After digging through the CIA archives released by WikiLeaks, Cisco says they've discovered a previously unknown flaw impacting 318 switch models. The bug, which the CIA has known about for an undetermined amount of time, can allow a remote attacker to execute code or cause a reload of a targeted device.
Cisco says in its advisory that the vulnerability in the Cluster Management Protocol (CMP) exists due to the combination of two factors.
The first is failure to restrict CMP-specific Telnet options to "local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device."
The second factor is the processing of malformed CMP-specific options.
"An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device," the advisory states.
CMP-specific Telnet options are processed by default, which means even if there are no cluster configuration commands present on the device, an attacker can still exploit the vulnerability via Telnet on IPv4 or IPv6.
"This vulnerability can only be exploited through a Telnet session established to the device - sending the malformed options on Telnet sessions through the device will not trigger the vulnerability," Cisco explained.
Cisco says they will release software updates that address the vulnerability in Cisco IOS and Cisco IOS XE. However, they didn't provide a timeline as to when those fixes will be made available. Instead, Cisco urged customers to keep an eye on the IOS Software Checker tool for details.
For now, Cisco recommends that administrators disable Telnet as an allowed protocol for incoming connections and use SSH instead, as this will eliminate the exploit vector. Moreover, disabling Telnet in favor of SSH is highly recommended by Cisco as a rule for device hardening. Additional details on this process are available here.
If for some reason disabling Telnet just isn't an option, then Cisco recommends customers lower the attack surface by implementing iACLs – or infrastructure access control lists. Information on iACLs is available here.
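The two mitigations above (SSH-only VTY lines, and an infrastructure ACL where Telnet cannot be turned off) are easy to state but easy to miss on one of a few hundred switches. The following script is an added example, not part of the article or of Cisco's advisory: it reads Cisco IOS-style running-config text, finds each `line vty` block, and flags any that still accepts Telnet inbound (`transport input telnet` or `transport input all`) or that has no inbound `access-class`. Both sample configurations are constructed for illustration; the ACL name `INFRA-MGMT` and the 10.0.100.0/24 management range are assumptions, not values from the advisory.

```python
"""Audit Cisco IOS-style running-config text for VTY lines that still accept Telnet.

Added example (not from the article or from Cisco). It checks the two
mitigations the advisory recommends: SSH-only inbound transport on the VTY
lines, and an inbound access-class (infrastructure ACL) on each VTY block.
Both sample configs below are constructed for illustration.
"""
import re

# Constructed sample: weak VTY configuration that still accepts Telnet.
WEAK_CONFIG = """\
hostname switch-a
!
line vty 0 4
 transport input telnet ssh
 login local
!
line vty 5 15
 transport input all
 login local
!
"""

# Constructed sample: the hardened form (SSH only, plus an infrastructure ACL).
# ACL name and management subnet are assumptions for this example.
HARDENED_CONFIG = """\
hostname switch-a
!
ip access-list extended INFRA-MGMT
 permit tcp 10.0.100.0 0.0.0.255 any eq 22
 deny ip any any log
!
line vty 0 15
 access-class INFRA-MGMT in
 transport input ssh
 login local
!
"""

LINE_VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")


def parse_vty_blocks(config):
    """Return a list of (block header, [indented sub-lines]) for each `line vty` block.

    IOS indents a line's sub-commands by one space; any unindented line
    (including the `!` separator) ends the current block.
    """
    blocks = []
    current = None
    for raw in config.splitlines():
        if LINE_VTY_RE.match(raw):
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current[1].append(raw.strip())
        else:
            current = None
    return blocks


def audit_vty(config):
    """Return a list of finding strings; an empty list means every VTY block is hardened."""
    findings = []
    for name, lines in parse_vty_blocks(config):
        transports = None
        has_acl = False
        for line in lines:
            if line.startswith("transport input"):
                transports = set(line.split()[2:])
            elif line.startswith("access-class") and line.endswith(" in"):
                has_acl = True
        if transports is None:
            # No explicit setting: the platform default applies, so it is not
            # provably SSH-only. Make it explicit.
            findings.append(f"{name}: no explicit 'transport input'; set 'transport input ssh'")
        elif "all" in transports or "telnet" in transports:
            findings.append(
                f"{name}: Telnet accepted inbound ({' '.join(sorted(transports))}); "
                "use 'transport input ssh'"
            )
        if not has_acl:
            findings.append(f"{name}: no inbound access-class; apply an infrastructure ACL")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_vty(cfg) or ["no findings"]:
            print(" ", finding)
```

Run against a saved `show running-config` from each switch; the weak sample produces four findings (Telnet on both VTY ranges, no access-class on either), while the hardened sample produces none. The access-class check only confirms that an ACL is applied, not that its contents are correct, so the ACL itself still needs review.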
The devices affected by the vulnerability discovered in the CIA cache include 264 Catalyst switches, more than 50 Industrial Ethernet switches, Embedded Service 2020 switches, Cisco RF Gateway, and the SM-X Layer 2/3 EtherSwitch Service Module.