Cisco patches switch hijacking hole – the one exploited by the CIA

Cisco has patched a critical security flaw in its switches that can be potentially exploited by miscreants to hijack networks – a flaw disclosed in the Vault 7 leak of CIA files. Switchzilla says the vulnerability, CVE-2017-3881, can be exploited remotely by simply establishing a Telnet connection and sending a cluster …

  1. Anonymous Coward

    Do people really leave Telnet enabled?

    1. Gerhard Mack

      Cisco treated SSH like a premium feature for the longest time. Even just a few years ago enabling the SSH v2 protocol required the Advanced encryption pack licence.

    2. Brad Ackerman

      There are idiots still using Windows XP; unencrypted HTTP for login (hence the Firefox changes); ridiculously out-of-date web browsers; Silverlight; and for all I know SSHv1 and LM authentication. Cisco used to charge extra for SSH support.

      Think of this as the Rule 34 of infosec: if it's possible to configure a system that way, no matter how dumb, some asshole will do it.

    3. gerdesj

      Yes, sadly

      All switches that cost more than, say, £200 that I know of have telnet enabled by default. It's bloody crap. It's not as though sshd is expensive - it's free!

      Mind you, given the calibre of some of the "top end" switch fiddlers that I have come across, I am not surprised. Security Not My Problem seems to be a mantra rather than a character flaw for some.

      1. Diginerd

        Re: Yes, sadly

        V3 if you must....

  2. Anonymous Coward

    Re: Telnet

    In any medium or largish (100+ network devices) I would expect a few telnet enabled devices.

    Combine misconfiguration, firmware that doesn't support encryption, non-standard switches to support a requirement that is deemed "non-IT" when it's purchased but IT end up supporting it, old devices in a remote office whose firmware only supports telnet - good security is hard at scale and on a budget...

  3. tom dial

    Telnet? Really?

    From 2009 or so within the US DoD networks, telnet (and ftp) services were generally not allowed. There were exceptions, nearly all ftp from non-DoD data providers, and these were addressed by establishing hardened proxy servers or DMZs where traffic could be examined and transferred securely for internal use. In later years, the screws were tightened several times a year in a continuing effort to weed out remaining exceptions, along with ftp.

    It exceeds my ability to understand use of telnet for administration, or enabling the telnet service on a network exposed to or reachable from the public Internet.

  4. A Non e-mouse

    ACLs

    Who the heck has something like a switch or router with a public IP address without locking down where you can login from?

    Fail for Cisco for the security hole, but an even bigger fail for sysadmins who never locked down telnet & SSH access.

  5. EnviableOne

    Cisco Security Advice

    It's been the recommendation that Telnet and HTTP be turned off, in favour of SSH and HTTPS, and an ACL applied to VTY lines, for years (at least 6, or two iterations of the CCNA).

    But along with leaving remote provisioning on, and CDP etc., Switchzilla expect you to get a certified engineer to install it and do the work, rather than legislating for the guy that buys Cisco because no one got fired for buying it, and plugs it in expecting it to work.
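As an added example (not part of this thread, and not Cisco's own tooling): a small Python audit over two constructed IOS-style config excerpts that checks the points the commenters raise, Telnet on VTY lines, a VTY line with no inbound access-class ACL, the plaintext HTTP server left on, and SSH not pinned to version 2; the hardened excerpt shows the corrected settings. The command names are standard IOS syntax, but both config excerpts and their addresses are constructed for the example.

```python
# Audit IOS-style running-config text for the weaknesses discussed above: Telnet
# (or 'all') on VTY lines, no inbound access-class ACL on a VTY line, the plain
# HTTP server left on, SSH not pinned to v2. Config excerpts are constructed.
import re

WEAK_CONFIG = """\
ip http server
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
no ip http server
ip http secure-server
ip ssh version 2
access-list 10 permit 10.0.0.0 0.0.0.255
line vty 0 15
 access-class 10 in
 transport input ssh
"""


def parse_vty_lines(config):
    """Map each 'line vty <first> [<last>]' block to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+(?: \d+)?)$", raw)
        if m:
            current = m.group(1)
            blocks[current] = set()
        elif raw.startswith(" ") and current is not None:
            blocks[current].add(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks


def audit_remote_access(config):
    """Return a sorted list of findings; an empty list means clean."""
    findings = []
    top = {ln.strip() for ln in config.splitlines() if not ln.startswith(" ")}
    if "ip http server" in top:
        findings.append("global: plaintext HTTP server enabled")
    if "ip ssh version 2" not in top:
        findings.append("global: SSH not pinned to version 2")
    for rng, cmds in parse_vty_lines(config).items():
        transports = [c.split()[2:] for c in cmds if c.startswith("transport input ")]
        # No explicit 'transport input' leaves the platform default, which may include Telnet.
        if not transports or any({"telnet", "all"} & set(t) for t in transports):
            findings.append(f"line vty {rng}: telnet permitted or not excluded")
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append(f"line vty {rng}: no inbound access-class ACL")
    return sorted(findings)
```

Running `audit_remote_access` over a real `show running-config` dump works the same way, since it only looks at top-level commands and `line vty` blocks.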
