Cisco IOS Smart Install Protocol Misuse (cisco-sr-20170214-smi)

Nessus Plugin ID 99233

Synopsis

The Smart Install feature is enabled on the remote Cisco IOS device.

Description

The remote Cisco IOS device has the Smart Install feature enabled. The Smart Install (SMI) protocol does not require authentication by design. Because the SMI protocol has no authorization or authentication mechanism between the integrated branch clients (IBC) and the director, a client can process crafted SMI protocol messages as if they came from the Smart Install director. An unauthenticated, remote attacker can exploit this to perform the following actions:

- Change the TFTP server address on the IBC.
- Copy arbitrary files from the IBC to an attacker-controlled TFTP server.
- Substitute the client's startup-config file with a file that the attacker prepared and force a reload of the IBC after a defined time interval.
- Load an attacker-supplied IOS image onto the IBC.
- Execute high-privilege configuration mode CLI commands on an IBC, including do-exec CLI commands.

Solution

Disable the Smart Install feature.

See Also

http://www.nessus.org/u?bc0b0179

Plugin Details

Severity: Info

ID: 99233

File Name: cisco-sr-20170214-smi-ios.nasl

Version: 1.6

Type: combined

Family: CISCO

Published: 4/6/2017

Updated: 12/1/2020

Dependencies: cisco_ios_version.nasl

Vulnerability Information

CPE: cpe:/o:cisco:ios

Required KB Items: Host/Cisco/IOS/Version, Host/local_checks_enabled

Vulnerability Publication Date: 2/14/2017