Cisco finds switch ‘vulnerability’ in Wikileaks’ Vault 7 disclosure

It’s the dream of many operators to have a property that is running fully in-synch, but persistent data breaches may be reason enough to question which devices on property are working in tandem.
The Cisco vulnerability affects more than 300 Cisco products including its Cisco Catalyst Blade Switch hardware used in Dell, IBM and HP Enterprise equipment.

Cisco Systems warned that hundreds of models of its switches, mainly sold to enterprise users, can be remotely hacked, potentially allowing malicious users to “cause a reload of an affected device or remotely execute code with elevated privileges.”

Cisco said it found the vulnerability “during the analysis of documents related to the Vault 7 disclosure.” Released earlier this month by Wikileaks, Vault 7 has been described as software tools used by the CIA to spy on people through phones, TVs and other gadgets. Federal officials are investigating the leak, which included roughly 8,000 documents.

As Threatpost noted, the Cisco vulnerability affects more than 300 Cisco products including its Cisco Catalyst Blade Switch hardware used in Dell, IBM and HP Enterprise equipment.

Cisco noted the vulnerability leverages its Cisco Cluster Management Protocol (CMP) processing code in its Cisco IOS and Cisco IOS XE software, using the Telnet protocol internally as a signaling and command protocol between cluster members.

“An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device,” Cisco wrote on its security advisory site. “Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability.”

In a separate post, Cisco noted that Wikileaks hasn’t yet released any of the actual tools or exploits associated with Vault 7, thus allowing those who are affected a chance to plug vulnerabilities.

Nonetheless, the threat remains.

“Since cyberattackers can easily scan the internet for exposed Cisco servers using open source tools, we could see (adversaries) exploiting this newly discovered vulnerability either to create massive DDoS botnets or to snoop on traffic after gaining full control of the router,” Phil Neray, VP of industrial cybersecurity at CyberX, told Threatpost.

The news from Cisco, while by itself relatively minor in the wider topic of cybersecurity, still stands as another example of the kinds of threats that telco vendors and operators face. Indeed, the SVP of cyber engineering and technology services with CenturyLink, Bill Bradley, recently told FierceTelecom that tackling cybersecurity threats will require collaboration across multiple domains, including service providers as well as vendors and government agencies.

“I think you have to think about cybersecurity as a continuous process that would be analogous to accounting," Bradley said. “You have accounting efforts underway every day, and you have oversight, and that’s the ongoing process we have to apply to cybersecurity in order to protect a company.”