Sunday, April 8, 2018

Protect yourself from Cisco Smart Install Attack and others. ToDo list

I can see a lot of publications about the Cisco Smart Install attack on April 6, 2018. The vendor and researchers started an interesting war of words, like a rap battle. Let's try to be an independent side in this battle. I want to share my experience of how to protect your infrastructure from such attacks.

On March 28, 2018 Cisco published 2 Smart Install vulnerabilities:

But the community forgot the other vulnerabilities from March 28, 2018:
The exploit has not been published for free yet, but that is no reason to ignore these vulnerabilities. Some people have this exploit, one can be sure. And you must protect your devices now because it is not too late yet.
I'll describe how to eliminate the danger of the Smart Install vulnerabilities CVE-2018-0156 and CVE-2018-0171, QoS CVE-2018-0151 and the default username cisco CVE-2018-0150.
But keep in mind that the other Cisco equipment hardening requirements are very useful too. Sometimes they may be critical.
You can see the action plan below. It may help you minimize the current threats from the vulnerabilities described above, and it is also useful in the future for keeping your Cisco and other network equipment secure.

Final ToDo list:
  • Analyze your devices' software to see if it is vulnerable to the CVEs mentioned above. Check software versions against the vendor-recommended ones.
  • Analyze whether your network contains hacked devices with unauthorized configuration changes. Restore production configs, change passwords and keys. Collect logs to inform law enforcement agencies if needed.
  • Disable Cisco Smart Install with the "no vstack" command.
  • Delete the default username "cisco".
  • Restrict processing of packets with destination port UDP 18999 (QoS) and TCP 4786 (Smart Install) that are addressed to the network device itself as destination IP.
  • Upgrade device software/firmware to the vendor-recommended versions. Keep in mind that a maintenance window is needed.
  • Configure equipment monitoring for:
      - Cisco Smart Install (vstack) activation and TCP port 4786 availability
      - UDP 18999 activation in the system (listening state)
      - the default username "cisco" appearing in configs
  • Integrate this monitoring process with the incident management system in the organisation. Even if you have eliminated the bugs, they can come back in the future. The reason for their reappearance may be the human factor, a change in software behavior after an upgrade, or the emergence of a new bug.
So it is incredibly important to maintain continuous monitoring of the secure state of your network equipment.
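
The monitoring items from the list above, as an added example that is not the author's code: a Python check that can be run over config backups and collected `show tcp brief all` / `show udp` output. The sample inputs are constructed, the output column layouts are assumptions, and `audit_device` is a hypothetical helper name.

```python
import re

# Constructed sample inputs (not from a real device); the column layouts are assumptions.
SAMPLE_CONFIG = """\
hostname sw-access-01
username admin privilege 15 secret 5 $1$constructed
username cisco privilege 15 password 0 cisco
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
"""
SAMPLE_TCP = """\
TCB       Local Address               Foreign Address             (state)
05FD9F98  0.0.0.0.4786                *.*                         LISTEN
0568FFFC  192.0.2.10.22               198.51.100.7.50122          ESTAB
"""
SAMPLE_UDP = """\
Proto        Remote      Port      Local       Port  In Out  Stat TTY OutputIF
17          0.0.0.0         0  192.0.2.10     18999   0   0    11   0
"""

def audit_device(name, running_config, tcp_brief="", udp_table=""):
    """Return (device, finding) tuples for the three monitored conditions."""
    findings = []
    lines = [l.strip() for l in running_config.splitlines()]
    # Default account: a local user literally named "cisco" (not "ciscoadmin").
    if any(re.match(r"username\s+cisco(\s|$)", l) for l in lines):
        findings.append((name, 'default username "cisco" present in config'))
    # Heuristic: treat Smart Install as possibly active unless "no vstack" is configured.
    if "no vstack" not in lines:
        findings.append((name, 'config lacks "no vstack" (Smart Install may be enabled)'))
    # TCP 4786: local address ends in .4786 and the connection state is LISTEN.
    for l in tcp_brief.splitlines():
        cols = l.split()
        if len(cols) >= 4 and cols[1].endswith(".4786") and cols[-1] == "LISTEN":
            findings.append((name, "TCP 4786 (Smart Install) is listening"))
            break
    # UDP 18999: a protocol-17 row that carries 18999 in one of its columns.
    for l in udp_table.splitlines():
        cols = l.split()
        if cols and cols[0] == "17" and "18999" in cols[1:]:
            findings.append((name, "UDP 18999 (QoS) is open"))
            break
    return findings

if __name__ == "__main__":
    for device, finding in audit_device("sw-access-01", SAMPLE_CONFIG, SAMPLE_TCP, SAMPLE_UDP):
        print(f"ALERT {device}: {finding}")  # forward this to the incident management system
```

Each returned finding is meant to become a ticket or alert, so a condition that reappears after an upgrade or a manual change is caught on the next run.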
