Cisco Partners Swoop In To Remediate WikiLeaks Switch Vulnerability Affecting Hundreds Of Devices
Cisco Systems partners are already advising customers on how to bypass a critical security vulnerability affecting more than 300 routers and switches discovered after WikiLeaks exposed CIA documents.
Future Tech, No. 167 on the 2016 CRN Solution Provider 500, is in the process of advising its top customers on how to remediate the vulnerability, which affects numerous Cisco switches, said Future Tech CEO Bob Venero.
"I have a call with one of our top customers in a few minutes and it will be the first topic of conversation," said Venero. "This is a vulnerability that puts some of the biggest corporations and government agencies at risk."
On March 17, Cisco disclosed that it had discovered hundreds of Cisco devices were vulnerable after WikiLeaks made public a set of CIA documents referred to as the "Vault 7 leak."
Cisco's Catalyst switching models were affected most, including many of the 2960, 3560 and 3750 series as well as Cisco's IE 2000 and 4000 Industrial Ethernet switching series.
There is currently no fix or workarounds available; however, disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the vulnerability, said Omar Santos, Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations, in a blog post.
Cisco said it will release software updates that address the vulnerability, although the company did not specify when the software will be made available.
"Since none of the tools and malware referenced in the initial Vault 7 disclosure have been made available by WikiLeaks, the scope of action that can be taken by Cisco is limited," said Santos in the blog post. "An ongoing investigation and focused analysis of the areas of code that are alluded to in the disclosure is under way. … What we can do, have been doing, and will continue to do, is to actively analyze the documents that were already disclosed."
Cisco said an attacker could exploit the vulnerability by sending malformed Cluster Management Protocol (CMP)-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections, according to Cisco's security warning. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device, said Cisco.
The San Jose, Calif.-based company is a prime target for hackers because of its dominant share in the networking market, said partners.
"Cisco is a main target for hackers because they basically own most of the network – it's really that simple," said one top executive from a solution provider and longtime Cisco partner, who did not wish to be named. "This is a big fire to put out – 300 products -- but they seem to be handling it well enough right now."
The executive said his company will be contacting customers who have affected products but does not believe it will be a issue that will drain resources.
"This is why [channel] partners are here to help when problems sprout out from nowhere, especially security problems like this," said the executive. "It's a lot of switches here. We'll handle it on a case-by-case basis. … Security is a huge priority."
Cisco's security business is the vendor's fastest-growing market segment.
For its most recent second fiscal quarter, the company reported 14 percent growth in security year over year to $528 million. It was Cisco's fifth consecutive quarter of double-digit growth in security.
Cisco security researchers found the vulnerability in its CMP code in Cisco IOS and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.
The CMP uses Telnet internally as a signaling and command protocol between cluster members, according to a critical warning advisory Cisco published March 17. Customers who are unable or unwilling to disable the Telnet protocol can reduce the attack by implementing infrastructure access control lists (iACLs), according to Santos.
A top executive for one of Cisco's largest enterprise partners applauded the company for its quick response to the breach highlighted by WikiLeaks.
"Cisco is all over this," said the executive, who declined to be named. "They have a threat intelligence group called Talos that is second to none. Talos is solving problems like this every day."
The top executive said his company has already been in contact with customers regarding the breach.
"We've flagged customers with the switches and will work with them to help solve the problem," he said. "You need to have someone like us to stay on top of these vulnerabilities and fix any and all of them. And you can bet there is another one right around the corner."