[AusNOG] Bouncing Cisco Equipment and "Smart Install"

Paul Gear ausnog at libertysys.com.au
Wed May 9 14:46:49 EST 2018


On 09/05/18 14:21, Michael J. Carmody wrote:
> Hey All,
> 
> Just a feeler to see if anyone else is seeing this.
> 
> We have some Cisco switches we use as Layer 2/3 NTUs to talk to client
> equipment on the far ends of fibre links.
> 
> As of yesterday morning, all of these switches started a roughly 1-2
> hour reboot outage.
> 
> All smartnet’ed, running latest recommended stable from cisco, and
> nothing in the logs other than a hard reset just occurred.
> 
> We have been additionally hardening the exposure of various interfaces
> (attacks were captured coming from resi ISP looking .mx domains), and it
> appears the one that has stopped the rot is disabling the “Smart
> Install” feature with a “no vstack” command, reload config from our
> config store and back to work…
> 
> TBH I didn’t even know this protocol existed… a non-authenticated, on by
> default protocol that allows you to configure and image deploy on
> network equipment.
> 
> Like, it's our own fault, but what the hell is this doing on by default?
> 
> Anyone else with Cisco or “Smart Install” equipment seeing an uptick in
> scanning/poking activity?

Hi Michael,

This has been an ongoing attack over the last few weeks - coverage here,
among other places:

- https://www.cyberscoop.com/cisco-switches-hacked-talos-security/

- https://thehackernews.com/2018/04/hacking-cisco-smart-install.html

- https://thehackernews.com/2018/04/cisco-switches-hacking.html

- https://www.zdnet.com/article/ciscos-warning-watch-out-for-government-hackers-targeting-your-network/

Time to check that you really are on the latest stable, get patching
your gear and banging on TAC's door about supplying better update
mechanisms, and better tools for detecting compromised firmware and
working out what release you should be running.

Regards,
Paul
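
An added example, not part of either message above: one way to sweep saved switch configs for the "no vstack" mitigation mentioned in the thread. It assumes config backups are available as plain text; the hostnames, addresses and the `audit_vstack` / `audit_all` names are constructed for illustration. A result of "unverified" means the backup does not say either way and the device itself should be checked with `show vstack config`.

```python
import re

# Start of an IOS banner: "banner <type> <delimiter>[text...]".
BANNER_START = re.compile(r"^banner\s+\S+\s+(\^C|\S)(.*)$")

# Constructed sample backups (assumption: not taken from the thread).
SAMPLE_CONFIGS = {
    "ntu-a": "hostname ntu-a\n!\nno vstack\n!\ninterface Vlan1\n"
             " ip address 192.0.2.1 255.255.255.0\n",
    "ntu-b": "hostname ntu-b\n!\ninterface Vlan1\n"
             " ip address 192.0.2.2 255.255.255.0\n",
    "ntu-c": "hostname ntu-c\n!\nvstack director 192.0.2.10\n!\n"
             "banner motd ^C\nno vstack\n^C\n",
}

def audit_vstack(config_text):
    """Return 'disabled', 'configured' or 'unverified' for one saved config."""
    in_banner, delim = False, None
    found_no_vstack = found_vstack = False
    for line in config_text.splitlines():
        if in_banner:
            # Banner text is free-form; a "no vstack" here is not a command.
            if delim in line:
                in_banner = False
            continue
        m = BANNER_START.match(line)
        if m:
            delim, rest = m.group(1), m.group(2)
            in_banner = delim not in rest  # multi-line banner if not closed
            continue
        if line != line.lstrip():
            continue  # indented lines belong to a sub-mode, not global config
        if line.strip() == "no vstack":
            found_no_vstack = True
        elif line.startswith("vstack "):
            found_vstack = True  # explicit Smart Install settings present
    if found_no_vstack:
        return "disabled"
    return "configured" if found_vstack else "unverified"

def audit_all(configs):
    """Map hostname -> audit result for a dict of hostname -> config text."""
    return {host: audit_vstack(text) for host, text in configs.items()}

if __name__ == "__main__":
    for host, status in sorted(audit_all(SAMPLE_CONFIGS).items()):
        print(f"{host}: Smart Install {status}")
```
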

