technical information needed to patch the flaw.

“Since none of the tools and malware referenced in the initial Vault 7 disclosure have been made available by Wikileaks, the scope of action that can be taken by Cisco is limited,” security incident manager Dario Ciccarone wrote in a March 7 Cisco blog post.

“An ongoing investigation and focused analysis of the areas of code that are alluded to in the disclosure is underway,” the post continued. “Until more information is available, there is little Cisco can do at this time from a vulnerability handling perspective.”

The Cisco flaw involves CMP’s internal use of Telnet as a “signaling and command protocol between cluster members,” Cisco’s advisory said.

The vulnerability stems from a combination of factors:

  • The failure to restrict the use of CMP-specific Telnet options to internal, local communications between cluster members; affected devices instead accept and process such options over any Telnet connection.

  • The incorrect processing of malformed CMP-specific Telnet options.

“An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections,” the advisory states.

It adds that Cisco will release software updates when available, and that there are no immediate workarounds.

“In terms of mitigations to consider, disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector,” Santos’ blog states. “Disabling Telnet and using SSH is recommended by Cisco.”

The Cisco blog offers extensive information for hardening Cisco IOS devices and implementing infrastructure protection access control lists.   
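To check which devices still accept incoming Telnet, the mitigation above can be audited from saved configurations. The following is an added example, not code from Cisco or from this article: it parses the `line vty` blocks of an IOS-style running-config and reports each block's `transport input` setting. The sample configuration and the function name are constructed for illustration, and a block with no explicit `transport input` is flagged for manual review because the default differs by platform and release.

```python
import re

# Constructed sample running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-sw1
!
line con 0
 exec-timeout 5 0
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
line vty 16 31
 login local
!
end
"""


def audit_vty_transport(config_text):
    """Return {vty range: (status, protocols)} for every 'line vty' block.

    status is 'telnet-allowed', 'ok', or 'review-default' (no explicit
    'transport input' in the block; hypothetical label used by this example).
    """
    findings = {}
    current = None
    for raw in config_text.splitlines():
        header = re.match(r"^line vty (\d+)(?: (\d+))?\s*$", raw)
        if header:
            current = "vty " + " ".join(g for g in header.groups() if g)
            # Nothing explicit seen yet: default is platform-dependent.
            findings[current] = ("review-default", [])
            continue
        if current and raw.startswith(" "):
            m = re.match(r"^\s+transport input (.+?)\s*$", raw)
            if m:
                protos = m.group(1).split()
                exposed = "telnet" in protos or "all" in protos
                findings[current] = ("telnet-allowed" if exposed else "ok", protos)
        else:
            current = None  # an unindented line ends the vty block
    return findings


if __name__ == "__main__":
    for vty, (status, protos) in audit_vty_transport(SAMPLE_CONFIG).items():
        print(f"{vty:12} {status:15} {' '.join(protos) or '(not set)'}")
```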
