In recent weeks, Cisco has published several documents related to the Smart Install feature: one Talos blog about potential misuse of the feature if left enabled, and two Cisco Security Advisories that were included in the March 2018 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Given the heightened awareness, we want to minimize any potential confusion about exploitation attempts and clarify the verification of the feature on customer devices. As such, Cisco has attempted to consolidate all information related to the mitigation of potential Smart Install misuse or exploit of related vulnerabilities into this single document, which also notes how to properly secure devices that may be exposed and remediate the disclosed vulnerabilities. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180409-smi
The following table lists the Advisories that identify the Smart Install feature (Client and/or Director) as being vulnerable and the extent that these respective vulnerabilities are being actively exploited:
Advisory Name | CVE ID | Description | Client/Director | Publication Date | Actively Exploited? |
---|---|---|---|---|---|
Cisco Smart Install Protocol Misuse | N/A | Widespread scanning for devices with the Smart Install feature enabled and without proper security controls | Client Only | 14-Feb-2017 | Yes |
Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability | CVE-2018-0171 | Reload, denial of service, remote code execution | Client Only | 28-Mar-2018 | No |
Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability | CVE-2018-0156 | Reload, denial of service | Client Only | 28-Mar-2018 | No |
Cisco IOS and IOS XE Software Smart Install Memory Leak Vulnerability | CVE-2016-6385 | Memory leak, eventual denial of service | Client Only | 28-Sep-2016 | No |
Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability | CVE-2016-1349 | Denial of service | Client Only | 23-Mar-2016 | No |
Cisco IOS Software Smart Install Denial of Service Vulnerability | CVE-2013-1146 | Denial of service | Client Only | 27-Mar-2013 | No |
Cisco IOS Software Smart Install Denial of Service Vulnerability | CVE-2012-0385 | Malformed SMI packet causes reload | Client & Director | 28-Mar-2012 | No |
Cisco IOS Software Smart Install Remote Code Execution Vulnerability | CVE-2011-3271 | Remote code execution | Client & Director | 28-Sep-2011 | No |
To ensure their network is protected against issues involving Smart Install, our recommendation for customers not actually using Smart Install is to disable the feature using the no vstack command once setup is complete. Customers who do use the feature - and need to leave it enabled - can use ACLs to block incoming traffic on TCP port 4786 (the proper security control). Additionally, patches for known security vulnerabilities should be applied as part of standard network security management.
Customers concerned with potential exposure of their network devices to the Smart Install vulnerabilities should adhere to the following process:
Cisco Smart Install is a legacy feature that provides zero-touch deployment for new switches, typically access layer switches, and incorporates no authentication by design. Newer technology, such as the Cisco Network Plug and Play feature, is highly recommended for more secure setup of new switches. If not properly disabled or secured following setup, Smart Install could allow for the exfiltration and modification of configuration files, among other things, even without the presence of a vulnerability.
A Smart Install network consists of one Smart Install Director switch or router, also known as the Integrated Branch Director (IBD), and one or more Smart Install Client switches, also known as Integrated Branch Clients (IBCs).
The Smart Install feature is enabled by default on client switches. No specific configuration is needed on Smart Install Client switches, whereas the Smart Install Director must be configured explicitly.
To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker, that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory (“First Fixed”). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified (“Combined First Fixed”).
Customers can use this tool to perform the following tasks:
To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS Software or Cisco IOS XE Software release (for example, 15.1(4)M2 or 3.13.8S) in the following field:
The following examples show the output of the show vstack config command on a Cisco Catalyst switch with the Smart Install Client feature enabled. These are the only outputs that indicate that the Smart Install Client feature is enabled:
Switch4#show vstack config | include Role
Role: Client (SmartInstall enabled)
switch4# show vstack config
Capability: Client
Oper Mode: Enabled
Role: Client
The following example shows the output of the show tcp brief all | include 4786 command in a Cisco Catalyst switch that is listening on the Smart Install Client port (TCP 4786):
Switch#show tcp brief all | include 4786
FFB6D31818 0.0.0.0.4786 *.* LISTEN
Switch#
The following example shows the output of the show tcp brief all | include 4786 command in a Cisco Catalyst switch that is listening on the Smart Install Client port (TCP 4786) AND has a connection to a Smart Install Director (IP address: 10.69.12.117):
FFA893EA50 10.66.91.126.4786 10.69.12.117.54246 CLOSEWAIT
FFB6D31818 0.0.0.0.4786 *.* LISTEN
Switch#
Please note that this method cannot distinguish between a device running as a Smart Install Client and a device running as a Smart Install Director. As such, the show vstack config command is preferred whenever possible.
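To apply the two checks above across a fleet of switches, the following Python script (an added example, not Cisco's tooling) parses captured show vstack config and show tcp brief all output, decides whether the Smart Install Client is enabled using only the two output forms the advisory lists, and compares the peers seen on TCP port 4786 against an operator-supplied set of expected Director addresses. The sample outputs embedded in the script are constructed copies of the advisory's examples; the "disabled" sample is an assumption about how a switch looks after no vstack, and the expected-Director set is something the operator supplies.

```python
"""Assess Smart Install Client exposure from captured IOS CLI output.

Added example (not Cisco tooling). Parses 'show vstack config' and
'show tcp brief all' output, reports whether the Client is enabled and
which peers are connected to TCP/4786 beyond the expected Director(s).
"""
import re

SMI_PORT = 4786

# Constructed samples copied from the advisory's examples.
VSTACK_ENABLED = """\
switch4# show vstack config
Capability: Client
Oper Mode: Enabled
Role: Client
"""

# Constructed sample (assumption) of a switch after 'no vstack': the
# advisory only guarantees that the two "enabled" patterns do NOT appear.
VSTACK_DISABLED = """\
switch4# show vstack config
Capability: Client
Oper Mode: Disabled
Role: NA
"""

TCP_BRIEF = """\
Switch#show tcp brief all | include 4786
FFA893EA50 10.66.91.126.4786 10.69.12.117.54246 CLOSEWAIT
FFB6D31818 0.0.0.0.4786 *.* LISTEN
Switch#
"""

# The two output forms the advisory lists as meaning "Client enabled".
_ROLE_ENABLED = re.compile(r"^Role:\s*Client\s*\(SmartInstall enabled\)$")
_OPER_ENABLED = re.compile(r"^Oper Mode:\s*Enabled$")
_ROLE_CLIENT = re.compile(r"^Role:\s*Client$")


def smi_client_enabled(vstack_output):
    """True only for the outputs the advisory says indicate an enabled Client."""
    lines = [l.strip() for l in vstack_output.splitlines()]
    if any(_ROLE_ENABLED.match(l) for l in lines):
        return True
    return (any(_OPER_ENABLED.match(l) for l in lines)
            and any(_ROLE_CLIENT.match(l) for l in lines))


# TCB  local.port  foreign.port  STATE  (IPv4 rows of 'show tcp brief all')
_TCP_ROW = re.compile(r"^([0-9A-Fa-f]+)\s+(\S+)\s+(\S+)\s+([A-Z]+)$")


def _endpoint(ep):
    """Split 'a.b.c.d.port' into (ip, port); '*.*' is the listener wildcard."""
    if ep == "*.*":
        return "*", None
    host, port = ep.rsplit(".", 1)
    return host, int(port)


def parse_tcp_brief(output):
    """One dict per TCP row; prompts, echoed commands and headers are skipped."""
    rows = []
    for line in output.splitlines():
        m = _TCP_ROW.match(line.strip())
        if not m:
            continue
        tcb, local, foreign, state = m.groups()
        lip, lport = _endpoint(local)
        fip, fport = _endpoint(foreign)
        rows.append({"tcb": tcb, "local_ip": lip, "local_port": lport,
                     "foreign_ip": fip, "foreign_port": fport, "state": state})
    return rows


def smi_sessions(tcp_output, expected_directors):
    """Listener state and peers on TCP/4786, split into expected and unexpected."""
    rows = [r for r in parse_tcp_brief(tcp_output) if r["local_port"] == SMI_PORT]
    peers = sorted({r["foreign_ip"] for r in rows if r["foreign_ip"] != "*"})
    expected = set(expected_directors)
    return {"listening": any(r["state"] == "LISTEN" for r in rows),
            "peers": peers,
            "unexpected_peers": [p for p in peers if p not in expected]}


def assess(vstack_output, tcp_output, expected_directors=()):
    """Combine both checks into one verdict, following the advisory's guidance."""
    enabled = smi_client_enabled(vstack_output)
    sess = smi_sessions(tcp_output, expected_directors)
    if enabled and not expected_directors:
        action = "disable: Client enabled but no Director in use; apply 'no vstack'"
    elif enabled and sess["unexpected_peers"]:
        action = "investigate: TCP/4786 peer(s) outside the expected Director set"
    elif enabled:
        action = "restrict: keep enabled, limit TCP/4786 to the Director with an ACL"
    elif sess["listening"]:
        action = "verify: port 4786 open but vstack output shows no enabled Client (device may be a Director)"
    else:
        action = "ok: Smart Install Client not enabled"
    return {"client_enabled": enabled, **sess, "action": action}


if __name__ == "__main__":
    for directors in ([], ["10.69.12.117"], ["10.10.10.1"]):
        print(directors, "->", assess(VSTACK_ENABLED, TCP_BRIEF, directors)["action"])
```

The "verify" verdict exists precisely because of the limitation noted above: an open port 4786 without the Client patterns in show vstack config may be a Director, so the script never concludes "Client enabled" from the TCP listener alone.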
Upon successful deployment of Cisco Switches, administrators should either utilize Smart Install or immediately disable the Smart Install Client feature if Smart Install is not used, as the feature will no longer be required for operation. The Smart Install feature can be disabled with the no vstack command.
For networks where the no vstack command is not available or where Smart Install is used for more than just zero-touch deployment, customers should ensure that only the IBD has TCP connectivity to all IBCs on port 4786. Administrators can use the following security best practices for Cisco Smart Install deployments on affected devices:
An interface ACL might look like the following example, with the IP address of the Smart Install Director (IBD) being 10.10.10.1 and the IP address of the Smart Install Client (IBC) being 10.10.10.200:
ip access-list extended SMI_HARDENING_LIST
permit tcp host 10.10.10.1 host 10.10.10.200 eq 4786
deny tcp any any eq 4786
permit ip any any
This ACL would then need to be deployed on all IP interfaces on all IBCs. It can be pushed via the IBD when the switches are first deployed.
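The following Python helper, added here and not part of Cisco's advisory, generates that hardening ACL for one Client and any number of Directors, and audits an ACL copied from a running configuration for the two properties the example relies on: each Director's permit precedes the catch-all deny on TCP 4786, and nothing else is permitted to reach that port ahead of the deny. The ACL name and addresses are the advisory's sample values; the audit understands only the host/any/wildcard address forms and the eq/range port qualifiers, which is an assumption about how the ACLs being checked are written.

```python
"""Generate and audit the Smart Install hardening ACL from the advisory.

Added example, not Cisco tooling. build_smi_acl() emits the ACL for one
Client (IBC) and any number of Directors (IBDs); audit_smi_acl() checks an
ACL copied from a running configuration for the ordering the advisory's
example depends on.
"""
import ipaddress
import re

SMI_PORT = 4786
ACL_NAME = "SMI_HARDENING_LIST"   # name used in the advisory's example


def build_smi_acl(directors, client, acl_name=ACL_NAME):
    """Permit each Director to the Client on TCP/4786, deny that port to all
    others, then allow everything else. Addresses are validated as IPv4."""
    client_ip = ipaddress.IPv4Address(client)          # raises on a typo
    lines = [f"ip access-list extended {acl_name}"]
    for d in directors:
        lines.append(f"permit tcp host {ipaddress.IPv4Address(d)} host {client_ip} eq {SMI_PORT}")
    lines.append(f"deny tcp any any eq {SMI_PORT}")
    lines.append("permit ip any any")
    return lines


# One access-control entry, with or without a sequence-number prefix.
_ACE = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.+?)\s*$")


def _take_addr(toks, i):
    """Parse 'any' | 'host A' | 'NET WILDCARD' starting at toks[i]."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    return f"{toks[i]} {toks[i + 1]}", i + 2


def _take_port(toks, i):
    """Parse an optional 'eq N' or 'range A B' port qualifier."""
    if i < len(toks) and toks[i] == "eq":
        return int(toks[i + 1]), i + 2
    if i < len(toks) and toks[i] == "range":
        return (int(toks[i + 1]), int(toks[i + 2])), i + 3
    return None, i


def _covers_smi(proto, dport):
    """Does this entry apply to TCP destination port 4786?"""
    if proto == "ip":
        return True
    if proto != "tcp":
        return False
    if dport is None:                  # no port qualifier: all TCP ports
        return True
    if isinstance(dport, tuple):
        return dport[0] <= SMI_PORT <= dport[1]
    return dport == SMI_PORT


def audit_smi_acl(acl_text, directors):
    """Return a list of findings (empty means the ACL has the intended shape)."""
    directors = {str(ipaddress.IPv4Address(d)) for d in directors}
    findings, permitted_directors, deny_seen = [], set(), False
    for n, raw in enumerate(acl_text.splitlines(), 1):
        m = _ACE.match(raw)
        if not m:
            continue                                    # header, remarks, blanks
        action, proto, rest = m.groups()
        try:
            toks = rest.split()
            src, i = _take_addr(toks, 0)
            _, i = _take_port(toks, i)                  # source port, ignored
            dst, i = _take_addr(toks, i)
            dport, _ = _take_port(toks, i)
        except (IndexError, ValueError):
            findings.append(f"line {n}: could not parse entry: {raw.strip()}")
            continue
        if not _covers_smi(proto, dport):
            continue
        if action == "permit":
            if deny_seen and src in directors:
                findings.append(f"line {n}: permit for Director {src} comes after the deny and never matches")
            elif not deny_seen and src in directors:
                permitted_directors.add(src)
            elif not deny_seen:
                findings.append(f"line {n}: permits TCP/{SMI_PORT} from {src} ahead of the deny")
            # a non-Director permit after the deny is shadowed for 4786: fine
        elif action == "deny" and src == "any":         # a real catch-all deny
            deny_seen = True
    if not deny_seen:
        findings.append(f"no catch-all deny for TCP/{SMI_PORT}")
    for d in sorted(directors - permitted_directors):
        findings.append(f"Director {d} has no permit ahead of the deny")
    return findings


if __name__ == "__main__":
    acl = build_smi_acl(["10.10.10.1"], "10.10.10.200")
    print("\n".join(acl))
    print("findings:", audit_smi_acl("\n".join(acl), ["10.10.10.1"]))
```

The audit only inspects the ACL body; whether it is actually applied to every IP interface of each IBC is a separate check against the interface configuration.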
Cisco IOS Software Smart Install Remote Code Execution Vulnerability
Cisco IOS Software Smart Install Denial of Service Vulnerability
Cisco IOS Software Smart Install Denial of Service Vulnerability
Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability
Cisco IOS and IOS XE Software Smart Install Memory Leak Vulnerability
Cisco Smart Install Protocol Misuse (First Published 14-Feb-2017)
TALOS Smart Install Detection Tool
Smart Install Configuration Guide
In software releases that incorporate the changes from Cisco Bug ID CSCvd36820, the Cisco Smart Install Client feature should auto-disable after boot as soon as the switch detects that zero-touch deployment is not being used.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Version | Description | Section | Status | Date |
---|---|---|---|---|
1.2 | Added appendix to list of references. | Details | Final | 2018-April-11 |
1.1 | Updated links, formatting, and text in table; updated text and formatting of code examples. | Details | Final | 2018-April-10 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.