The affected plug-and-play feature is enabled by default on Cisco IOS switches and wireless devices. If not disabled, the feature can allow a remote, unauthenticated attacker to execute code or deny service. Enterprises that have not disabled Cisco’s “plug-and-play” Smart Install may be critically impacted.
Admins should apply patches or use ForeScout CounterACT® to classify assets and manage updates. Newly released CounterACT Security Policy Templates v18.0.4 extend coverage to most Cisco IOS vulnerabilities that are classified Critical and High according to Cisco’s Severity Impact Rating (SIR).
This CounterACT update extends Cisco managed device coverage beyond the Adaptive Security Appliance devices covered in the March SPT release.
What is the impact?
The Smart Install remote code execution (CVE-2018-0171) may be the most serious of the 22 vulnerabilities. With a likely severity score of 9.8 out of 10, the impact is considered “Critical.”
This attack requires crafted Smart Install protocol packets that abuse application input validation to cause buffer overflow. A successful exploit could result in total loss of data confidentiality, integrity and availability.
Impact so far has been minimized thanks to responsible disclosure by researchers at Embedi. These researchers also published proof-of-concept exploit code, so attacks are likely.
Guidance for ForeScout customers
CounterACT streamlines Cisco device classification and vulnerability detection. The CounterACT Cisco IOS/IOS XE Security Policy Templates detect vulnerable and potentially vulnerable managed Cisco IOS and IOS XE switch and wireless devices. This extends CounterACT’s asset inventory capabilities to Cisco device and network compliance. To address this vulnerability, ForeScout recommends taking the following steps:
- Customers should update their CounterACT deployments to the latest Security Policy Templates (v18.0.4) released on April 04, 2018. This integrates the Cisco IOS Security Software Checker to classify Cisco IOS devices with vulnerabilities within 24 hours of disclosure.
- CounterACT administrators can customize similar policies based on related tools and indicators. The CounterACT switch plugin and wireless plugin are required.
- The CounterACT Security Policy Templates content plugin is available to all ForeScout customers with ActiveCare Maintenance and Support contracts. Download the content plugin and documentation from updates.forescout.com.
Five Ways to Assess and Mitigate Risk
- Gain a better understanding of your risk exposure. ForeScout CounterACT can provide a complete inventory of managed Cisco switches and wireless devices. These devices can be classified by model, type, function, ownership and several other attributes to provide essential insight into your network environment.
- Follow Cisco IOS device-hardening guidance and audit for device compliance. Disable Smart Install if the feature is not used during bootup. As a best practice, turn off plug-and-play functionality when not in use.
- Patch impacted endpoints. Based on the inventory and classification of devices provided by CounterACT, you can prioritize your patching efforts. CounterACT can also help you enforce polices to enable and initiate automatic updates for certain device types in your environment.
- Unless essential, ensure that these network devices are properly firewalled from public Internet access. Follow vendor guidance on secure deployment and hardened configurations. Disable unneeded features, ports and services to reduce your attack surface.
- Use CounterACT to isolate, restrict or block non-compliant and high-risk devices. You can use CounterACT to isolate non-compliant devices and initiate remediation actions.