Cisco patched a critical vulnerability this week that affected more than 300 models of its switches.
The flaw was disclosed as part of the WikiLeaks Vault 7 dump of alleged CIA hacking tools in March. The Cisco vulnerability -- rated a critical 9.8 out of 10 by the Common Vulnerability Scoring System -- is in the Cluster Management Protocol, or CMP, in Cisco's IOS and IOS XE software. The vulnerability could allow a remote, unauthenticated attacker to reload devices or execute code with elevated privileges.
The CMP uses Telnet "as a signaling and command protocol between cluster members," Cisco explained in an advisory. And for the Cisco vulnerability to work, two conditions have to be met: The first is the CMP subsystem must be present on the device; the second is "the device is configured to accept incoming Telnet connections."
"An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections," according to Cisco. "An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device."
The advisory about the Cisco vulnerability provides a long list of affected products and explains that "CMP-specific Telnet options are processed by default, even if no cluster configuration commands are present on the device configuration. This vulnerability can be exploited during Telnet session negotiation over either IPv4 or IPv6. This vulnerability can only be exploited through a Telnet session established to the device -- sending the malformed options on Telnet sessions through the device will not trigger the vulnerability."
Despite having an initial advisory out on March 17, Cisco did not issue the patch for this vulnerability until May 8, 2017. A security researcher posted a proof-of-concept exploit for this particular Cisco vulnerability on April 10, 2017. However, Cisco said its product security incident response team isn't aware of any malicious exploits of this vulnerability.
The Cisco vulnerability was part of the Vault 7 WikiLeaks dump of over 8,000 documents that allegedly contained CIA hacking tools. Since the Vault 7 dump, Cisco has been advising its customers to disable Telnet and use SSH connections instead, which it reiterated in this week's advisory.
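The second precondition above, a device that accepts incoming Telnet connections, can be checked from the running configuration. As an added example, not code from the article or from Cisco, here is a small Python parser over a constructed IOS running-config excerpt that flags the `line vty` blocks whose `transport input` still permits Telnet. The sample config, hostname, and function names are assumptions; IOS platform defaults for a block with no `transport input` statement vary, so such blocks are reported as undetermined rather than guessed.

```python
import re

# Constructed sample of an IOS running-config excerpt (not from a real device):
# the first vty block still accepts Telnet, the second is SSH-only.
SAMPLE_CONFIG = """\
hostname sw-access-01
!
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
!
end
"""

def parse_vty_blocks(config_text):
    """Map each 'line vty A B' block to its 'transport input' tokens.

    A block with no 'transport input' statement maps to None, meaning the
    platform default applies and must be checked on the device itself.
    """
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):            # unindented: a new top-level statement
            current = None
            m = re.match(r"^line vty (\d+)(?: (\d+))?$", line)
            if m:
                current = f"vty {m.group(1)}-{m.group(2) or m.group(1)}"
                blocks[current] = None
            continue
        if current is None:
            continue                            # indented line outside a vty block
        m = re.match(r"^\s*transport input (.+)$", line)
        if m:
            blocks[current] = m.group(1).split()
    return blocks

def telnet_exposed(config_text):
    """Return the vty ranges that explicitly allow Telnet ('telnet' or 'all')."""
    return [rng for rng, transports in parse_vty_blocks(config_text).items()
            if transports and ("telnet" in transports or "all" in transports)]

def undetermined(config_text):
    """Return the vty ranges that rely on the platform default transport."""
    return [rng for rng, t in parse_vty_blocks(config_text).items() if t is None]
```

Remediating a flagged block is the change Cisco recommends: replace the `transport input` statement with `transport input ssh` so the vty lines accept only SSH.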
In other news:
- Five months after its debut, Google's fuzzing tool, OSS-Fuzz, has found over 1,000 bugs, 264 of which are potential security vulnerabilities, according to a blog post from Google. The bot is used across the open source community and has found bugs of different types, including heap buffer overflow, timeouts and data leaks. Some of the bugs already uncovered were found in open source projects such as Wireshark and OpenSSL. Google hopes to get OSS-Fuzz rolled out to more projects. "We believe that user and internet security as a whole can benefit greatly if more open source projects include fuzzing in their development process," according to the blog post. "To this end, we'd like to encourage more projects to participate and adopt the ideal integration guidelines that we've established." In an effort to expand use of OSS-Fuzz, Google adopted a reward program where eligible projects can receive between $1,000 and $20,000 for "ideal integration." If the project donates the reward money to charity, Google will double it.
- President Donald Trump dismissed FBI Director James Comey on May 9, following a request from the U.S. Department of Justice. Comey had a controversial tenure as FBI director due to investigations into Russian hacking of the Democratic National Committee and the Trump presidential campaign, as well as the encryption "going dark" debate highlighted by the San Bernardino, Calif., case last year. After a public legal battle with Apple to get access to an encrypted iPhone owned by the San Bernardino shooter, the FBI and Apple reached a stalemate until the FBI eventually found a way to break the encryption without Apple's help. Comey, despite later proclaiming his "love" for encryption, was an outspoken supporter of encryption backdoors for intelligence agencies during and after the case.
- The U.S. Social Security Administration is rolling out two-factor authentication for online user accounts for the second time. The first attempt in July 2016 involved sending one-time passwords via SMS and was met with immediate dissatisfaction, since senior citizens are the primary users of Social Security and many don't own cellphones. The revised plan will be implemented on June 10, and it will instead send a one-time password to the user's email account. While this method increases accessibility, it raises security concerns. The main concern is, if the user has the same password for their "my Social Security" account and their email account, a hacker who compromised a Social Security account already has access to the email account.