UPDATED 04:46 EST / MARCH 21 2017


Cisco discloses 300+ switches vulnerable to CIA hack, with no patch available

In a damaging public disclosure, Cisco Systems Inc. has admitted that more than 300 of the switches it sells contain a critical vulnerability that allows the Central Intelligence Agency to take full control of the devices, and there is currently no patch available to fix it.

The revelation follows WikiLeaks’ disclosure of the CIA’s hacking tools two weeks ago that included details of tools the agency uses to access smartphones, routers and even smart television sets.

Cisco issued a security advisory detailing the vulnerability, describing it as an issue in the Cisco Cluster Management Protocol processing code in Cisco IOS and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.

“An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections,” the company noted. “An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device.”

Cisco listed Catalyst switches as the most affected by the problem, along with Industrial Ethernet switches and embedded services.

While there is currently no way to patch the switch firmware to prevent an attack, all hope is not lost. Cisco said disabling Telnet as a means for receiving incoming connections eliminates the threat. Users who aren’t willing to disable Telnet can lower the risk of the CIA or others gaining access by using an access control list to restrict the devices that are allowed to send and receive Telnet commands.
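Both mitigations can be checked against a saved device configuration. The following Python audit is an added example, not code from Cisco or from this article; the sample configuration, the ACL name `MGMT-HOSTS` and the status labels are constructed, and a vty block with no `transport input` line is assumed to accept Telnet because the default differs between IOS releases.

```python
import re

# Constructed sample running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
ip access-list standard MGMT-HOSTS
 permit 192.0.2.10
!
line con 0
line vty 0 4
 access-class MGMT-HOSTS in
 transport input telnet ssh
line vty 5 10
 transport input all
line vty 11 15
 transport input ssh
!
end
"""

def classify(block):
    # Assumption: with no 'transport input' line, treat Telnet as accepted,
    # because the default differs between IOS releases.
    t = block["transport"]
    if t is not None and "telnet" not in t and "all" not in t:
        return "no-telnet"          # first mitigation: Telnet disabled
    return "telnet-acl" if block["acl"] else "telnet-open"

def audit_vty_telnet(config_text):
    """Return (vty range, status) for every 'line vty' block."""
    findings, block = [], None
    for raw in config_text.splitlines() + ["!"]:   # sentinel flushes last block
        if block is not None and not raw.startswith(" "):
            findings.append((block["range"], classify(block)))
            block = None
        m = re.match(r"line vty (\d+(?: \d+)?)\s*$", raw)
        if m:
            block = {"range": m.group(1), "transport": None, "acl": None}
        elif block is not None:
            words = raw.split()
            if words[:2] == ["transport", "input"]:
                block["transport"] = words[2:]
            elif len(words) >= 3 and words[0] == "access-class" and words[2] == "in":
                block["acl"] = words[1]     # second mitigation: inbound ACL
    return findings

if __name__ == "__main__":
    for vty, status in audit_vty_telnet(SAMPLE_CONFIG):
        print(f"line vty {vty}: {status}")
```

A `telnet-acl` result only shows that an inbound access-class is applied to the line; the entries of that access list still need to be reviewed.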

Cisco added that it was working on a fix for the vulnerability, but at this stage there is no set date as to when it might be available.

Photo: Ben Franske/Wikimedia Commons
