Cisco uncovers Telnet zero-day flaw in WikiLeaks' Vault 7 Central Intelligence Agency dump

Regolare Commento Stampare

It's a two-fold bug: first, the protocol doesn't restrict CMP-specific Telnet to local communications, instead processing commands over "any Telnet connection to an affected device"; and second, malformed CMP-specific Telnet options are incorrectly processed. But the security flaw wasn't included in the problems highlighted by WikiLeaks-Cisco's security team discovered the problem themselves while digging through the "Vault 7" document trove. It also does not prevent malformed CMP-specific Telnet options from being processed. Cisco provided a list of 318 products affected by the vulnerability; you can find the full list in the company's advisory.

The company said in a security advisory that the vulnerability could "allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges".

While Friday's advisory said there are "no workaround that address this vulnerability", it did say the vulnerability was active only when buggy devices were configured to accept incoming telnet connections. But it did advise customers to switch from the Telnet protocol to SSH because "disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector". Cisco said at the time that "the Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory".

The devices affected by the vulnerability discovered in the Central Intelligence Agency cache include 264 Catalyst switches, more than 50 Industrial Ethernet switches, Embedded Service 2020 switches, Cisco RF Gateway, and the SM-X Layer 2/3 EtherSwitch Service Module. The release includes a lot of information on attack techniques and targeted devices and software, and technology vendors whose products are detailed in the documents have been working back to determine whether there are still vulnerabilities in their products.

Cisco wrote in a blog that since none of the tools and malware referenced in the initial Vault 7 disclosure have been made available by WikiLeaks, the scope of action that can be taken by Cisco is limited.

Documents published so far don't appear to explicitly discuss technical details of the vulnerabilities or how to exploit them. According to Cisco, the problem with the switches could be exploited with a few simplistic commands.