lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-id: <201702141504.6.smi@psirt.cisco.com>
Date: Tue, 14 Feb 2017 15:04:43 -0500
From: Cisco Systems Product Security Incident Response Team <psirt@...co.com>
To: bugtraq@...urityfocus.com
Cc: psirt@...co.com
Subject: Cisco Security Response: Cisco Smart Install Protocol Misuse 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Response: Cisco Smart Install Protocol Misuse

Response ID: cisco-sr-20170214-smi

Revision 1.0

For Public Release 2017 February 14 16:00  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Several researchers have reported on the use of Smart Install (SMI) protocol messages 
toward Smart Install clients, also known as integrated branch clients (IBC), allowing an 
unauthenticated, remote attacker to change the startup-config file and force a reload of the 
device, upgrade the IOS image on the device, and execute high-privilege CLI commands on 
switches running Cisco IOS and IOS XE Software.

Cisco does not consider this a vulnerability in Cisco IOS, IOS XE, or the Smart Install 
feature itself but a misuse of the Smart Install protocol that by design does not require 
authentication. Customers who seek more than zero-touch deployment should consider deploying 
the Cisco Network Plug and Play solution instead.

Cisco has updated the Smart Install Configuration Guide to include security best practices 
regarding the deployment of the Cisco Smart Install feature within customer infrastructures:
http://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/concepts.html#23355

This response is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi

-----BEGIN PGP SIGNATURE-----

iQIVAwUBWKMqP689gD3EAJB5AQIhmg//bOM1Zdt3KCjzNpQ2dCyOVDA8l1yM6h4w
MJMUE8kqxUHKtKP9dCqDNKJt18XEWX1hOBNitiUqCIksaLDntRDjlkuA9dAayAHE
s7zvlrjV0OWJ9gNjUAc7Kb8fhwQVf3FIBiuRciy14y+8WBeTBGejYZgdK6vax0BQ
/uP16dlViu+dUSmS3+K79lZ+7oJUKJWEcniA1dmvT6Rn5V5asj7sy9W6CA+X9ehm
kahOFeZJibnynFX6cDH1V7gvnWbo62PtgZ+NPkRFscXIlJhAYUOxFLOdF227GBRo
sTvjfitx64uWVd2u3HFDPmFAw1V2dX86AlNm8P8Bp6S2+jvJ3SprZZ1j3+vt1AEn
j5L5sc7IJpjCjj/JLxFI3iQOBZBnXQXU4XHxvdorMt067CijcwQbPYSM52oAdG8d
Bemos1BvBt5q/yIUV/tkYchdFMNsUrPBEjma4xf3l4RQQsrYvDhbJRTVi/z4Tjhw
fT6I3NHax2rxIc936l3zMXsPSPCbpjKYMWPA0xraIfceCi6Ujkm/0aX5Lxx/rAa7
Utcg/pMDFNpl+LWyPhJ1egTvRjNm8XDnIsDmybmUdssxjp0RtJHAUDyKlu+OKK4g
X3/8i+Ke0XrYFj2aag809ykRhwydveIJ3BFoUp7HiiAA5lOslR0g7hs30WgTW5UK
rsLWNm4W6vw=
=4PAE
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ