Cisco Smart Install misuse

11:00am, 18 April 2018

TLP Rating: Clear

CERT NZ is aware of an active campaign targeting Cisco devices with Smart Install (SMI) enabled.

Attackers are identifying these devices by scanning for public IP addresses that have specific SMI ports open and services running. Once a device is identified, the SMI protocol is misused and an attacker is able to access and control the device.

What's happening

Systems affected

Cisco devices that have SMI enabled and are internet-accessible. These devices can be identified in a number of ways, including checking for devices with SMI port 4786 open and running.

Exploiting this protocol requires SMI to be enabled. It is prudent to work on the basis that all Cisco devices with SMI port 4786 open are affected until they are investigated.

What to do

Prevention

All affected devices need to be investigated and unnecessary services and protocols should be disabled or controlled through Access Control Lists (ACL) to prevent the device from being compromised.

Mitigation

Cisco devices that have SMI enabled should be investigated and the recommendations from Cisco should be followed as soon as possible. This includes either disabling SMI or, if SMI is required, adding an ACL on port 4786.

Review logs to identify any suspicious activity, such as commands from internet-based hosts or connections to unknown IPs.

If you think you are impacted, contact the National Cyber Security Centre (NCSC) on 04 498 7654 or info@ncsc.govt.nz.

Cisco Security Advisory

More information

If you require more information or further support, contact NCSC on 04 498 7654 or info@ncsc.govt.nz.

Details about the campaign from US-CERT

CERT NZ Critical Controls: unused services and protocols