Number: IN18-001
Date: 14 April 2018
Purpose
The purpose of this Information Note is to bring attention to an Advisory released by Cisco regarding the Cisco IOS and IOS XE Smart Install feature.
Assessment
Cisco has released an Advisory that provides consolidated information on the Cisco Smart Install feature, on how to properly secure devices that may be exposed, and on how to mitigate the disclosed vulnerabilities.
The following table lists published Cisco Advisories that identify the Smart Install feature as being vulnerable and whether each vulnerability is being actively exploited:
Advisory Name | CVE ID | Description | Client/Director | Publication Date | Actively Exploited? |
---|---|---|---|---|---|
Cisco Smart Install Protocol Misuse | N/A | Widespread scanning for devices with the Smart Install feature enabled and without proper security controls | N/A | 14-Feb-17 | Yes |
Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability | CVE-2018-0171 | Reload, denial of service, remote code execution | Client Only | 28-Mar-18 | No |
Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability | CVE-2018-0156 | Reload, denial of service | Client Only | 28-Mar-18 | No |
Cisco IOS and IOS XE Software Smart Install Memory Leak Vulnerability | CVE-2016-6385 | Memory leak, eventual denial of service | Client Only | 28-Sep-16 | No |
Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability | CVE-2016-1349 | Denial of service | Client Only | 23-Mar-16 | No |
Cisco IOS Software Smart Install Denial of Service Vulnerability | CVE-2013-1146 | Denial of service | Client Only | 11-Apr-13 | No |
Cisco IOS Software Smart Install Denial of Service Vulnerability | CVE-2012-0385 | Malformed SMI packet causes reload | Client & Director | 28-Mar-12 | No |
Cisco IOS Software Smart Install Remote Code Execution Vulnerability | CVE-2011-3271 | Remote code execution | Client & Director | 28-Sep-11 | No |
Suggested Action
CCIRC encourages organizations to review the Cisco Advisory, and encourages system administrators to test and deploy the vendor-released updates to affected applications accordingly. Cisco recommends that customers who are not actively using Smart Install disable the feature. Those who do use the feature, and need to leave it enabled, should use ACLs to block incoming traffic on TCP port 4786 (the proper security control). Additionally, patches for known security vulnerabilities should be applied as part of standard network security management.
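One way to triage exported running-configs against the two actions above, as an added example that is not from Cisco or CCIRC. It assumes a device with the feature turned off shows `no vstack` in its running-config and that filtering is done with a named extended ACL applied inbound; the function name, verdict strings, ACL name and sample configs are constructed for illustration.

```python
import re

def audit_smart_install(config: str) -> dict:
    """Classify an exported IOS/IOS XE running-config for Smart Install exposure."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    # Assumption: a device with the feature turned off shows "no vstack".
    disabled = any(ln.strip() == "no vstack" for ln in lines)
    denies_smi = {}     # named extended ACL -> has a "deny tcp ... eq 4786" entry
    applied_in = set()  # ACL names bound inbound to at least one interface
    current = None
    for ln in lines:
        head = re.match(r"ip access-list extended (\S+)", ln)
        if head:
            current = head.group(1)
            denies_smi[current] = False
            continue
        if not ln.startswith(" "):
            current = None  # left the ACL sub-mode
        # Simplification: entry order and source/destination scope are not evaluated.
        if current and re.match(r"\s+(\d+\s+)?deny\s+tcp\s.*\beq\s+4786\b", ln):
            denies_smi[current] = True
        bound = re.match(r"\s+ip access-group (\S+) in\b", ln)
        if bound:
            applied_in.add(bound.group(1))
    # An ACL that is defined but never applied inbound gives no protection.
    filtering = sorted(n for n in applied_in if denies_smi.get(n))
    verdict = "disabled" if disabled else (
        "enabled-filtered" if filtering else "enabled-unfiltered")
    return {"verdict": verdict, "filtering_acls": filtering}

# Constructed sample configs (not taken from any real device).
SAMPLE_DISABLED = "hostname sw1\nno vstack\n"
SAMPLE_FILTERED = """hostname sw2
ip access-list extended SMI_HARDENING_LIST
 permit tcp host 10.10.10.1 host 10.10.10.200 eq 4786
 deny tcp any any eq 4786
 permit ip any any
interface Vlan1
 ip access-group SMI_HARDENING_LIST in
"""
SAMPLE_EXPOSED = """hostname sw3
ip access-list extended SMI_HARDENING_LIST
 deny tcp any any eq 4786
interface Vlan1
 ip address 10.10.10.200 255.255.255.0
"""

if __name__ == "__main__":
    for name in ("SAMPLE_DISABLED", "SAMPLE_FILTERED", "SAMPLE_EXPOSED"):
        print(name, audit_smart_install(globals()[name]))
```

Devices reported as `enabled-unfiltered` are the ones to review first; a verdict of `enabled-filtered` still warrants a manual read of the ACL.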
References:
Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180409-smi
Cisco Security Updates
https://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2018/av18-052-en.aspx