The company identified this highest level of vulnerability in its product while analyzing "Vault 7" — a roughly 8,761 documents and files leaked by Wikileaks last week, claiming to detail hacking tools and tactics of the Central Intelligence Agency (CIA).
The vulnerability resides in the Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software.
If exploited, the flaw (CVE-2017-3881) could allow an unauthenticated, remote attacker to cause a reboot of an affected device or remotely execute malicious code on the device with elevated privileges to take full control of the device, Cisco says in its advisory.
The CMP protocol has been designed to pass around information about switch clusters between cluster members using Telnet or SSH.
The vulnerability is in the default configuration of affected Cisco devices, even if the user doesn't configure any cluster configuration commands. The flaw can be exploited during Telnet session negotiation over either IPv4 or IPv6.
According to the Cisco researchers, this bug occurs in Telnet connections within the CMP, due to two factors:
- The protocol doesn't restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members; instead, it accepts and processes commands over any Telnet connection to an affected device.
- The incorrect processing of malformed CMP-specific Telnet options.
So, in order to exploit this vulnerability, an attacker can send "malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections," researchers say.
This exploitation could allow the attacker to remotely execute malicious code and obtain full control of the affected device or cause a reload of the affected device.
Disable Telnet On Vulnerable Models — Patch is not Available Yet!
The vulnerability affects 264 Catalyst switches, 51 industrial Ethernet switches, and 3 other devices, which includes Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2/3 EtherSwitch Service Module, Enhanced Layer 2 EtherSwitch Service Module, ME 4924-10GE switch, IE Industrial Ethernet switches, RF Gateway 10, SM-X Layer 2/3 EtherSwitch Service Module, and Gigabit Ethernet Switch Module (CGESM) for HP. (check complete list here)
Currently, this vulnerability is unpatched, and until patches are available, Cisco recommends its users to disable the Telnet connection to the switch devices in favor of SSH.
The company's advisory doesn't talk about any working exploit using this flaw, but if there's one, tens of thousands, if not hundreds of thousands, of devices installed around the world look to have been at great risk for an unknown period — Thanks to the CIA for holding the flaw.
Cisco will update its IOS Software Checker tool immediately as soon as the patches come out.