Dive Brief:
- Federal authorities and security researchers warn malicious hackers are targeting legacy Cisco Smart Install features to steal system configuration files and compromise enterprise networks.
- In an advisory released Thursday, the Cybersecurity and Infrastructure Security Agency advised organizations to disable the Smart Install feature and said it continues to see enterprises using weak passwords on Cisco network devices. Weak passwords leave devices vulnerable to password cracking attacks, according to CISA.
- Shadowserver on Friday said it sees more than 6,000 IPs with the Cisco Smart Install feature still exposed to the internet. This figure is down from more than 14,000 instances about two years ago.
Dive Insight:
Abuse of Cisco Smart Install has been a known issue for more than five years. Cisco Talos issued a blog about it in 2017, and Cisco released an advisory in 2018.
Cisco Talos is aware of the CISA advisory and advises users to disable the legacy Smart Install feature, a spokesperson said via email.
Cisco on Friday said, through a spokesperson, that customers need to make sure their network switches are properly protected against this abuse.
Cisco Talos also has a scanning utility to help customers determine if they are vulnerable to this type of abuse.
CISA recommends the use of type 8 password protection for Cisco devices. Type 8 is a more secure form of password storage for Cisco devices: the password is hashed with PBKDF2 (Password-Based Key Derivation Function 2) rather than stored in plaintext or with a reversible or weak hash.
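The following is an added example, not code from the article, from CISA or from Cisco. It turns the two recommendations above into a small Python audit of a constructed IOS-style configuration: it checks that a `no vstack` line is present (Cisco's command for disabling the Smart Install client; the assumption that this line appears in the running config is the script's, not the article's) and that stored credentials use type 8 rather than types 0, 4, 5 or 7. It also implements the type 8 hash so a stored `$8$` secret can be verified against a candidate password. The type 8 parameters (PBKDF2-HMAC-SHA256, 20000 iterations, a 14-character salt, a 32-byte result encoded with the crypt-style `./0-9A-Za-z` alphabet) come from public descriptions of the format, not from this article; the hostnames, usernames, passwords and the type 5 value are constructed placeholders.

```python
"""Audit an IOS-style config for Smart Install left enabled and for weak
credential storage types, and implement Cisco type 8 ($8$) hashing so a
stored secret can be verified. Format details are from public descriptions
of type 8, not from the article; all sample data is constructed."""
import base64
import hashlib
import re
import secrets

# Type 8 parameters (assumption, from public descriptions of the format):
# PBKDF2-HMAC-SHA256, 20000 iterations, 14-char salt, 32-byte digest
# encoded with the crypt-style alphabet instead of standard base64.
T8_ITERATIONS = 20000
T8_SALT_LEN = 14
STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CISCO_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_TO_CISCO = str.maketrans(STD_B64, CISCO_B64)
T8_RE = re.compile(r"\$8\$([./0-9A-Za-z]{14})\$([./0-9A-Za-z]{43})")


def type8_hash(password: str, salt: str = "") -> str:
    """Return the $8$<salt>$<digest> string for password (random salt if none given)."""
    if not salt:
        salt = "".join(secrets.choice(CISCO_B64) for _ in range(T8_SALT_LEN))
    if len(salt) != T8_SALT_LEN or any(c not in CISCO_B64 for c in salt):
        raise ValueError("salt must be 14 characters from the ./0-9A-Za-z alphabet")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), T8_ITERATIONS, 32)
    digest = base64.b64encode(dk).decode().rstrip("=").translate(_TO_CISCO)
    return f"$8${salt}${digest}"


def type8_verify(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored $8$ secret."""
    m = T8_RE.fullmatch(stored)
    if not m:
        return False
    return secrets.compare_digest(type8_hash(password, m.group(1)), stored)


# IOS credential storage types: 0 and 7 are recoverable outright, 4 and 5 are
# fast hashes that crack quickly; CISA's advice is type 8 (type 9 is scrypt).
WEAK_TYPES = {"0": "plaintext", "4": "flawed SHA-256", "5": "MD5", "7": "reversible"}
CRED_RE = re.compile(
    r"^\s*(?:enable\s+(?:secret|password)"
    r"|username\s+\S+(?:\s+privilege\s+\d+)?\s+(?:secret|password)"
    r"|password)\s+(?:(\d)\s+)?(\S+)\s*$"
)


def audit_config(config: str) -> list:
    """Return a list of findings for the two issues in the advisory."""
    findings = []
    lines = config.splitlines()
    # Assumption: a switch configured with 'no vstack' shows that line in its
    # running config; absence means the Smart Install client is still enabled.
    if not any(line.strip() == "no vstack" for line in lines):
        findings.append("Smart Install not disabled: no 'no vstack' line present")
    for line in lines:
        m = CRED_RE.match(line)
        if not m:
            continue
        ptype, value = m.group(1) or "0", m.group(2)  # no type digit means type 0
        if ptype in WEAK_TYPES:
            findings.append(f"weak type {ptype} ({WEAK_TYPES[ptype]}) credential: {line.strip()}")
        elif ptype == "8" and not T8_RE.fullmatch(value):
            findings.append(f"malformed type 8 secret: {line.strip()}")
    return findings


# Constructed sample configs: hostnames, users and passwords are made up, the
# type 5 value is a placeholder and the type 8 value is computed above.
SAMPLE_T8 = type8_hash("Correct-Horse-Battery", "aaaaaaaaaaaaaa")
LEGACY_CONFIG = "\n".join([
    "hostname core-sw1",
    "enable secret 5 $1$abcd$PLACEHOLDERmd5hashvalue00",
    "username ops privilege 15 password 7 094F471A1A0A",
    f"username admin secret 8 {SAMPLE_T8}",
    "line vty 0 4",
    " password cisco123",
])
HARDENED_CONFIG = "\n".join([
    "hostname core-sw1",
    "no vstack",
    f"enable secret 8 {SAMPLE_T8}",
    f"username admin secret 8 {SAMPLE_T8}",
])

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_config(cfg) or ['no findings']}")
    print("verify ok:", type8_verify("Correct-Horse-Battery", SAMPLE_T8))
```

Run against `show running-config` output saved to a file, the audit reports four findings for the legacy configuration (Smart Install still enabled, a type 5 enable secret, a type 7 user password and a plaintext line password) and none for the hardened one. Verification uses `secrets.compare_digest` so that comparing a candidate against a stored secret does not leak timing information, and the salt is validated before hashing so a malformed stored value is rejected rather than silently accepted.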
The agency also encouraged users to review a July 2019 advisory from the National Security Agency about Smart Install abuse.
Cisco in July separately released an advisory about a critical vulnerability in the authentication system of Cisco Smart Software Manager On-Prem.
The vulnerability, listed as CVE-2024-20419 and with a severity score of 10, could allow an unauthenticated, remote attacker to change the password of any user, including administrators. The vulnerability is due to improper implementation of the password change process, according to Cisco.
Cisco said it has released updates that address the vulnerability but noted that there are no workarounds.