The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory urging organisations to disable the legacy Cisco Smart Install (SMI) feature, following a series of recent cyber-attacks in which the feature was abused. CISA's alert underscores a growing pattern of malicious actors targeting legacy protocols to gain unauthorised access to sensitive information, including system configuration files.
CISA's latest advisory highlights that cybercriminals have been actively leveraging the legacy SMI protocol, along with other vulnerable software and protocols, to compromise network devices and steal critical data. The agency has strongly recommended that administrators disable the SMI protocol, which has been replaced by the more secure Cisco Network Plug and Play solution, to mitigate the risk of these ongoing attacks.
Additionally, CISA advises organisations to consult the National Security Agency's (NSA) Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for further guidance on securing their network infrastructure. These resources provide essential configuration best practices to help organisations protect against similar threats.
Historically, the Cisco Smart Install protocol has been a target for attackers. Back in 2018, Cisco's Talos threat intelligence team identified that the SMI protocol was being abused in attacks aimed at Cisco switches. These attacks were linked to several notorious hacking groups, including the Russian-backed Dragonfly advanced persistent threat (APT) group, also known as Crouching Yeti and Energetic Bear.
The exposure arose from switch owners leaving the SMI client enabled, as it is by default on many Catalyst switches, without restricting access to it: the client listens on TCP port 4786 and accepts "installation/configuration" commands without authentication, so anyone who can reach that port can issue them. Once a switch was compromised this way, threat actors could manipulate configuration files, replace the IOS system image, create rogue accounts, and exfiltrate sensitive information using the TFTP protocol.
Cisco had previously warned its customers in February 2017 and February 2018 about the active scanning of Internet-exposed SMI-enabled devices by malicious actors. Despite these warnings, the exploitation of the SMI protocol continues to be a significant concern, prompting CISA's recent advisory.
Strengthening Password Security on Cisco Devices
In addition to addressing the SMI protocol vulnerabilities, CISA has also emphasised the importance of robust password protection for Cisco network devices. The agency has observed that attackers often exploit weak password types to gain unauthorised access to network infrastructure.
A Cisco password type is the algorithm used to protect a password as it is stored in the device configuration. Weak types are reversible or cheap to crack, so an attacker who obtains a configuration file, for example through the SMI abuse described above, can recover the credentials in it, log in to the device, and reuse them against the rest of the network. To prevent this, CISA recommends implementing strong password protection measures.
Specifically, CISA advises organisations to use NIST-approved Type 8 password protection for all Cisco devices. This involves hashing passwords with the Password-Based Key Derivation Function version 2 (PBKDF2), using the SHA-256 hashing algorithm, an 80-bit salt, and 20,000 iterations. These measures significantly enhance password security, making it much harder for cybercriminals to crack them.
For further details on how to enable Type 8 privilege EXEC mode passwords and create a local user account with a Type 8 password on a Cisco device, CISA refers administrators to the NSA's Cisco Password Types: Best Practices guide.
CISA also emphasises following best practices for securing administrator accounts and passwords within configuration files. This includes using strong hashing algorithms, avoiding password reuse, ensuring passwords are complex, and steering clear of group accounts that lack individual accountability.
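The following Python script is an added example, not code from CISA, the NSA or Cisco. It ties together the two findings above: it audits a running-config for an SMI client that has not been disabled and for credential lines stored with weak password types, decodes a Type 7 string to show why that type offers no protection, and generates and verifies Type 8 secrets with the PBKDF2-HMAC-SHA256, 20,000-iteration, 14-character-salt parameters quoted above. The Type 7 XOR key and the crypt-style base64 alphabet used for Type 8 digests come from public documentation of those formats, not from this page; the sample configs, hostnames, usernames and passwords are constructed for the example.

```python
"""Audit a Cisco IOS running-config for the two issues CISA calls out: Smart Install
left enabled and weak password types; then produce and verify Type 8 secrets."""
import base64
import hashlib
import hmac
import re
import secrets

# --- Smart Install ------------------------------------------------------------
SMI_PORT = 4786  # TCP port the SMI client listens on; enabled by default on many Catalyst switches


def smi_enabled(config: str) -> bool:
    """True unless the config explicitly disables the client with 'no vstack'."""
    return not any(line.strip() == "no vstack" for line in config.splitlines())


# --- Password types -----------------------------------------------------------
# Type 7 is obfuscation with a fixed, public XOR key; the first two digits are an offset into it.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data)).decode()


# Type 8/9 salts and digests use the crypt-style alphabet, not RFC 4648 base64.
CISCO_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_STD_TO_CISCO = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/", CISCO_B64)
TYPE8_ITERATIONS = 20000
TYPE8_SALT_LEN = 14  # characters; 14 x 6 bits covers the 80-bit salt Cisco documents


def type8_hash(password: str, salt: str = "") -> str:
    """$8$<salt>$<digest>: PBKDF2-HMAC-SHA256, 20000 iterations, 32-byte key, 43-char digest."""
    if not salt:
        salt = "".join(secrets.choice(CISCO_B64) for _ in range(TYPE8_SALT_LEN))
    if len(salt) != TYPE8_SALT_LEN or any(c not in CISCO_B64 for c in salt):
        raise ValueError("salt must be 14 characters from the Cisco base64 alphabet")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), TYPE8_ITERATIONS, dklen=32)
    digest = base64.b64encode(dk).decode().rstrip("=").translate(_STD_TO_CISCO)
    return f"$8${salt}${digest}"


def type8_verify(password: str, stored: str) -> bool:
    m = re.fullmatch(r"\$8\$([./0-9A-Za-z]{14})\$[./0-9A-Za-z]{43}", stored)
    if not m:
        raise ValueError("not a Type 8 secret")
    return hmac.compare_digest(type8_hash(password, m.group(1)), stored)


VERDICT = {
    "0": "plaintext",
    "7": "reversible obfuscation",
    "4": "broken SHA-256 variant",
    "5": "MD5-crypt, not NIST-approved",
    "6": "reversible AES (for keys, not logins)",
    "8": "PBKDF2-HMAC-SHA256, NIST-approved",
    "9": "scrypt, strong but not NIST-approved",
}
WEAK_TYPES = {"0", "4", "5", "7"}
_CRED = re.compile(r"^(enable|username \S+)(?: privilege \d+)? (password|secret)(?: (\d))? (\S+)$")


def audit_passwords(config: str) -> list:
    """Return (subject, type, verdict) per credential line; a missing type digit means Type 0."""
    findings = []
    for line in config.splitlines():
        m = _CRED.match(line.strip())
        if m:
            ptype = m.group(3) or "0"
            findings.append((m.group(1), ptype, VERDICT.get(ptype, "unknown")))
    return findings


def weak_credentials(config: str) -> list:
    return [subject for subject, ptype, _ in audit_passwords(config) if ptype in WEAK_TYPES]


# Constructed sample configs (not captured from any real device).
WEAK_CONFIG = """\
hostname edge-sw1
enable password 7 0822455D0A16
username ops secret 5 $1$Q7wR$2Oq9nL1cX0bT6fDq3wKxY0
username admin privilege 15 secret 8 {}
""".format(type8_hash("Correct-Horse-Battery", "TnGX/fE4KGHOVU"))
HARDENED_CONFIG = """\
hostname edge-sw1
no vstack
enable secret 8 {}
username admin privilege 15 secret 8 {}
""".format(type8_hash("Enable-Only-Phrase-7", "aB3dEfGh1jKlMn"),
           type8_hash("Correct-Horse-Battery", "TnGX/fE4KGHOVU"))

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: SMI enabled={smi_enabled(cfg)}, weak credentials={weak_credentials(cfg)}")
    print("Type 7 '0822455D0A16' decodes to", type7_decode("0822455D0A16"))
```

On the switch itself the corresponding commands are `no vstack` (confirm with `show vstack config`), `enable algorithm-type sha256 secret <password>` and `username <name> algorithm-type sha256 secret <password>`; the script is for checking exported configs in bulk, and `smi_enabled` deliberately treats the absence of `no vstack` as exposed because the client is on by default.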
By adhering to these guidelines, organisations can significantly bolster their defences against the ever-evolving landscape of cyber threats.