A critical remote code execution vulnerability has been discovered in Cisco’s Smart Install Client code. Remote attackers can leverage this vulnerability to execute arbitrary code without any authentication. This can also be used to create Denial of Service conditions. The vulnerability was initially presented at GeekPWN 2017 Hong-Kong May 13th, 2017, and was patched by Cisco on March 28th 2018 along with an advisory.

Technical Information

The vulnerability exists in the Smart Install Client, which comes on some IOS/IOS-XE switches. Smart Install automates the initial configuration for new switches. This allows administrators to ship devices to new locations without pre-configuration. Smart Install technology has 2 agents, the Director which acts as a management point for client switches, and the Client which communicates with the Director to receive management instructions. The Client will open a server on TCP port 4786 and interact with the Director.
A remote attacker can craft a Discovery Initialization message to cause a stack-based buffer overflow, allowing arbitrary code to enter the buffer. Under normal conditions, the port should not be accessible from the internet, however public scanning has shown that many networks have this vulnerable port open. This is likely because the port is open by default on Smart Install Clients.

Organizations using Cisco IOS/IOS XE devices should verify if their products are affected by using the Cisco Widget located at: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2

Ensuring your security is our priority at ElevatedPrompt. If you have any questions or concerns regarding this vulnerability or have any cybersecurity concerns and questions, please reach out to your ElevatedPrompt account representative or email us at [email protected]