Protect yourself from Cisco Smart Install Attack and others. ToDo list

I have seen a lot of publications about the Cisco Smart Install attack of April 6, 2018. The vendor and researchers have started an interesting war of words, like a rap battle. I would like to be an independent side in this battle, and I want to share my experience of how to protect your infrastructure from such attacks.

On March 28, 2018 Cisco published two Smart Install vulnerabilities:

But the community has forgotten other vulnerabilities from March 28, 2018:
An exploit has not been published for free yet, but that is not a reason to ignore these vulnerabilities. One can be sure that some people already have this exploit. You must protect your devices now, while it is not too late.
I'll describe how to eliminate the danger of the Smart Install vulnerabilities (CVE-2018-0156, CVE-2018-0171), the QoS vulnerability (CVE-2018-0151) and the default username cisco (CVE-2018-0150).
Bear in mind that the other Cisco equipment hardening requirements are very useful too. Sometimes they may be critical.
You can see the action plan below. It will help you to minimize the current threats from the vulnerabilities described above, and it is also useful in the future for keeping your Cisco and other network equipment secure.

Final ToDo list:
  • Analyze whether your devices' software is vulnerable to the CVEs mentioned above. Compare software versions with the vendor-recommended ones.
  • Analyze whether your network contains compromised devices with unauthorized configuration changes. Restore production configs, change passwords and keys. Collect logs to inform law enforcement agencies if needed.
  • Disable Cisco Smart Install with the "no vstack" command.
  • Delete the default username "cisco".
  • Restrict processing of packets destined to the network device's own IP address on UDP port 18999 (QoS) and TCP port 4786 (Smart Install).
  • Upgrade device software/firmware to the vendor-recommended versions. Keep in mind that a maintenance window is needed.
  • Configure equipment monitoring for:
    - Cisco Smart Install (vstack) activation and TCP port 4786 availability
    - UDP port 18999 activation in the system (listening state)
    - the default username "cisco" appearing in configs
  • Integrate this monitoring process with the incident management system in your organisation. Even if you have eliminated these issues, they can come back in the future: because of human error, software behaviour changing after an upgrade, or new bugs emerging.
So it is incredibly important to maintain continuous monitoring of the security state of your network equipment.
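As an added example (not from the original post), here is a small Python audit that runs the monitoring checks from the list above over a device's running-config and `show vstack config` output. The sample configs and status lines are constructed, the exact wording of the vstack status line is assumed from Cisco documentation, and the secret value is a placeholder.

```python
"""Audit Cisco IOS configuration text for the Smart Install, QoS and
default-user hardening items.  Sample inputs are constructed, not captured
from a real device; 'show vstack config' wording is assumed from Cisco docs."""
import re

SMART_INSTALL_PORT = 4786   # TCP, Smart Install (vstack)
QOS_PORT = 18999            # UDP, QoS listener (CVE-2018-0151)


def audit_config(running_config: str, vstack_status: str) -> list[str]:
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    cfg = running_config.splitlines()

    # 1. Smart Install is enabled by default, so 'no vstack' must be present
    #    and the status output must not report it enabled.
    if not any(line.strip() == "no vstack" for line in cfg):
        findings.append("vstack: 'no vstack' missing from running-config")
    if re.search(r"SmartInstall enabled", vstack_status):
        findings.append("vstack: 'show vstack config' reports SmartInstall enabled")

    # 2. The default username 'cisco' (CVE-2018-0150) must not exist.
    if any(re.match(r"\s*username cisco\b", line) for line in cfg):
        findings.append("auth: default username 'cisco' present")

    # 3. An extended ACL must deny both ports; check a deny line exists for each.
    acl_text = "\n".join(cfg)
    for proto, port in (("tcp", SMART_INSTALL_PORT), ("udp", QOS_PORT)):
        if not re.search(rf"^\s*deny\s+{proto}\s+.*\beq\s+{port}\b", acl_text, re.M):
            findings.append(f"acl: no deny for {proto}/{port} found")
    return findings


# Constructed sample: default user present, vstack on, no protective ACL.
VULNERABLE_CONFIG = """\
hostname sw1
username cisco privilege 15 secret 5 PLACEHOLDER_HASH
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
"""
VULNERABLE_VSTACK = "Role: Client (SmartInstall enabled)\nVstack Director IP address: 0.0.0.0\n"

# Constructed sample after applying the ToDo list.
HARDENED_CONFIG = """\
hostname sw1
no vstack
ip access-list extended INFRA-PROTECT
 deny tcp any any eq 4786
 deny udp any any eq 18999
 permit ip any any
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 ip access-group INFRA-PROTECT in
"""
HARDENED_VSTACK = "Role: Client (SmartInstall disabled)\n"

if __name__ == "__main__":
    for name, cfg, status in (("vulnerable", VULNERABLE_CONFIG, VULNERABLE_VSTACK),
                              ("hardened", HARDENED_CONFIG, HARDENED_VSTACK)):
        print(name, audit_config(cfg, status) or "OK")
```

Feed it the output of `show running-config` and `show vstack config` collected by your monitoring job, and raise an incident when the findings list is non-empty.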


Андрей Дугин

Practical Information Security and Information Protection | Information Security and Cyber Defense in Deed