Cisco Systems recently announced that over 300 models of switches manufactured by Cisco contain a vulnerability that allows an attacker, using a relatively simple malformed command, to gain complete control of the affected unit.
They found this vulnerability recently by analyzing several documents believed to have been stolen from the US Government, which is itself another scary thought about how well our government has been protecting its secrets. Cisco notified the world of this vulnerability on March 17, 2017, in a Cisco Security Advisory.
How does this work? The attacker sends malformed Cluster Management Protocol (CMP) options over a Telnet session while the connection is being negotiated. The affected device neither restricts these CMP-specific Telnet options to internal cluster traffic nor handles the malformed ones correctly, so it ends up giving the attacker the equivalent of privilege level 15 (full administrative) access to the unit.
Cisco said there are no workarounds that address this bug. Cisco further indicated that it can only be exploited when the unit is set up to accept incoming Telnet connections. So, in my mind, I would immediately disable Telnet altogether; that removes the attack vector, although the underlying bug stays in the software until you install a fixed release.
You can disable Telnet on your Cisco device by logging in, entering global configuration mode (configure terminal), and typing the following commands. If you want to leave SSH access on, use option one, but make sure SSH is already working (RSA key generated, a local username configured, and login local on the vty lines) before you do, or you will lock yourself out of remote management. If you want to turn off all remote access completely, follow option two. Either way, check show line first so the vty range you configure matches the lines your platform actually has.
Option one (Telnet disabled, SSH still allowed)
- line vty 0 15
- transport input ssh
- end
- write memory
Option two (all remote vty access disabled)
- line vty 0 15
- transport input none
- end
- write memory
I would also suggest that you regenerate the device's RSA key pair (crypto key zeroize rsa, then crypto key generate rsa, done from the console since SSH stops working in between) if you believe the device has been compromised, and that you verify every user account configured on the device (show running-config | include username) is legitimate.
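As an added example (not code from the original post or from Cisco), here is a small Python audit that applies the two checks above to a saved show running-config dump offline: it flags every vty range that still accepts Telnet, including ranges with no transport input line at all (the IOS default allows all transports), and lists the local accounts with their privilege level so you can compare them against the ones you expect. The config text inside the block is constructed for the demo.

```python
"""Offline audit of a Cisco IOS running-config: vty lines that still accept
Telnet, and which local accounts exist with what privilege level.
Added example, not code from the original post or from Cisco.  The sample
configs below are constructed for the demo; the parser assumes the IOS
default that a vty line with no 'transport input' statement accepts every
transport, including Telnet."""
import re

# Constructed sample: one vty range with no transport statement (IOS
# default = all transports) and one that explicitly lists telnet.
VULNERABLE_CONFIG = """\
hostname sw-access-1
username admin privilege 15 secret 5 $1$EXAMPLE$constructedhash0000000
username helpdesk secret 5 $1$EXAMPLE$constructedhash1111111
!
line con 0
line vty 0 4
 login local
line vty 5 15
 login local
 transport input telnet ssh
!
end
"""

# Constructed sample: the same box after "option one" from the post.
HARDENED_CONFIG = """\
hostname sw-access-1
username admin privilege 15 secret 5 $1$EXAMPLE$constructedhash0000000
!
line con 0
line vty 0 15
 login local
 transport input ssh
!
end
"""

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")
TRANSPORT_RE = re.compile(r"^\s+transport input (.+)$")
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?", re.M)


def parse_vty_blocks(config):
    """One dict per 'line vty' block: first/last line number and the list
    of transports from 'transport input', or None when the line is absent."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        # Any non-indented line (next section, '!', 'end') closes the block.
        if current is not None and not line.startswith(" "):
            blocks.append(current)
            current = None
        m = VTY_RE.match(line)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = {"first": first, "last": last, "transport": None}
            continue
        if current is not None:
            t = TRANSPORT_RE.match(line)
            if t:
                current["transport"] = t.group(1).split()
    if current is not None:
        blocks.append(current)
    return blocks


def telnet_exposed(config):
    """vty ranges that still accept Telnet: 'all', 'telnet', or no
    'transport input' statement at all (IOS default is all)."""
    return [(b["first"], b["last"]) for b in parse_vty_blocks(config)
            if b["transport"] is None
            or "all" in b["transport"] or "telnet" in b["transport"]]


def local_users(config):
    """{username: privilege}; IOS assigns privilege 1 when none is given."""
    return {m.group(1): int(m.group(2)) if m.group(2) else 1
            for m in USER_RE.finditer(config)}


def audit(config):
    """Summary to compare against the account list you expect on the box."""
    users = local_users(config)
    return {
        "telnet_exposed_vty": telnet_exposed(config),
        "privilege_15_users": sorted(u for u, p in users.items() if p == 15),
        "all_users": users,
    }


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Run it against a directory of saved configs and anything with a non-empty telnet_exposed_vty list still needs the transport input change; an unexpected name in privilege_15_users is the account check from the paragraph above.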
You can read the security announcement from Cisco here.