Remote unauthenticated OS re-install is a feature, not a bug, says Cisco
If you think bad guys could abuse the Smart Install protocol, just turn it off
Cisco's taken umbrage at accusations that its Smart Install (SMI) protocol is vulnerable to abuse.
The problem – if there is one, because “it's a feature, not a bug” – is that if netadmins are using SMI to auto-configure switches installed in branch offices they need to know it doesn't enforce authentication.
If an attacker changes the
startup-config file, they can do all manner of fun things: force a reload, change the IOS image, or execute privileged commands.
As Switchzilla says in its advisory: “Cisco does not consider this a vulnerability in Cisco IOS, IOS XE, or the Smart Install feature itself but a misuse of the Smart Install protocol, which does not require authentication by design”.
Cisco's point is that SMI isn't meant for day-to-day use: it's there to support sysadmins who want to ship a switch to a branch office, and have an Integrated Branch Director (in a router) push configuration to it.
“The director provides a single management point for images and configuration of client switches. When a client switch is first installed into the network, the director automatically detects the new switch and identifies the correct Cisco IOS image and the configuration file for downloading. It can also allocate an IP address and hostname to a client.”
Obviously, if you're not using SMI, the advice is turn it off. If you're using it for zero-touch deployment, turn it off once the switch is live; and if you want to leave it enabled after install, implement access control lists and (if available) control plane policing.
Cisco notes the possibility of SMI protocol misuse were reported to it by Brian Martin at Tenable Network Security, Daniel Turner of Trustwave SpiderLabs, and Alexander Evstigneev and Dmitry Kuznetsov of Digital Security. ®