Cisco Reveals Critical Vulnerability Found in WikiLeaks’ ‘Vault 7’ Docs

Written by Aldrin Brown
March 23, 2017

The security hole - identified from a leak of secret C.I.A. cyber tools - could allow hackers to access the IOS and IOS XE software inside hundreds of models of Cisco routers and switches.

Cisco Systems said it has found a critical vulnerability affecting the IOS and IOS XE software inside hundreds of models of its routers and switches.

The security hole was discovered during an internal review by Cisco following this month’s “Vault 7” document dump by WikiLeaks, which detailed classified details of the C.I.A.’s cyber espionage toolkit.

Among the records were several hundred million lines of code that lay out the intelligence agency’s methods for hacking into computers, smart TVs, and Apple and Android smartphones.

“Based on the ‘Vault 7’ public disclosure, Cisco launched an investigation into the products that could potentially be impacted by these and similar exploits and vulnerabilities,” said a blog post by Omar Santos, a Cisco security engineer. “As part of the internal investigation of our own products and the publicly available information, Cisco security researchers found a vulnerability in the Cluster Management Protocol (CMP) code in Cisco IOS and Cisco IOS XE software that could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.”

Click here to view a full list of affected Cisco products.

Thus far there have been no reported attacks involving the flaw.

“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory,” the security advisory said.

The WikiLeaks’ disclosure did not include complete instructions for creating cyber espionage tools and weapons.

Days after the dump, WikiLeaks announced that it would work with manufacturers of the affected hardware and software to fix the security flaws before releasing the full code publicly.

“After considering what we think is the best way to proceed and hearing these calls from some of the manufacturers, we have decided to work with them to give them exclusive access to additional technical details we have, so that fixes can be developed and pushed out,” WikiLeaks editor Julian Assange said during a news conference. “Once this material is effectively disarmed by us, we will publish additional details about what has been occurring.”

There was no immediate word on when — or whether — Cisco would work with WikiLeaks to obtain the technical information needed to patch the flaw.

“Since none of the tools and malware referenced in the initial Vault 7 disclosure have been made available by Wikileaks, the scope of action that can be taken by Cisco is limited,” security incident manager Dario Ciccarone wrote in a March 7 Cisco blog post.

“An ongoing investigation and focused analysis of the areas of code that are alluded to in the disclosure is underway,” the post continued. “Until more information is available, there is little Cisco can do at this time from a vulnerability handling perspective.”

The Cisco problem takes advantage of the CMP’s use of Telnet internally as a “signaling and command protocol between cluster members,” Cisco’s advisory said.

The vulnerability stems from a combination of factors:

The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device.
The incorrect processing of malformed CMP-specific Telnet options.

“An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections,” the advisory states.

It adds that Cisco will release software updates when available, and that there are no immediate workarounds.

“In terms of mitigations to consider, disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector,” Santos’ blog states. “Disabling Telnet and using SSH is recommended by Cisco.”

The Cisco blog offers extensive information for hardening Cisco IOS devices and implementing infrastructure protection access control lists.

Send tips and news to [email protected].