Topic: MAJOR Cisco Vuln 2 Apr 2018

deanwebb (OP)

  • Permit any any all log
  • Administrator
  • Volume Licensing
  • *****
  • Join Date: Jan 2015
  • Posts: 7817
  • Country: us
  • Rep: 19
  • *I* am the one who NACs.
    • View Profile
  • Certifications: FSCA: ForeScout Certified Administrator, CCNP Security, Tufin CSE, TippingPoint ASE
MAJOR Cisco Vuln 2 Apr 2018
« on: April 04, 2018, 04:51:37 PM »
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2

Check your gear and make sure this service is off or that you're blocking the hell out of TCP/4786.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!

deanwebb (OP)

Re: MAJOR Cisco Vuln 2 Apr 2018
« Reply #1 on: April 04, 2018, 05:15:35 PM »
BTW, the service is *on* by default. Just talked to some guys that were able to pop a switch with this vuln pretty easily.

:rage:

EDIT:

[vendor mode="on"]ForeScout has a security policy template that checks for this. If you're running ForeScout, get that SPT update and check your gear.[vendor mode="off"]
« Last Edit: April 04, 2018, 05:19:24 PM by deanwebb »

SimonV

  • advipservicesk9
  • ****
  • Join Date: Jan 2015
  • Posts: 1033
  • Country: be
  • Rep: 10
    • View Profile
    • Blog
  • Certifications: N+ GFL, CCNP, CCNA Wireless, JNCIS-SEC/ENT
Re: MAJOR Cisco Vuln 2 Apr 2018
« Reply #2 on: April 05, 2018, 04:12:21 AM »
More information and source code are posted on the Embedi site. We're checking now with Cisco if "no vstack" counts as a valid workaround.

Otanx

  • advipservicesk9
  • ****
  • Join Date: Jan 2015
  • Posts: 1692
  • Country: us
  • Rep: 8
    • View Profile
  • Certifications: CCNP
Re: MAJOR Cisco Vuln 2 Apr 2018
« Reply #3 on: April 05, 2018, 09:30:12 AM »
After some testing with our cyber guys the no vstack works. We also scanned for any open tcp/4786. Smart Install should have been off a long time ago because of this one - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi

-Otanx

SimonV

Re: MAJOR Cisco Vuln 2 Apr 2018
« Reply #4 on: April 05, 2018, 09:52:46 AM »
Indeed, Cisco also confirmed it. They should at least mention it in the advisory nonetheless...

deanwebb (OP)

Re: MAJOR Cisco Vuln 2 Apr 2018
« Reply #5 on: April 05, 2018, 03:11:38 PM »
I will check on my homelab switch...

Code:
USDAL-3750e-CDA-01(config)#do sh vstack config
 Role: Client
 Vstack Director IP address: 0.0.0.0

 *** Following configurations will be effective only on director ***
 Vstack default management vlan: 1
 Vstack management Vlans: none
USDAL-3750e-CDA-01(config)#do sh tcp br all | inc 4786
044300E0  *.4786                  *.*                    LISTEN

Oh my... I need to turn that stuff off!
Code:
USDAL-3750e-CDA-01(config)#no vstack
% Incomplete command.

USDAL-3750e-CDA-01(config)#

* deanwebb then reads later in the tech note that not all switches support turning off vstack...
:rage:

deanwebb (OP)

Re: MAJOR Cisco Vuln 2 Apr 2018
« Reply #6 on: April 12, 2018, 12:34:27 PM »
If you have a Netflow monitor in place, check it for TCP 4786 traffic. You may have something evil inside your network... or something evil that found a way around the firewalls...

Otanx

Re: MAJOR Cisco Vuln 2 Apr 2018
« Reply #7 on: April 12, 2018, 03:07:51 PM »
We set our IDS to alert to any TCP/4786 packet with an ACK flag set. This way I don't get alerts on scanning, but will get alerted if any of my gear responds.

-Otanx

SimonV

Re: MAJOR Cisco Vuln 2 Apr 2018
« Reply #8 on: April 13, 2018, 02:26:18 AM »
New advisory is up.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180409-smi

This one includes the 'no vstack' workaround, merely 14 days after the exploit was published.
« Last Edit: April 13, 2018, 02:33:55 AM by SimonV »

ristau5741

  • Administrator
  • OC-1920
  • *****
  • Join Date: Jan 2015
  • Posts: 12230
  • Country: us
  • Rep: 19
    • View Profile
  • Certifications: Instanity
Re: MAJOR Cisco Vuln 2 Apr 2018
« Reply #9 on: April 13, 2018, 06:13:57 AM »
There's another critical one out yesterday, affects IOS and IOS/XE - QoS for DMVPN UDP port 18999

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-qos
:professorcat:

“You can destroy your now by worrying about tomorrow.”
-Janis Joplin

deanwebb (OP)

Re: MAJOR Cisco Vuln 2 Apr 2018
« Reply #10 on: April 13, 2018, 07:08:16 AM »
Quote from: Otanx on April 12, 2018, 03:07:51 PM
    We set our IDS to alert to any TCP/4786 packet with an ACK flag set. This way I don't get alerts on scanning, but will get alerted if any of my gear responds.

    -Otanx

You'll want an alert if the scan is from outside your network, I can guarantee that.

deanwebb (OP)

Re: MAJOR Cisco Vuln 2 Apr 2018
« Reply #11 on: April 13, 2018, 07:30:33 AM »
Quote from: ristau5741 on April 13, 2018, 06:13:57 AM
    There's another critical one out yesterday, affects IOS and IOS/XE - QoS for DMVPN UDP port 18999

    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-qos

So, add another line to that ACL that blocks 4786...

Otanx

Re: MAJOR Cisco Vuln 2 Apr 2018
« Reply #12 on: April 13, 2018, 10:32:41 AM »
Quote from: deanwebb on April 13, 2018, 07:08:16 AM
    Quote from: Otanx on April 12, 2018, 03:07:51 PM
        We set our IDS to alert to any TCP/4786 packet with an ACK flag set. This way I don't get alerts on scanning, but will get alerted if any of my gear responds.

        -Otanx

    You'll want an alert if the scan is from outside your network, I can guarantee that.

I really don't care if the scan is from outside my network. I just checked our flow, and I have thousands of entries for TCP/4786 with one packet, and the SYN flag set. Those are just random attackers trying every IP to see what responds. If I respond to one of those attackers then I care. My response will have SYN and ACK flags set (normal TCP handshake), and my IDS will alert me.

Now for the UDP/18999 one I can't do that as there is no handshake. The Cisco alert makes it sound like it is a one packet attack. This means I can't tell if the attack is successful or not from monitoring the network. The only saving grace on that is it was found internally by Cisco so it isn't a 0 day. However, it will not take long for someone to figure it out from the details given so patch your gear, and double check you patched everything.

-Otanx
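
The flow triage Otanx describes above, written out as an added example that is not from the thread or any of its posters: it sorts constructed NetFlow-style records for TCP/4786 into Internet scan noise (single inbound SYNs), probes that originate inside the LAN (deanwebb's "something evil inside your network"), and our own devices that answered with SYN+ACK, which is the case worth an alert. The record fields, the flag encoding and the internal address ranges are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SMART_INSTALL_PORT = 4786
SYN, ACK = 0x02, 0x10   # TCP flag bits as carried in the NetFlow tcpFlags field
# Hypothetical internal address space, constructed for this example
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class Flow:
    """One unidirectional NetFlow-style record (constructed field set)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int  # cumulative OR of the TCP flags seen in the flow


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)


def classify(f):
    """Sort a flow into the buckets the thread argues about."""
    if f.dport == SMART_INSTALL_PORT and f.flags & SYN and not f.flags & ACK:
        # A probe (SYN, no ACK): background noise from the Internet, but a
        # sign that something on the LAN is hunting for listeners if internal.
        return "internal_probe" if is_internal(f.src) else "external_probe"
    if (f.sport == SMART_INSTALL_PORT and is_internal(f.src)
            and f.flags & (SYN | ACK) == (SYN | ACK)):
        # One of our devices answered the handshake: it is listening on 4786.
        return "device_responded"
    return "unrelated"


def triage(flows):
    """Count probes and list every internal device that answered on 4786."""
    report = {"external_probe": 0, "internal_probe": 0, "responders": set()}
    for f in flows:
        kind = classify(f)
        if kind == "device_responded":
            report["responders"].add(f.src)
        elif kind != "unrelated":
            report[kind] += 1
    return report


# Constructed sample: two Internet scans, one probe from inside the LAN,
# and one switch that answered a scanner with SYN+ACK.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", 51234, "192.168.10.5", 4786, SYN),
    Flow("198.51.100.9", 40000, "192.168.10.6", 4786, SYN),
    Flow("10.20.30.40", 55555, "192.168.10.5", 4786, SYN),
    Flow("192.168.10.5", 4786, "203.0.113.7", 51234, SYN | ACK),
]
```

Running `triage(SAMPLE_FLOWS)` reports the two external probes as a count only, flags the internal probe separately, and names 192.168.10.5 as the device that responded.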


deanwebb (OP)

Re: MAJOR Cisco Vuln 2 Apr 2018
« Reply #13 on: April 13, 2018, 11:49:26 AM »
If the scan is from outside the network and hitting the firewall, I agree, meh.

If the scan is from outside the network and hitting internal hosts, that would warrant further serious investigation.