- RCE in the QoS service, CVE-2018-0151 (UDP port 18999).
- An unauthenticated attacker can log in to the device using the default username cisco, an undocumented privilege 15 account, CVE-2018-0150.
No public exploit has been released yet, but that is no reason to ignore these vulnerabilities: one can be sure that somebody already has one. Protect your devices now, while it is not too late.
Below I describe how to eliminate the danger of the Smart Install vulnerabilities CVE-2018-0156 and CVE-2018-0171, the QoS vulnerability CVE-2018-0151 and the default username cisco, CVE-2018-0150.
Keep in mind, though, that the rest of the Cisco equipment hardening requirements are very useful as well. Sometimes they are critical.
- Check whether the software on your devices is vulnerable to the CVEs listed above: compare the running versions against the fixed releases the vendor recommends.
- Check whether your network already contains compromised devices with unauthorized configuration changes. Restore known-good production configs, change passwords and keys, and preserve logs in case law enforcement needs to be involved.
- Disable Cisco Smart Install with the no vstack command.
- Delete the default username cisco.
- Restrict processing of packets addressed to the network device itself (the device's own address as dst IP) with dst port UDP 18999 (QoS) and TCP 4786 (Smart Install).
- Upgrade device software/firmware to the vendor-recommended versions. Keep in mind that this needs a maintenance window.
- Configure monitoring of the equipment for:
- — Cisco Smart Install (vstack) being enabled and TCP port 4786 being reachable
- — UDP port 18999 open (listening) on the device
- — the default username cisco appearing in configs
- Integrate this monitoring with the organisation's incident management process. Even after you have eliminated the bugs they can come back: the cause may be human error, a change in software behaviour after an upgrade, or a newly discovered bug.
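As an added example (my own code, not part of the original post and not a Cisco tool), the following Python script audits a saved running-config for the three mitigations above (no vstack, no default user cisco, an inbound ACL dropping TCP 4786 and UDP 18999 towards the device) and can be run periodically as part of the monitoring step. The two configurations embedded in it are constructed samples; the device address 10.0.0.2 and the ACL name BLOCK-SMI-QOS are assumptions.

```python
"""Audit a Cisco IOS running-config for the Smart Install / QoS / default-user
mitigations. Added example code for this post, not Cisco tooling. The two
configs below are constructed samples, not captures from a real device."""
import re

SMI_PORT = "4786"   # Smart Install, TCP
QOS_PORT = "18999"  # QoS, UDP

# Constructed: device still in default state, with the CVE-2018-0150 account.
VULNERABLE_CFG = """\
hostname sw-vuln
username cisco privilege 15 secret 5 $1$abcd$constructedhash
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
end
"""

# Constructed: Smart Install disabled, account removed, both ports dropped
# when addressed to the device's own IP (assumed 10.0.0.2), ACL applied inbound.
HARDENED_CFG = """\
hostname sw-hard
no vstack
ip access-list extended BLOCK-SMI-QOS
 deny tcp any host 10.0.0.2 eq 4786
 deny udp any host 10.0.0.2 eq 18999
 permit ip any any
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
 ip access-group BLOCK-SMI-QOS in
end
"""


def audit_config(cfg):
    """Return a list of findings; an empty list means all three mitigations are present."""
    lines = [line.rstrip() for line in cfg.splitlines()]
    findings = []

    # IOS only records 'no vstack' once Smart Install has been disabled; an
    # enabled client leaves nothing in the config, so absence is treated as enabled.
    if "no vstack" not in lines:
        findings.append("Smart Install not disabled (no 'no vstack' in config)")

    # Default account from CVE-2018-0150. Removing it leaves no trace, so we
    # only need to look for its presence.
    if any(re.match(r"username cisco(\s|$)", line) for line in lines):
        findings.append("default user 'cisco' present")

    # Collect named extended ACLs and the (protocol, port) pairs they deny.
    acls = {}
    current = None
    for line in lines:
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = set()
        elif current and line.startswith(" "):
            m = re.match(r"\s+deny (tcp|udp) .* eq (\d+)", line)
            if m:
                acls[current].add((m.group(1), m.group(2)))
        else:
            current = None  # left the ACL block

    blocking = {name for name, entries in acls.items()
                if ("tcp", SMI_PORT) in entries and ("udp", QOS_PORT) in entries}
    applied = {m.group(1) for line in lines
               for m in [re.match(r"\s+ip access-group (\S+) in", line)] if m}
    if not (blocking & applied):
        findings.append("no inbound ACL dropping TCP 4786 and UDP 18999")
    return findings


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_config(cfg) or "OK")
```

The config text is only a proxy for live state: `show vstack config` on the device is the authoritative check for whether Smart Install is actually active, and the ACL check above only confirms the shape of the rule set, not that every routed interface has it applied. Wire the non-empty findings list into the incident management system rather than just printing it.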