CISA Warns of Hackers Exploiting Legacy Cisco Smart Install Feature

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed that threat actors are abusing the legacy Cisco Smart Install (SMI) feature with the aim of accessing sensitive data.

The agency said it has seen adversaries “acquire system configuration files by leveraging available protocols or software on devices, such as abusing the legacy Cisco Smart Install feature.”

It also said it continues to observe weak password types used on Cisco network devices, thereby exposing them to password-cracking attacks. Password types refer to algorithms that are used to secure a Cisco device’s password within a system configuration file.

Threat actors who are able to gain access to the device in this manner would be able to easily access system configuration files, facilitating a deeper compromise of the victim networks.

“Organizations must ensure all passwords on network devices are stored using a sufficient level of protection,” CISA said, adding it recommends “type 8 password protection for all Cisco devices to protect passwords within configuration files.”

It is also urging enterprises to review the National Security Agency’s (NSA) Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for configuration guidance.

Additional best practices include the use of a strong hashing algorithm to store passwords, avoiding password reuse, assigning strong and complex passwords, and refraining from using group accounts that do not provide accountability.

The development comes as Cisco warned of the public availability of a proof-of-concept (PoC) code for CVE-2024-20419 (CVSS score: 10.0), a critical flaw impacting Smart Software Manager On-Prem (Cisco SSM On-Prem) that could enable a remote, unauthenticated attacker to change the password of any users.

The networking equipment major has also alerted of multiple critical shortcomings (CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454, CVSS scores: 9.8) in Small Business SPA300 Series and SPA500 Series IP Phones that could permit an attacker to execute arbitrary commands on the underlying operating system or cause a denial-of-service (DoS) condition.

“These vulnerabilities exist because incoming HTTP packets are not properly checked for errors, which could result in a buffer overflow,” Cisco said in a bulletin published on August 7, 2024.

“An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to overflow an internal buffer and execute arbitrary commands at the root privilege level.”

The company said it does not intend to release software updates to address the flaws, as the appliances have reached end-of-life (EoL) status, necessitating that users transition to newer models.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.