CIO

Aussie businesses targeted in router, switch exploit

The Australian Cyber Security Centre has seen local businesses hit by “cyber adversaries” attempting to extract configuration files from their routers and switches

The Australian Cyber Security Centre (ACSC) has warned Australian businesses to be on the lookout for “cyber adversaries” attempting to extract configuration files from their routers and switches.

While the Australian Government cyber security agency said it had no evidence at this stage to suggest that home users were directly impacted by the threat, a number of local businesses have been hit.

According to the ACSC, switches with Cisco Smart Install that are accessible via the internet, and routers or switches with Simple Network Management Protocol (SNMP) enabled and exposed to the internet, are vulnerable to this activity.

The local activity comes several months after Cisco moved to respond to reports of security issues with its Smart Install switch management software.

“Extracted configuration files may contain sensitive information, such as device administrative credentials, and could be used to compromise the router/switch and enable targeting of other devices on the network,” the ACSC said in a statement. “Access to the device may facilitate malicious cyber adversaries gaining access to the information that flows through the device.”

The ACSC said that administrators of devices that can be directly managed from the internet should review logs for unusual activity, including configurations or command output obtained by external sources via Trivial File Transfer Protocol (TFTP), SNMP queries from unexpected sources, and the configuration of unexpected GRE tunnels.
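As an added illustration of that log review (not part of the ACSC statement or this article), the script below flags the three indicators the agency names in constructed Cisco IOS-style syslog lines: a configuration copied out via TFTP, SNMP requests from a source outside an assumed management subnet, and GRE tunnel configuration commands. The message mnemonics, the sample lines and the 10.10.0.0/24 management network are assumptions for the example.

```python
import ipaddress
import re

# Constructed Cisco IOS-style syslog lines (sample input, not from the article).
# Mnemonics such as PARSER-5-CFGLOG_LOGGEDCMD (config-change logging) and
# SNMP-3-AUTHFAIL are assumed here; check them against your own device output.
SAMPLE_LOGS = [
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:copy running-config tftp://198.51.100.7/sw1.cfg",
    "%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.9",
    "%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.10.0.5",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:interface Tunnel0",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:tunnel mode gre ip",
    "%SYS-5-CONFIG_I: Configured from console by vty0 (10.10.0.5)",
]
TRUSTED_MGMT = [ipaddress.ip_network("10.10.0.0/24")]  # assumed NMS subnet

MNEMONIC = re.compile(r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+):\s*(?P<msg>.*)")
LOGGED_CMD = re.compile(r"logged command:(?P<cmd>.+)$")
SNMP_SRC = re.compile(r"from host (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def is_trusted(ip, trusted):
    """True when the source address falls inside an approved management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def find_indicators(lines, trusted=TRUSTED_MGMT):
    """Return (rule, line) pairs for the three review points the ACSC lists."""
    findings = []
    for line in lines:
        m = MNEMONIC.search(line)
        if not m:
            continue
        mnemonic, msg = m.group("mnemonic"), m.group("msg")
        cmd = LOGGED_CMD.search(msg)
        if mnemonic == "PARSER-5-CFGLOG_LOGGEDCMD" and cmd:
            c = cmd.group("cmd").strip().lower()
            if c.startswith("copy") and "tftp" in c and "config" in c:
                findings.append(("config_exported_via_tftp", line))
            elif c.startswith("tunnel mode gre") or re.match(r"interface tunnel\d+", c):
                findings.append(("gre_tunnel_configured", line))
        elif mnemonic == "SNMP-3-AUTHFAIL":
            src = SNMP_SRC.search(msg)
            if src and not is_trusted(src.group("ip"), trusted):
                findings.append(("snmp_from_untrusted_source", line))
    return findings


if __name__ == "__main__":
    for rule, line in find_indicators(SAMPLE_LOGS):
        print(f"{rule}: {line}")
```

The SNMP-3-AUTHFAIL line from 10.10.0.5 is deliberately not flagged, since it originates inside the assumed management subnet; tune the trusted networks to match your own NMS hosts.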

Additionally, the agency said that businesses wanting to minimise the potential threat should disable SNMP Read/Write if not strictly required. If SNMP Read/Write is required, the ACSC said, organisations should either ensure the SNMP service cannot be connected to untrusted sources, or simply upgrade to SNMPv3 and change all community strings.

The agency also recommended that businesses implement Access Control Lists (ACLs) to restrict SNMP access to network management platforms and configure anti-spoofing at the edge of the network.

Finally, the ACSC said that organisations should disable Cisco Smart Install if not strictly required.

Cisco piped up about reports of Smart Install misuse in February, saying that it had updated its Smart Install Configuration Guide to include security best practices regarding the deployment of the Cisco Smart Install feature within customer infrastructures.

“Several researchers have reported on the use of Smart Install (SMI) protocol messages toward Smart Install clients, also known as integrated branch clients (IBC), allowing an unauthenticated, remote attacker to change the startup-config file and force a reload of the device, load a new IOS image on the device, and execute high-privilege CLI commands on switches running Cisco IOS and IOS XE Software,” the vendor said earlier this year.

“Cisco does not consider this a vulnerability in Cisco IOS, IOS XE, or the Smart Install feature itself but a misuse of the Smart Install protocol, which does not require authentication by design. Customers who are seeking more than zero-touch deployment should consider deploying the Cisco Network Plug and Play solution instead,” it said.