2017 m. vasario 15 d., trečiadienis

Cisco Security Response: Cisco Smart Install Protocol Misuse

Cisco Security Response: Cisco Smart Install Protocol Misuse

Response ID: cisco-sr-20170214-smi

Revision 1.0

For Public Release 2017 February 14 16:00  UTC (GMT)

+-----------------------------------------------------------
----------

Summary
=======

Several researchers have reported on the use of Smart Install (SMI) protocol messages
toward Smart Install clients, also known as integrated branch clients (IBC), allowing an
unauthenticated, remote attacker to change the startup-config file and force a reload of the
device, upgrade the IOS image on the device, and execute high-privilege CLI commands on
switches running Cisco IOS and IOS XE Software.

Cisco does not consider this a vulnerability in Cisco IOS, IOS XE, or the Smart Install
feature itself but a misuse of the Smart Install protocol that by design does not require
authentication. Customers who seek more than zero-touch deployment should consider deploying
the Cisco Network Plug and Play solution instead.

Cisco has updated the Smart Install Configuration Guide to include security best practices
regarding the deployment of the Cisco Smart Install feature within customer infrastructures:
http://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/concepts.html#23355

This response is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi

Komentarų nėra:

Rašyti komentarą