Moscow exploiting seven-year-old Cisco flaw, says FBI | Computer Weekly
Briefly

CVE-2018-0171 is a vulnerability in the Smart Install (SMI) feature of Cisco IOS and IOS XE. It is caused by improper validation of packet data and is exploitable over TCP port 4786. On unpatched devices the flaw lets an unauthenticated remote attacker trigger a denial of service or execute arbitrary code. Threat actors linked to the Russian government have been observed collecting configuration files from thousands of end-of-life devices vulnerable to CVE-2018-0171 and modifying those configurations to gain unauthorised access. The actors used that access to conduct reconnaissance and to probe protocols and applications associated with industrial control systems. The activity is attributed to Berserk Bear (also tracked as Dragonfly), an FSB cyber unit with a history of targeting Cisco devices.
The flaw in question, tracked as CVE-2018-0171, exists in the Smart Install (SMI) feature of Cisco's Internetwork Operating System (IOS) and IOS XE. It arises from improper validation of packet data and is exploited by sending a specially crafted Smart Install message to a vulnerable device on TCP port 4786. If the device is left unpatched, the flaw enables an unauthenticated, remote attacker to cause a denial of service (DoS) condition or to achieve remote code execution (RCE). Because the Smart Install client is enabled by default on many switches and its default state does not appear in the running configuration, an unpatched device that has never been explicitly hardened should be assumed to be listening on TCP 4786; Cisco's guidance for the flaw is to disable the client with "no vstack" where it is not needed, or to restrict TCP 4786 with an access list on devices that cannot.
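Because exploitation needs nothing more than reachability of TCP 4786, the first practical question for an operator is which devices still expose the Smart Install client. The script below is an added example for this page, not code from Computer Weekly or Cisco: it audits exported IOS/IOS XE running-configs (for instance from a configuration backup repository) offline and flags devices that have neither an explicit "no vstack" nor an applied extended access list denying TCP 4786. The three sample configurations, the hostnames, the 192.0.2.0/24 addresses and the ACL name SMI_HARDENING_LIST are constructed for the example; the assumptions that the SMI client is on by default (so only an explicit "no vstack" proves it is off) and that an ACL only counts when it is applied inbound with "ip access-group" are stated in the code.

```python
"""Audit Cisco IOS / IOS XE running-configs for Smart Install (SMI) exposure,
the feature behind CVE-2018-0171 (TCP 4786).

Added example, not code from the article, Computer Weekly or Cisco. Assumptions:
  * the SMI client is enabled by default, so the only evidence that it was
    turned off is an explicit 'no vstack' line in the running-config;
  * where 'no vstack' is unsupported, exposure is mitigated by an extended ACL
    that denies TCP/4786 and is applied inbound with 'ip access-group <name> in'.
"""
import re
from dataclasses import dataclass, field

SMI_PORT = 4786  # Smart Install listener port, as stated in the article


@dataclass
class SmiFinding:
    hostname: str
    vstack_disabled: bool
    acl_blocks_smi: bool
    notes: list = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        # Either control removes the device from the attack path.
        return not (self.vstack_disabled or self.acl_blocks_smi)


def _hostname(cfg: str) -> str:
    m = re.search(r"^hostname\s+(\S+)", cfg, re.M)
    return m.group(1) if m else "unknown"


def _acls_denying_smi(cfg: str) -> set:
    """Names of extended ACLs that contain a 'deny tcp ... eq 4786' entry."""
    names, current = set(), None
    for line in cfg.splitlines():
        m = re.match(r"^ip access-list extended (\S+)", line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):  # any unindented line ends the ACL block
            current = None
            continue
        if current and re.match(rf"^\s+deny\s+tcp\s.*\beq\s+{SMI_PORT}\b", line):
            names.add(current)
    return names


def _applied_inbound_acls(cfg: str) -> set:
    return set(re.findall(r"^\s+ip access-group (\S+) in\b", cfg, re.M))


def audit_config(cfg: str) -> SmiFinding:
    vstack_off = re.search(r"^no vstack\s*$", cfg, re.M) is not None
    effective_acls = _acls_denying_smi(cfg) & _applied_inbound_acls(cfg)
    finding = SmiFinding(_hostname(cfg), vstack_off, bool(effective_acls))
    if re.search(r"^vstack\s+(director|basic)\b", cfg, re.M):
        finding.notes.append("Smart Install explicitly configured (vstack director/basic)")
    if not vstack_off and effective_acls:
        finding.notes.append("protected by ACL only; prefer 'no vstack' where supported")
    if finding.exposed:
        finding.notes.append(f"TCP/{SMI_PORT} reachable: no 'no vstack' and no applied ACL denying it")
    return finding


# Constructed sample configs (not real devices): default state, hardened, ACL-only.
VULN_CFG = """\
hostname edge-sw-01
!
interface GigabitEthernet0/1
 ip address 192.0.2.10 255.255.255.0
!
end
"""

HARDENED_CFG = """\
hostname edge-sw-02
!
no vstack
!
ip access-list extended SMI_HARDENING_LIST
 permit tcp host 192.0.2.1 host 192.0.2.20 eq 4786
 deny tcp any any eq 4786
 permit ip any any
!
interface GigabitEthernet0/1
 ip address 192.0.2.20 255.255.255.0
 ip access-group SMI_HARDENING_LIST in
!
end
"""

ACL_ONLY_CFG = HARDENED_CFG.replace("no vstack\n!\n", "").replace("edge-sw-02", "edge-sw-03")

if __name__ == "__main__":
    for cfg in (VULN_CFG, HARDENED_CFG, ACL_ONLY_CFG):
        f = audit_config(cfg)
        print(f"{f.hostname}: {'EXPOSED' if f.exposed else 'ok'} {'; '.join(f.notes)}")
```

The check is deliberately conservative: a device with no "no vstack" line is reported as exposed even if the platform happens to ship with Smart Install off, and an ACL that denies TCP 4786 but is never applied to an interface does not count. Treat the report as a worklist to confirm on the box with "show vstack config" and "show ip access-lists", not as proof of safety.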
The US authorities said the unit conducting the current spate of intrusions was likely Berserk Bear, also known as Dragonfly, a cyber unit of Russia's Federal Security Service (FSB). The group is known to have targeted networking devices, particularly those that still accept legacy protocols, and had previously developed custom malware aimed specifically at Cisco products, notably the IOS implant referred to as SYNful Knock.
Read at ComputerWeekly.com