Cisco Finds Critical Vulnerability In WikiLeaks Docs

Cisco learned of a vulnerability in its software from the CIA documents published by WikiLeaks on March 7. But the security flaw wasn't included in the problems highlighted by WikiLeaks--Cisco's security team discovered the problem themselves while digging through the "Vault 7" document trove.

The company said in a security advisory that the vulnerability could "allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges." The problem was in the Cisco Cluster Management Protocol (CMP) processing code used by the Cisco IOS and Cisco IOS XE software. Cisco provided a list of 318 products affected by the vulnerability; you can find the full list in the company's advisory.

The vulnerability resulted from two problems:

  • The failure to restrict the use of CMP-specific Telnet options to only internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and
  • The incorrect processing of malformed CMP-specific Telnet options.

Cisco said it plans to address the vulnerability in future software updates and that no workarounds can mitigate the problem in the meantime. But it did advise customers to switch from the Telnet protocol to SSH because "disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector." Anyone who can't do that can still "reduce the attack surface by implementing infrastructure access control lists (iACLs)."

The vulnerability was publicly disclosed on March 17. Cisco said at the time that "the Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory." That's good news, considering 10 days passed between WikiLeaks' publication of the Vault 7 documents and Cisco's advisory about a critical vulnerability that affects hundreds of products.

Other vulnerabilities have been found in the Vault 7 trove. WikiLeaks revealed that the CIA targets smartphones to work around end-to-end encrypted messaging apps, that the spy agency circumvented major antivirus software, and that the agency has shown interest in remotely hacking cars. (Three antivirus vendors named in the docs--F-Secure, Avira, and AVG--later told us that the problems have been addressed, or they downplayed their impact.)

Now it's clear that more problems are likely to be found in the Vault 7 documents--and that's just within the files WikiLeaks decided to publish. Here's what the organization said about some of the things it decided not to release:

Wikileaks has carefully reviewed the "Year Zero" disclosure and published substantive CIA documentation while avoiding the distribution of 'armed' cyberweapons until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should analyzed, disarmed and published.

WikiLeaks also said that it "has intentionally not written up hundreds of impactful stories to encourage others to find them and so create expertise in the area for subsequent parts in the series" and that there are "very considerably more stories than there are journalists or academics who are in a position to write them." Expect more companies to find vulnerabilities (or hear about them directly from WikiLeaks) well into the foreseeable future.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • Murissokah
    I'm not sure if I got this right, but did they just make public through mainstream media a security flaw for which they have no fix?
  • WFang
    Well, the information was public already, so them not finding and admitting to it could well be considered neglect by investors and customers. Keep in mind, anyone (with the proper resources and background) could have combed the same document leak and come up with the same approach.

    If anything, their public confirmation is a smart move both towards existing customers (notifying them about a known flaw) and towards investors. Both are at this point some degree of damage control.

    (Removed one word for clarity.)
  • TheViper
    Shouldn't be using telnet anyway. SSH only unless your IOS release does not support encryption...then you have bigger problems to start with.
  • eriko
    @ TheViper

    And SSH VERSION 2 at that.

    I was battling Chinese hackers I couldn't keep out of my infrastructure for weeeeeeeks.

    I did not notice that I was on SSH v1, which is known to be compromised.

    So I generated new crypto keys, and set SSH v2, and that was that, they have not been in since. I also added an ACL entries for about 100 IPs that were involved in it too, all one by one, dog dammit, and a simple VTY-allowed list for me.

    I see them denied in my logs every few mins or so. Less and less often too. Seems they are close to giving up.

    I never once heard back from a single Chinese ISP regarding these attacks.
  • Braindead154
    If your still using Telnet, you've got bigger problems than this vulnerability.