Cisco Systems has warned that a critical vulnerability has been discovered that could allow an attacker to execute arbitrary code and obtain full control on more than 300 models of Cisco switches and routers. The company said it found the exploit through the WikiLeaks' Vault 7 cache of documents that revealed details about the stockpile of exploits used by the US Central Intelligence Agency. WikiLeaks had reportedly forwarded a contract to tech companies that they have to agree to if they want access to details of security vulnerabilities that were disclosed in Vault 7.
Cisco reports bug found in WikiLeaks' Vault 7 CIA dump
"A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges," Cisco warned in an advisory. The company added that it found the vulnerability during the analysis of documents related to the Vault 7 disclosure.
The vulnerability in the Cisco Cluster Management Protocol (CMP) in IOS and IOS XE and is in the default configuration of affected devices and can be exploited over either IPv4 or IPv6. Tracked as CVE-2017-3881, the bug allows a remote attacker to cause affected switches to reload or execute arbitrary code with elevated privileges and gain full control of the device.
"An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device," Cisco's advisory said.
Cisco said there is currently no patch or workaround for this critical vulnerability. The zero-day affects 264 Catalyst switches, along with 51 industrial Ethernet switches and three other devices, if they're running IOS and are configured to accept Telnet connections. Cisco advises disabling Telnet in favor of SSH, until the patch for this zero-day is made available. Some of the affected models are no longer supported. For more details, please visit the advisory.
WikiLeaks had said that it carried out thousands of redactions to prevent the release of exploit code, however, it did release some sensitive information, including IP and email addresses of targets. WikiLeaks had earlier said that only Mozilla had contacted them. Apparently, Cisco had also agreed to the terms of the whistleblowing company.
"Fortunately, WikiLeaks' Vault7 has permitted Cisco's security team to identify the vulnerability without releasing the exploit code," WikiLeaks said. "Cisco was the most proactive of the US manufacturers and its security team initiated contact with WikiLeaks last week."