Cisco has disclosed a critical vulnerability affecting more than 300 of its switch models and one gateway.
Cisco found the flaw while analysing the documents in the WikiLeaks Vault 7 release.
The flaw is in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software.
The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors:
• The failure to restrict the use of CMP-specific Telnet options to internal, local communications between cluster members; instead, such options are accepted and processed over any Telnet connection to an affected device
• The incorrect processing of malformed CMP-specific Telnet options
“An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device,” Cisco officials said in a post.
The complete list of affected devices is in the security advisory.
Cisco said it is not aware of any attackers leveraging the vulnerability, and that it will provide free software updates to address the issue.
Users can mitigate the risk by disabling Telnet on the device and managing it over SSH instead. If that is not possible, they can reduce the attack surface with infrastructure access control lists that restrict Telnet to trusted management hosts.
The security advisory provides instructions for determining whether a device uses the CMP subsystem, whether it accepts Telnet connections, and which Cisco IOS or IOS XE Software release it is running.
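As an added triage example (not Cisco's own tooling, and not code from the original article), the following Python script takes the output of the three checks the advisory describes, decides whether a device is exposed, and emits the hardening configuration described above: Telnet off, SSH only, and an access list on the vty lines. The sample command outputs, the management subnet 10.0.0.0/24 and the ACL name VTY-MGMT are constructed assumptions; the advisory's list of affected releases is not reproduced, so the release string still has to be compared by hand.

```python
"""Triage helper for the CMP Telnet issue in Cisco IOS / IOS XE.

Added example, not Cisco's own tooling. It assumes you have already
collected these three command outputs from each device:

    show subsys class protocol | include ^cmp
    show running-config | include ^line vty|transport input
    show version
"""
import re
from typing import Dict, List, Optional

# Constructed sample outputs: a device that has the CMP subsystem and
# still accepts Telnet on every vty line.
SUBSYS_OUT = "cmp                   Protocol  1.000.001\n"
VTY_OUT = (
    "line vty 0 4\n"
    " transport input telnet ssh\n"
    "line vty 5 15\n"
    " transport input all\n"
)
VERSION_OUT = (
    "Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), "
    "Version 15.2(2)E2, RELEASE SOFTWARE (fc2)\n"
)


def has_cmp_subsystem(subsys_out: str) -> bool:
    """True if the filtered 'show subsys' output lists the cmp subsystem.
    Empty output means the device does not run CMP at all."""
    return any(line.split()[:1] == ["cmp"] for line in subsys_out.splitlines())


def telnet_vty_lines(vty_out: str) -> List[str]:
    """Return the vty ranges that accept Telnet.

    'transport input all' and any list containing 'telnet' accept it. A vty
    block with no 'transport input' line is reported too: the default differs
    between releases, so the conservative assumption is that Telnet is open.
    """
    exposed: List[str] = []
    current: Optional[str] = None
    seen_transport = False
    for line in vty_out.splitlines():
        m = re.match(r"^line vty (\d+(?: \d+)?)", line)
        if m:
            if current is not None and not seen_transport:
                exposed.append(current)
            current, seen_transport = m.group(1), False
            continue
        m = re.match(r"^\s*transport input (.+?)\s*$", line)
        if m and current is not None:
            seen_transport = True
            protocols = m.group(1).split()
            if "all" in protocols or "telnet" in protocols:
                exposed.append(current)
    if current is not None and not seen_transport:
        exposed.append(current)
    return exposed


def ios_release(version_out: str) -> Optional[str]:
    """Extract the release string for comparison against the advisory's
    list of affected releases (not reproduced here)."""
    m = re.search(r"Version ([^,\s]+)", version_out)
    return m.group(1) if m else None


def triage(subsys_out: str, vty_out: str, version_out: str) -> Dict[str, object]:
    """A device is exposed when it runs the CMP subsystem and accepts Telnet
    on at least one vty line; the release check is left to the operator."""
    cmp_present = has_cmp_subsystem(subsys_out)
    telnet_lines = telnet_vty_lines(vty_out)
    return {
        "cmp_subsystem": cmp_present,
        "telnet_vty_lines": telnet_lines,
        "release": ios_release(version_out),
        "exposed": cmp_present and bool(telnet_lines),
    }


# Assumed placeholder: the subnet your management hosts sit on.
MGMT_SUBNET = "10.0.0.0 0.0.0.255"


def hardening_config(mgmt_subnet: str = MGMT_SUBNET, vty_range: str = "0 15") -> str:
    """IOS configuration that replaces Telnet with SSH on the vty lines and
    applies an infrastructure ACL (access-class) so only the management subnet
    reaches them. Apply only after the SSH prerequisites exist (hostname,
    ip domain-name, crypto key generate rsa, a working login method), or the
    change locks you out of the device."""
    return "\n".join([
        "ip access-list extended VTY-MGMT",
        f" permit tcp {mgmt_subnet} any eq 22",
        " deny ip any any log",
        f"line vty {vty_range}",
        " transport input ssh",
        " access-class VTY-MGMT in",
    ])


if __name__ == "__main__":
    result = triage(SUBSYS_OUT, VTY_OUT, VERSION_OUT)
    print(result)
    if result["exposed"]:
        print(hardening_config())
```

The deliberately conservative choice is to flag vty blocks that carry no `transport input` line at all, since the default transport differs across releases; a block configured with `transport input ssh` or `transport input none` is not reported.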
It also includes indicators of compromise that can be used to detect exploitation attempts.