Cisco's advisory is among the first from a major electronics manufacturer to warn that its products are vulnerable to exploits discussed in Vault 7, the name WikiLeaks gave to thousands of pages of documents it said were leaked from the Central Intelligence Agency.
The devices affected by the vulnerability discovered in the Central Intelligence Agency cache include 264 Catalyst switches, more than 50 Industrial Ethernet switches, Embedded Service 2020 switches, Cisco RF Gateway, and the SM-X Layer 2/3 EtherSwitch Service Module. Beyond the technical issues, the find has serious implications as WikiLeaks had previously said the cache contained no working code.
The full list of affected Cisco switches can be found here. The company is scrambling to release a patch but there is currently no word on when it will be available. Such is probably the case with CVE-2017-3881, a vulnerability Cisco discovered in its IOS and IOS XE software that could allow an attacker to reload an affected device or remotely execute code with elevated privileges.
It's a two-fold bug: first, the Cluster Management Protocol (CMP) doesn't restrict CMP-specific Telnet options to local communications, instead processing commands over "any Telnet connection to an affected device"; and second, malformed CMP-specific Telnet options are incorrectly processed. "An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device". Since Cisco's products are world-renowned and used by major companies and organisations, the potential impact of a large attack could be enormous.
"Customers unable or unwilling to disable the Telnet protocol can reduce the attack surface by implementing infrastructure access control lists (iACLs)", Cisco noted.
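To find where the Telnet exposure described above exists, the following added example (not code from Cisco or from this article) scans a saved IOS running-config for `line vty` blocks that accept Telnet. The function name, the sample config and the `default_allows_telnet` parameter are hypothetical; treating a block without `transport input` as Telnet-capable is an assumption, and the per-line `access-class` it reports is a separate control from the iACLs Cisco mentions.

```python
import re

# Constructed sample running-config, not taken from a real device.
SAMPLE_CONFIG = """\
hostname sw-lab-01
line con 0
line vty 0 4
 access-class 10 in
 transport input telnet ssh
line vty 5 15
 transport input ssh
line vty 16 31
 login local
!
end
"""

def audit_vty_telnet(config, default_allows_telnet=True):
    """Return a finding for every 'line vty' block that accepts Telnet.

    default_allows_telnet is an assumption: a block with no explicit
    'transport input' is treated as accepting Telnet unless told otherwise.
    """
    findings, block = [], None

    def close(b):
        if b is None:
            return
        protos = b["transport"]
        telnet = default_allows_telnet if protos is None else bool(protos & {"telnet", "all"})
        if telnet:
            findings.append({"lines": b["lines"], "explicit": protos is not None,
                             "access_class": b["acl"]})

    for raw in config.splitlines():
        head = re.match(r"line vty (\d+(?: \d+)?)\s*$", raw)
        if head:                                   # a new vty block starts
            close(block)
            block = {"lines": head.group(1), "transport": None, "acl": None}
        elif block is not None and raw.startswith(" "):
            sub = raw.split()                      # indented sub-command of the block
            if sub[:2] == ["transport", "input"]:
                block["transport"] = set(sub[2:])
            elif len(sub) >= 3 and sub[0] == "access-class" and sub[2] == "in":
                block["acl"] = sub[1]
        else:                                      # any unindented line ends the block
            close(block)
            block = None
    close(block)
    return findings

if __name__ == "__main__":
    for finding in audit_vty_telnet(SAMPLE_CONFIG):
        print(finding)
```

A finding with `access_class` set to `None` is a vty range that accepts Telnet with no source restriction at the line level.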
Seizing control of switches could enable hackers to wreak havoc on a company's networking infrastructure.
The American technology conglomerate has combed WikiLeaks' Vault 7 itself and found that there's a bug in IOS (Internetwork Operating System) and IOS XE in over 300 of its switch models, The Register reported.
"An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections". Cisco plans to release a fix at an unspecified date.
Cisco wrote in a blog post that since none of the tools and malware referenced in the initial Vault 7 disclosure have been made available by WikiLeaks, the scope of action that can be taken by Cisco is limited.