During the fall of 2018, I was engaged on a pentest project; where the network infrastructure consisted of multiple Cisco products. Performing the base reconnaissance and enumeration, I noticed that TCP port 4786 was present on several of the Cisco switches. Being a former Cisco Network and Unified Communications admin/architect for over 15+ years and still hold an active CCIE (#17963), I found that that port was odd. So, off to my favorite search engine to further investigate.
Based on my research TCP Port 4786 was part of Cisco’s zero touch plug-and-play Cisco Smart Install image management feature set. Further research uncovered that Cisco recognized that the Smart Install protocol could be misused. However, it was not a vulnerability. Hmmm…guessing it was a feature enhancement?!?!?
Further research uncovered that Cisco acknowledged that Smart Install was susceptible to a RCE vulnerability (CVE-2018-0171).
Returning to the search engine, I found a script created by Christian Papathanasiou, on GitHub, that would exploit CVE-2018-0171. So, I downloaded it and installed the required tftpy module with pip.
In order not to expose any of the customer’s information accidently, I decided to recreate the environment within my home lab. I used an early Cisco Catalyst 3560 24PS and upgraded the code to include the Cisco Smart Install feature set.
Next, I launched Christian’s script and let it do its magic. Within less than 30 seconds, I had the Start-up configuration from my lab switch.
Reviewing the contents of the config file, I found credentials for Type 5 and Type 7 passwords. Type 7 passwords used the Vigenere algorithm in order to obfuscate the password. Whereas Type 5 passwords were salted MD5 hashes.
It should also be noted that both user accounts had privileges set at 15. Meaning, both users had Enable or administrative access for the device.
Next, I downloaded another script that would decrypt Type 5 and Type 7 passwords created by Alexandre Cheron called cisco_pwdcrypt. I used pip to install the required modules and ran the script to decrypt the Type 7 password.
Note: If one has the Solar Winds Engineer Tool Kit, a Cisco password cracker should be included.
Using the cracked password for the admin account, I launched SSH to connect to the switch. It should also be noted that I had to alter the ssh command to include the SHA1 group; which was no longer natively available within Ubuntu 18.04’s SSH application.
Voilà, a new VTY connection to the switch was established.
As to mitigating CVE-2018–0171 as well as the “feature enhancement” for the Cisco Smart Install, Cisco recommended that customers not using the feature should disable it with the command of no vstack. However, Cisco has acknowledged that the command may not be available in certain IOS versions and should refer to BugID CSCtj75729. Thus, the next recommendation was to upgrade or downgrade IOS.
In addition, Cisco recommended using the security best practice of adding an ACL (Access Control List) to the switch or switches to control Smart Install client access for TCP Port 4786.
Lastly, it should be best practice to use Type 5 based complexed passwords when possible. In addition, SSH access should be limited by ACL to authorized personnel.
Disclaimer:
This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.
Information within this article is “as is”, without warranty of any sort.
