Cisco's WikiLeaks Security Vulnerability Exposure: 10 Things Partners Need To Know
Cisco's Security Vulnerability
Cisco's security team has discovered that hundreds of its networking devices contain a vulnerability that could allow attackers to remotely executive malicious code and take control of the affected device.
"We are committed to responsible disclosure, protecting our customers, and building the strongest security architecture and products that are designed through our Trustworthy Systems initiatives," said a Cisco spokesperson in an email to CRN regarding the vulnerability.
Some channel partners of the San Jose, Calif.-based networking giant are already advising customers on how to bypass the critical security flaw. Here are 10 important items that Cisco channel partners should know about the security vulnerability.
WikiLeaks Vault 7
The networking giant initially discovered the security vulnerably after WikiLeaks made public a set of CIA documents referred to as the "Vault 7" leaks on March 7. Vault 7 consists of thousands of pages on CIA software tools and techniques used to hack into technology devices. The New York Times said Vault 7 appears to be the largest leak of CIA documents in history.
No Fix, But Disable Telnet
There are currently no fixes or workarounds available. Cisco said disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the vulnerability.
Customers who are unable to disable the Telnet protocol can reduce the attack surface by implementing infrastructure access control lists.
Cisco Catalyst Switches Hit Hardest
Cisco's Catalyst switching models were affected most, including many of the 2960, 3560 and 3750 series as well as Cisco's IE 2000 and 4000 Industrial Ethernet switches. Other affected products include its Embedded Service 2020 switches and Cisco's Enhanced Layer 2/3 EtherSwitch Service Module.
Attackers Can Exploit Cisco's CMP
Cisco said an attacker could exploit the vulnerability by sending malformed Cluster Management Protocol (CMP)-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device.
Cisco Prohibits Any Unauthorized Access Of Products
When questioned whether Cisco is taking steps to make sure government agencies cannot exploit its products in the future or if it has made any changes to its security policy or procedures to better enable it to keep out government agencies, the Cisco spokesperson said, "Cisco's product development practices specifically prohibit any intentional behaviors or product features that allow unauthorized device or network access, exposure of sensitive device information, or a bypass of security features or restriction."
"Cisco's Secure Development Lifecycle is a repeatable companywide methodology for secure product development to mitigate the risk of vulnerabilities and increase product resiliency," the spokesperson said.
Software Fix Coming
Cisco said it will release software updates that address the vulnerability, although the company did not specify when the software will be made available.
"Cisco engineers are developing fixes, and will begin publishing fixed software for affected versions as they become available," said the Cisco spokesperson.
Vulnerability Due To Two Factors
The CMP utilizes Telnet internally as a signaling and command protocol between cluster members. Cisco said the vulnerability is due to the combination of two factors, including the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device. The other factor is the incorrect processing of malformed CMP-specific Telnet options.
Prime Target For Hackers
Partners said the networking giant is a prime target for hackers because of the company's dominant market share. "Cisco is a main target for hackers because they basically own most of the network – it's really that simple," said one top executive from a solution provider and longtime Cisco partner, who did not wish to be named.
Partners Applaud Cisco For Quick Notification
Partners commended Cisco for its quick action in making the channel aware of the security vulnerability. On March 17, Cisco sent out a security advisory saying that it had discovered the vulnerability.
"They were pretty prompt about addressing it right away," said Kent MacDonald, vice president of business development at Long View Systems, a Calgary, Alberta-based Cisco Gold partner. "They found it and responded – so it's kind of a non-event for us."
"Cisco remains steadfast in the position that we should be notified of all vulnerabilities if they are found, so we can fix them and notify customers," said the Cisco spokesperson.
Cisco Touts Security Commitment
The company touts its Cisco Secure Development Lifecycle, Cisco Common Crypto models, and Product Security Incident Response Team and Vulnerability Disclosure policies as industry-leading examples of its security commitment to customers.
"Cisco remains committed to avoiding security issues in our products, and handling issues professionally when they arise," said the spokesperson. "This is central to how we earn and maintain trust."