Remote Code Execution Vulnerability Affecting 318 Cisco Switches

Following the WikiLeaks massive Vault 7 data leak, a new critical remote code vulnerability affecting 318 Cisco Systems switches has been revealed. While the data leak allegedly comes from the CIA, the vulnerability is very real, and Cisco has already issued an advisory for it.

The vulnerability involves the Cisco Cluster Management Protocol (CMP) that uses the Telnet protocol to accept and process malformed CMP-specific Telnet options. Consequently, an attacker could remotely dial into those switches and either cause a reload of the device or execute code running with elevated privileges.

“An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections,” reads the Cisco Advisory. “An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device.”

Although the vulnerability is reportedly only active when the device is configured to accept any incoming Telnet connections – instead of only from internal cluster members – Cisco does mention that changing or disabling this setting could reduce the risk of compromise. However, the CVE-2017-3881 advisory reads that there are currently “no workarounds available” and that any Telnet session triggered over IPv4 or IPv6 can be exploited.

“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory,” according to the same advisory.

While no patch is yet available for the vulnerability, the full list of 318 potentially affected devices can be found here.