Cisco switch flaw led to attacks on critical infrastructure in several countries

Switches and LED Switch Status

Switches occupy the same place in the network as hubs. Unlike hubs, switches examine each frame and process it accordingly rather than simply repeating the signal to all ports. A switch learns the Ethernet (MAC) addresses of the nodes on each network segment and then lets only the necessary traffic pass through. When a frame is received, the switch reads its destination and source hardware addresses and looks them up in a table of segments and addresses. If both addresses are on the same segment, the frame is dropped ("filtered"); if they are on different segments, the frame is "forwarded" to the proper segment. Switches also stop bad or misaligned frames from spreading by not forwarding them.


You can use the switch LEDs to monitor switch activity and its performance. Figure 1-23 shows the switch LEDs and the Mode button that you use to select one of the port modes.

All LEDs are visible through the GUI management applications—Network Assistant for multiple switches and the device manager for a single switch. The switch software configuration guide describes how to use the CLI to configure and to monitor individual switches and switch clusters.

Only the Catalyst 2960 PoE switches have a PoE LED.

The four Catalyst 2960 8-port switches and these models do not have an RPS connector or an RPS LED: Catalyst 2960-24-S, Catalyst 2960-24TC-S, Catalyst 2960-48TT-S, Catalyst 2960-48TC-S.

Cisco switch flaw led to attacks on critical infrastructure in several countries

  • Leveraging a protocol misuse issue in the Cisco Smart Install client, nation-state actors have been able to aim cyberattacks at critical infrastructure in many countries.
  • Cisco has released an open source tool that scans for exposed Smart Install clients; more than 168,000 systems may be affected by the flaw.

A flaw in Cisco switches has allowed hackers to target critical infrastructure in many countries with cyberattacks, according to a Thursday security report from the Cisco Talos team. As many as 168,000 systems may be affected by the flaw.

According to the report, attackers are abusing a protocol issue in the Cisco Smart Install client. If an administrator neither configures Smart Install nor turns it off, the client stays enabled in the background, listening on TCP port 4786 and accepting commands from whatever connects to it.

The post noted that, if abused, the Smart Install protocol can be used to “modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands.”

The Talos team used the search tool Shodan to determine that more than 168,000 systems could be vulnerable to an attack from this flaw. However, in 2016, the cyber security firm Tenable noted that there were 251,000 exposed Cisco Smart Install clients, the report said.

The report also noted that incidents of scanning for Cisco Smart Install Clients saw a “sharp increase” around November 9, 2017. This doesn’t necessarily indicate malicious behavior, but is interesting nonetheless.
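The check a scanner like Cisco's tool performs is a short TCP exchange on port 4786. The Python below is an added example, not the Talos tool or code from the original article: it connects, sends the 16-byte Smart Install probe, and reports a host as exposed only if it answers with the exact reply an enabled client returns. The probe and reply byte strings are an assumption taken from public Smart Install checkers and should be verified against Cisco's tool before use; the mock switch at the end is a constructed stand-in so the checker can be exercised offline against an exposed host, a host running something else on 4786, and a closed port (the last two are failure modes the text does not spell out).

```python
"""Probe hosts for an exposed Cisco Smart Install client on TCP/4786."""
import socket
import threading

SMI_PORT = 4786

# ASSUMPTION: this 16-byte probe and the reply an enabled Smart Install
# client sends back are taken from public Smart Install checkers (e.g. the
# Talos smi_check tool); verify them against that tool before relying on
# this for anything more than a demonstration.
SMI_PROBE = bytes.fromhex("00000001000000010000000400000008")
SMI_REPLY = bytes.fromhex("00000004000000000000000300000008")


def _recv_exact(sock, n):
    """Read exactly n bytes, or whatever arrived before the peer closed."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def check_smart_install(host, port=SMI_PORT, timeout=3.0):
    """Return True only if host answers the probe exactly as an enabled
    Smart Install client does. A closed port, a silent listener (timeout)
    or any other reply yields False, so a scan never hangs on one host."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(SMI_PROBE)
            reply = _recv_exact(sock, len(SMI_REPLY))
    except OSError:  # refused, unreachable, reset, or socket timeout
        return False
    return reply == SMI_REPLY


def scan(hosts, port=SMI_PORT, timeout=3.0):
    """Map each host to True/False; the True ones need `no vstack` or an ACL."""
    return {host: check_smart_install(host, port, timeout) for host in hosts}


# --- constructed stand-ins so the checker can be exercised offline ---------
def start_mock_switch(reply=SMI_REPLY):
    """Listen on 127.0.0.1 on an ephemeral port, answer one probe with
    `reply` (the real Smart Install reply by default), return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            if _recv_exact(conn, len(SMI_PROBE)) == SMI_PROBE:
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


def closed_port():
    """Return a local port number that nothing is listening on."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    targets = {
        "exposed client": start_mock_switch(),
        "other service on 4786": start_mock_switch(reply=b"\x00" * 16),
        "closed port": closed_port(),
    }
    for label, port in targets.items():
        print(f"{label} (127.0.0.1:{port}) ->",
              check_smart_install("127.0.0.1", port, timeout=1.0))
```

Run it against real addresses with `scan(["10.0.0.1", "10.0.0.2"])`; anything that comes back True is a device where `show vstack config` should report the client enabled and where the mitigations below apply. Keep the timeout short, since a quiet host on 4786 costs a full timeout per probe.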

To determine whether the Smart Install client is active on a device, run the show vstack config command, the report said. Here's an example of output from a switch where it is enabled:


switch#show vstack config | inc Role
 Role: Client (SmartInstall enabled)

It's also important to check the device logs for write operations, device reloads, and other indicators that the configuration or image has been touched.

The easiest way to shut down the issue is to run the no vstack command on an affected device, the report said. If that command is not available on the device's software release, restrict access instead with an access control list (ACL) that allows TCP port 4786 only between the Smart Install director and the switch, and apply it inbound on the interfaces facing untrusted networks. Here's what the list looks like, with the director and switch addresses shown as placeholders:

ip access-list extended SMI_HARDENING_LIST
 permit tcp host <director-ip> host <switch-ip> eq 4786
 deny tcp any any eq 4786
 permit ip any any

For additional help, contact the Cisco Technical Assistance Center (TAC) for free incident response assistance.


“In order to secure and monitor perimeter devices, network administrators need to be especially vigilant. It can be easy to ‘set and forget’ these devices, as they are typically highly stable and rarely changed,” the report said. “Combine this with the advantages that an attacker has when controlling a network device, and routers and switches become very tempting targets.”



About the Author: usama
