Cisco working to plug switch vulnerability revealed by WikiLeaks


Cisco Systems partners are already advising customers on how to mitigate a critical security vulnerability affecting more than 300 routers and switches, discovered after WikiLeaks exposed CIA documents.

On 17 March, Cisco disclosed that it had discovered hundreds of Cisco devices were vulnerable after WikiLeaks made public a set of CIA documents referred to as the "Vault 7 leak."

Cisco's Catalyst switching models were affected most, including many of the 2960, 3560 and 3750 series as well as Cisco's IE 2000 and 4000 Industrial Ethernet switching series.

There is currently no fix or workaround available; however, disabling Telnet as an allowed protocol for incoming connections would eliminate the attack vector, said Omar Santos, Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations, in a blog post.

Cisco said it will release software updates that address the vulnerability, although the company did not specify when the software will be made available.

"Since none of the tools and malware referenced in the initial Vault 7 disclosure have been made available by WikiLeaks, the scope of action that can be taken by Cisco is limited," said Santos in the blog post. 

"An ongoing investigation and focused analysis of the areas of code that are alluded to in the disclosure is under way... What we can do, have been doing, and will continue to do, is to actively analyse the documents that were already disclosed."

According to Cisco's security advisory, an attacker could exploit the vulnerability by sending malformed Cluster Management Protocol (CMP)-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. A successful exploit could allow the attacker to execute arbitrary code and obtain full control of the device, or cause the affected device to reload, Cisco said.

The company is a prime target for hackers because of its dominant share in the networking market, said partners.

Cisco's security business is the vendor's fastest-growing market segment.

For its most recent second fiscal quarter, the company reported 14 percent growth in security year over year to US$528 million. It was Cisco's fifth consecutive quarter of double-digit growth in security.

Cisco security researchers found the vulnerability in its CMP code in Cisco IOS and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.

The CMP uses Telnet internally as a signaling and command protocol between cluster members, according to the critical security advisory Cisco published on 17 March. Customers who are unable or unwilling to disable Telnet can reduce the attack surface by implementing infrastructure access control lists (iACLs) that restrict which sources may reach the device, according to Santos.
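The two mitigations above (disable inbound Telnet, or at least restrict its sources with an access list) can be checked in a saved running-config. The following audit script is an added example, not Cisco's tooling or code from the advisory; it parses the `line vty` stanzas of a constructed sample config and flags each range as exposed, restricted or ok. The treatment of a stanza with no `transport input` line as Telnet-reachable is an assumption, since the default varies by IOS release.

```python
"""Audit Cisco IOS 'line vty' stanzas for Telnet exposure (added check, not Cisco's tooling)."""
import re

# Constructed sample running-config: an exposed vty range and a hardened one.
SAMPLE_CONFIG = """\
line vty 0 4
 transport input all
 login local
line vty 5 15
 access-class MGMT-ONLY in
 transport input ssh
 login local
!
end
"""

TELNET_TRANSPORTS = {"all", "telnet"}

def parse_vty_blocks(config):
    """Map each 'vty X Y' range to its indented configuration lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^line (vty \d+ \d+)$", raw)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or a non-vty section ends the stanza
    return blocks

def audit_vty(config):
    """Verdict per vty range: 'exposed' (Telnet reachable from anywhere),
    'restricted' (Telnet allowed but an inbound access-class limits sources,
    the iACL-style partial mitigation), or 'ok' (no Telnet transport)."""
    findings = {}
    for name, lines in parse_vty_blocks(config).items():
        transports = set()
        for entry in lines:
            if entry.startswith("transport input"):
                transports.update(entry.split()[2:])
        # Assumption: a stanza with no 'transport input' is treated as
        # Telnet-reachable; the real default varies by IOS release.
        telnet = not transports or bool(transports & TELNET_TRANSPORTS)
        has_acl = any(e.startswith("access-class") and e.endswith(" in") for e in lines)
        findings[name] = "ok" if not telnet else ("restricted" if has_acl else "exposed")
    return findings
```

Run it over `show running-config` output saved to a file; any range reported as "exposed" still accepts Telnet from arbitrary sources and is the first thing to fix until the patched software ships.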

Copyright © 2018 The Channel Company, LLC. All rights reserved.