Cisco learned of a vulnerability in its software from the CIA documents published by WikiLeaks on March 7. But the security flaw wasn't included in the problems highlighted by WikiLeaks--Cisco's security team discovered the problem themselves while digging through the "Vault 7" document trove.
The company said in a security advisory that the vulnerability could "allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges." The problem was in the Cisco Cluster Management Protocol (CMP) processing code used by the Cisco IOS and Cisco IOS XE software. Cisco provided a list of 318 products affected by the vulnerability; you can find the full list in the company's advisory.
The vulnerability resulted from two problems:
- The failure to restrict the use of CMP-specific Telnet options to only internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and
- The incorrect processing of malformed CMP-specific Telnet options.
Cisco said it plans to address the vulnerability in future software updates and that no workarounds can mitigate the problem in the meantime. But it did advise customers to switch from the Telnet protocol to SSH because "disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector." Anyone who can't do that can still "reduce the attack surface by implementing infrastructure access control lists (iACLs)."
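The two mitigations above come down to a configuration check: does any VTY line still accept Telnet, and if so, is an inbound access restriction applied? The script below is an added example, not Cisco's code and not text from the advisory. It parses the `line vty` stanzas of an IOS running-config, flags lines where Telnet is allowed (or where `transport input` is unset, since the platform default may include Telnet) and notes whether an inbound `access-class` is present. The two sample configurations are constructed for illustration; the hostname, the ACL name `MGMT-VTY` and the 10.0.0.0/24 management range are assumptions.

```python
"""Audit Cisco IOS VTY lines for Telnet exposure (added example, not Cisco's code).

Parses each `line vty` stanza from a running-config, records the allowed
transports and any inbound access-class, and returns a list of findings.
An empty list means no VTY line accepts Telnet.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class VtyRange:
    name: str                                  # e.g. "vty 0 4"
    transports: Optional[Set[str]] = None      # None = 'transport input' not set
    access_class_in: Optional[str] = None      # ACL name from 'access-class X in'


def parse_vty(config: str) -> List[VtyRange]:
    """Return one VtyRange per `line vty` stanza in an IOS-style config."""
    ranges: List[VtyRange] = []
    current: Optional[VtyRange] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        # Any non-indented line ('!', 'end', another section) closes the stanza.
        if not line.startswith(" ") and current is not None:
            ranges.append(current)
            current = None
        if re.match(r"^line vty \d+(?: \d+)?$", line):
            current = VtyRange(name=line[len("line "):])
            continue
        if current is None:
            continue
        body = line.strip()
        if body.startswith("transport input"):
            words = body.split()[2:]
            if words == ["all"]:          # 'all' includes telnet (and ssh, rlogin, ...)
                current.transports = {"telnet", "ssh"}
            elif words == ["none"]:
                current.transports = set()
            else:
                current.transports = set(words)
        elif body.startswith("access-class") and body.endswith(" in"):
            current.access_class_in = body.split()[1]
    if current is not None:
        ranges.append(current)
    return ranges


def findings(config: str) -> List[str]:
    """List VTY ranges on which Telnet is (or may be) reachable."""
    out: List[str] = []
    for r in parse_vty(config):
        if r.transports is None:
            reason = "no 'transport input' set (platform default may include telnet)"
        elif "telnet" in r.transports:
            reason = "telnet allowed"
        else:
            continue
        if r.access_class_in is None:
            reason += "; no inbound access-class"
        out.append(f"{r.name}: {reason}")
    return out


# Constructed sample: Telnet still enabled on every VTY line, no access restriction.
WEAK_CONFIG = """\
hostname core1
!
line vty 0 4
 transport input telnet ssh
!
line vty 5 15
 transport input all
!
end
"""

# Constructed sample: SSH only, with an inbound access-class limiting who may connect.
HARDENED_CONFIG = """\
hostname core1
!
ip access-list extended MGMT-VTY
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny   ip any any log
!
line vty 0 15
 access-class MGMT-VTY in
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, findings(cfg) or ["OK: no VTY line accepts telnet"])
```

The `access-class` check covers only the VTY lines themselves; the infrastructure ACLs the advisory mentions are normally applied at network ingress with `ip access-group` on interfaces, so a clean result here does not by itself confirm an iACL is in place. Because the default `transport input` varies by platform and release, an unset value is reported rather than assumed safe.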
The vulnerability was publicly disclosed on March 17. Cisco said at the time that "the Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory." That's good news, considering 10 days passed between WikiLeaks' publication of the Vault 7 documents and Cisco's advisory about a critical vulnerability that affects hundreds of products.
Other vulnerabilities have been found in the Vault 7 trove. WikiLeaks revealed that the CIA targets smartphones to work around end-to-end encrypted messaging apps, that the spy agency circumvented major antivirus software, and that the agency has shown interest in remotely hacking cars. (Three antivirus vendors named in the docs--F-Secure, Avira, and AVG--later told us that the problems have been addressed, or they downplayed their impact.)
Now it's clear that more problems are likely to be found in the Vault 7 documents--and that's just within the files WikiLeaks decided to publish. Here's what the organization said about some of the things it decided not to release:
Wikileaks has carefully reviewed the "Year Zero" disclosure and published substantive CIA documentation while avoiding the distribution of 'armed' cyberweapons until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should be analyzed, disarmed and published.
WikiLeaks also said that it "has intentionally not written up hundreds of impactful stories to encourage others to find them and so create expertise in the area for subsequent parts in the series" and that there are "very considerably more stories than there are journalists or academics who are in a position to write them." Expect more companies to find vulnerabilities (or hear about them directly from WikiLeaks) well into the foreseeable future.