[AusNOG] Bouncing Cisco Equipment and "Smart Install"

Laurence Bullivant laurence at bullivant.co.nz
Thu May 10 06:49:57 EST 2018


Guys,

Disabling Cisco smart install has been recommended by Cisco as part of their
hardening for a long time. (
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html)

It's just like turning off telnet and open RW snmp. And limiting access to
the management IPs.

I would highly suggest you also sign up for the Cisco critical
vulnerability notifications. It's a goldmine of stuff to patch.

Laurence
-Sent from a small screen with an imagery keyboard.

On Tue, May 8, 2018, 23:56 Mark Foster, <blakjak at blakjak.net> wrote:

> You don't specifically mention
> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi
> which I assume you're aware of?
>
> On 9 May 2018 4:21:20 PM NZST, "Michael J. Carmody" <michael at opusv.com.au>
> wrote:
>>
>> Hey All,
>>
>>
>>
>> Just a feeler to see if anyone else is seeing this.
>>
>>
>>
>> We have some Cisco switches we use as Layer 2/3 NTU’s to talk to client
>> equipment on the far ends of fibre links.
>>
>>
>>
>> As of yesterday morning, all of these switches started a roughly 1-2 hour
>> reboot outage.
>>
>>
>>
>> All smartnet’ed, running latest recommended stable from Cisco, and
>> nothing in the logs other than a hard reset just occurred.
>>
>>
>>
>> We have been additionally hardening the exposure of various interfaces
>> (attacks were captured coming from resi ISP looking .mx domains), and it
>> appears the one that has stopped the rot is disabling the “Smart Install”
>> feature with a “no vstack” command, reload config from our config store and
>> back to work…
>>
>>
>>
>> TBH I didn’t even know this protocol existed… a non-authenticated, on by
>> default protocol that allows you to configure and image deploy on network
>> equipment.
>>
>>
>>
>> Like, it's our own fault, but what the hell is this doing on by default?
>>
>>
>>
>> Anyone else with Cisco or “Smart Install” equipment seeing an uptick in
>> scanning/poking activity?
>>
>>
>>
>> -Michael Carmody
>>
>>
>>
>> (Ref:
>> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi
>> )
>>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
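
The hardening items named in this thread ("no vstack", telnet, open RW SNMP, limiting management access) can be checked across saved configs. The script below is an added example, not part of the original messages: the function name, finding labels and both sample configs are constructed, and treating a vty `access-class ... in` line as "limited management access" is an assumption.

```python
import re

# Constructed sample running-config fragments (not taken from the thread).
SAMPLE_EXPOSED = """\
hostname ntu-sw1
snmp-server community examplerw RW
line vty 0 4
 transport input telnet ssh
"""

SAMPLE_HARDENED = """\
hostname ntu-sw2
no vstack
snmp-server community examplero RO 10
line vty 0 4
 access-class 10 in
 transport input ssh
"""

def audit(config):
    """Return a list of hardening findings for one saved IOS config."""
    findings = []
    lines = config.splitlines()
    # Smart Install: the thread's fix is the "no vstack" command.
    if not any(l.strip() == "no vstack" for l in lines):
        findings.append("smart-install-not-disabled")
    # Open RW SNMP: an RW community with no ACL after it.
    for l in lines:
        if re.match(r"snmp-server community \S+ (view \S+ )?rw\s*$", l.strip(), re.I):
            findings.append("snmp-rw-without-acl")
    # Collect the indented body of each "line vty" block.
    blocks, current = {}, None
    for l in lines:
        if l.startswith("line vty"):
            current = l.strip()
            blocks[current] = []
        elif current and l.startswith(" "):
            blocks[current].append(l.strip())
        else:
            current = None
    for name, body in blocks.items():
        allowed = [t for b in body if b.startswith("transport input") for t in b.split()[2:]]
        if "telnet" in allowed or "all" in allowed:
            findings.append("telnet-enabled:" + name)
        # Assumption: management access is limited via a vty access-class.
        if not any(re.match(r"access-class \S+ in", b) for b in body):
            findings.append("no-access-class:" + name)
    return findings

if __name__ == "__main__":
    for label, cfg in (("exposed", SAMPLE_EXPOSED), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(cfg))
```
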