Posted by Zarathustra 1:52 PM (CDT)
Monday March 20, 2017
Whenever governments or companies release documentation late in the day on a Friday, you can be pretty sure it's something they hope people won't notice. Such is probably the case with CVE-2017-3881, a vulnerability Cisco discovered in its IOS and IOS XE software which could allow an attacker to reload an affected device or remotely execute code with elevated privileges.
This find demonstrates the value in digging deep into the details. While this vulnerability was documented in Wikileaks Vault 7 CIA dump, it was not one of the methods identified in summary documents. Cisco has not yet released a software update to fix this issue, but state that it can be identified using Cisco IPS Signature 7880-0 and Snort SIDs 41909 and 41910.
I'm not an expert in the field of enterprise network security products, but it seems unusual to me for a company to announce their own vulnerability before they have patched it. Maybe this is because the fix is relatively simple. Don't use Telnet for clusters. Using Telnet for pretty much anything in 2017 knowing what we know today about security seems like a bad idea.
Disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector. Disabling Telnet and using SSH is recommended by Cisco. Information on how to do both can be found on the Cisco Guide to Harden Cisco IOS Devices.
Customers unable or unwilling to disable the Telnet protocol can reduce the attack surface by implementing infrastructure access control lists (iACLs). Information on iACLs can be found on the following document: Protecting Your Core: Infrastructure Protection Access Control Lists