It’s a Feature Not a Bug: Mitigating Risk Associated with Cisco Smart Install
Background:
Cisco Smart Install is a feature for automated or touchless deployment of new equipment. Smart Install allows network engineers to deploy unconfigured devices to the network, where the device connects to a Smart Install Director to retrieve configuration files and automate the initial setup. While this can be an attractive feature for network engineers because it eases deployment of unconfigured devices in remote locations, it is also easily abused: it allows an attacker to download configurations, upload new configurations, or make other unauthorized changes to network devices without authentication. Historically, Smart Install was enabled by default; in current versions of Cisco software it is disabled by default. Although Smart Install is now disabled by default, awareness of Smart Install is still important for network engineers and cybersecurity professionals because network infrastructure software is not always updated on a regular basis due to availability requirements.
Threat Landscape:
Threat actors are taking an increased interest in network infrastructure such as routers, switches, and firewalls. Recently, the state-sponsored threat actor Salt Typhoon has been targeting Smart Install [1]. This is likely because network infrastructure devices are not typically monitored by security professionals and cannot be protected with the agent-based security tools that have become common for endpoints. Disabling Smart Install is simple and is accomplished by issuing the no vstack command:
no vstack
Even if Smart Install is disabled on the network, knowing how to monitor for and detect Smart Install can help network engineers and cybersecurity professionals better protect their network infrastructure.
Finding Smart Install:
Smart Install can be found from device logs if network infrastructure device event logs are aggregated in a security information and event management (SIEM) tool. To support this, Cisco provides a "Notification" event, a severity used for normal events that could be significant [2]. The event will look similar to:
Error Message SMI-5-CLIENT: Smart Install Client feature is enabled. It is recommended to disable the Smart Install feature when it is not actively used. To disable feature execute 'no vstack' in configuration mode
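The detection described above, as an added example that is not part of the original article: a small parser that scans syslog lines from Cisco devices for the SMI-5-CLIENT message and reports which hosts still have the Smart Install client enabled. The syslog lines are constructed for the example (hostnames, timestamps and sequence numbers are made up); the SMI-5-CLIENT text follows the message quoted above, and the line layout assumes the common IOS syslog form of timestamp, hostname, sequence number and a %FACILITY-SEVERITY-MNEMONIC body.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines for this example (not real device output).
# Two devices report the Smart Install client enabled; the other lines are
# ordinary noise that the detector must ignore.
SAMPLE_SYSLOG = """\
<189>Jan 12 10:01:02 core-sw1 1234: Jan 12 10:01:02.123: %SMI-5-CLIENT: Smart Install Client feature is enabled. It is recommended to disable the Smart Install feature when it is not actively used. To disable feature execute 'no vstack' in configuration mode
<189>Jan 12 10:01:05 core-sw1 1235: Jan 12 10:01:05.001: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
<189>Jan 12 10:02:10 access-sw7 99: Jan 12 10:02:10.500: %SMI-5-CLIENT: Smart Install Client feature is enabled. It is recommended to disable the Smart Install feature when it is not actively used. To disable feature execute 'no vstack' in configuration mode
<189>Jan 12 10:03:00 access-sw7 100: Jan 12 10:03:00.700: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Assumed line layout: optional syslog priority, timestamp, hostname, then
# anything up to the IOS message body "%FACILITY-SEVERITY-MNEMONIC: text".
LINE_RE = re.compile(
    r"^(?:<\d+>)?"
    r"(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r".*?%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<msg>.*)$"
)


@dataclass(frozen=True)
class SmartInstallEvent:
    host: str
    timestamp: str
    message: str


def find_smart_install_events(syslog_text: str) -> list:
    """Return one SmartInstallEvent per line whose body is SMI-5-CLIENT."""
    events = []
    for line in syslog_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable IOS syslog line; skip it
        if m["facility"] == "SMI" and m["sev"] == "5" and m["mnemonic"] == "CLIENT":
            events.append(SmartInstallEvent(m["host"], m["ts"], m["msg"]))
    return events


def hosts_with_smart_install(syslog_text: str) -> set:
    """Distinct device hostnames that reported the Smart Install client enabled."""
    return {event.host for event in find_smart_install_events(syslog_text)}


if __name__ == "__main__":
    for host in sorted(hosts_with_smart_install(SAMPLE_SYSLOG)):
        print(f"Smart Install client enabled on {host}; issue 'no vstack' or apply an ACL")
```

In a SIEM the same logic is a match on the facility, severity and mnemonic fields rather than on the free text, which keeps the rule working if Cisco rewords the recommendation in the message body.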
Additionally, most vulnerability scanners will also detect if Smart Install is enabled on Cisco devices. For example, Tenable plugin ID 105161 can detect if Smart Install is enabled [3]. It is important to note that Tenable plugin ID 105161 only characterizes Smart Install as an "informational" vulnerability and therefore may not get prioritized in vulnerability management processes.
Additional monitoring can be enabled on network intrusion detection systems such as Snort. Snort has several built-in rules that support finding attackers attempting to locate network devices with Smart Install enabled, attempts to download the device configuration, use of TFTP via Smart Install, and other uses of Smart Install [4].
Mitigating Smart Install:
As mentioned earlier in this article, Smart Install can be disabled using the no vstack command. Some older versions of Cisco software do not have the no vstack command and require alternative mitigation, such as blocking TCP port 4786 on all IP interfaces. For networks actively using Smart Install, configure an ACL to restrict communications to the Smart Install Director. An example ACL is provided below from the Smart Install Configuration Guide [5]:
ip access-list extended SMI_HARDENING_LIST
permit tcp host 10.10.10.1 host 10.10.10.200 eq 4786
deny tcp any any eq 4786
permit ip any any
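To make the behaviour of this ACL concrete, here is an added example (not from the article or from Cisco) that models first-match ACL evaluation in Python and checks the SMI_HARDENING_LIST above against a few constructed packets, alongside the "block 4786 everywhere" variant mentioned for software that lacks the no vstack command. It assumes 10.10.10.1 is the Director and 10.10.10.200 a Smart Install client, as the article's ACL implies, and uses RFC 5737 documentation addresses for the other hosts.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

SMART_INSTALL_PORT = 4786  # TCP port used by Smart Install
ANY = "0.0.0.0/0"          # the ACL keyword "any"


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", or "ip" (ip matches any protocol)
    src: str               # CIDR; a single host is written as /32
    dst: str
    dport: Optional[int] = None  # None models an entry with no "eq <port>"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry decides; an ACL ends in an implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# The article's SMI_HARDENING_LIST: only Director -> client on 4786 is allowed,
# all other Smart Install traffic is dropped, everything else passes.
SMI_HARDENING_LIST = [
    AclEntry("permit", "tcp", "10.10.10.1/32", "10.10.10.200/32", SMART_INSTALL_PORT),
    AclEntry("deny", "tcp", ANY, ANY, SMART_INSTALL_PORT),
    AclEntry("permit", "ip", ANY, ANY),
]

# Variant for networks that do not use Smart Install and run software without
# the "no vstack" command: block TCP 4786 outright.
BLOCK_ALL_SMI = [
    AclEntry("deny", "tcp", ANY, ANY, SMART_INSTALL_PORT),
    AclEntry("permit", "ip", ANY, ANY),
]

# Misordered list: the catch-all permit comes first, so the deny never fires.
# Included to show why entry order matters.
MISORDERED = [SMI_HARDENING_LIST[2], SMI_HARDENING_LIST[0], SMI_HARDENING_LIST[1]]

# Constructed packets for the example.
DIRECTOR_TO_CLIENT = Packet("tcp", "10.10.10.1", "10.10.10.200", SMART_INSTALL_PORT)
STRANGER_TO_CLIENT = Packet("tcp", "192.0.2.50", "10.10.10.200", SMART_INSTALL_PORT)
STRANGER_SSH = Packet("tcp", "192.0.2.50", "10.10.10.200", 22)


def summarize(acl: List[AclEntry]) -> dict:
    """Decision for each sample packet under the given ACL."""
    return {
        "director_smi": evaluate(acl, DIRECTOR_TO_CLIENT),
        "stranger_smi": evaluate(acl, STRANGER_TO_CLIENT),
        "stranger_ssh": evaluate(acl, STRANGER_SSH),
    }


if __name__ == "__main__":
    for name, acl in [("SMI_HARDENING_LIST", SMI_HARDENING_LIST),
                      ("BLOCK_ALL_SMI", BLOCK_ALL_SMI),
                      ("MISORDERED", MISORDERED)]:
        print(name, summarize(acl))
```

The check to carry over to a real device is the middle case: under the hardened list, a host other than the Director cannot reach TCP 4786 on the client, while management traffic such as SSH still passes; under the misordered list the same host is permitted, which is the kind of mistake a quick evaluation like this catches before the ACL is applied to an interface.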
Conclusions:
Attacks against network infrastructure devices are increasing due to their high availability requirements, infrequent updates, and lack of agent-based security tools. Despite being disabled by default in current software releases, Smart Install can present significant risk to networks due to its ease of abuse and lack of authentication mechanisms. Therefore, developing and maintaining the ability to detect the presence of Smart Install should be a priority for network engineers and cybersecurity professionals.
Sources:
1. Weathering the storm: In the midst of a Typhoon
https://blog.talosintelligence.com/salt-typhoon-analysis
2. Smart Install Configuration Guide – Smart Install System Messages
3. Cisco Smart Install Detection | Tenable®
https://www.tenable.com/plugins/nessus/105161
4. Snort – Rules for Smart Install
5. Smart Install Configuration Guide – Smart Install Concepts