Cisco warns of critical vulnerability in switches after discovery of CIA hacking tools
Network equipment manufacturer Cisco has found a critical vulnerability in the Vault 7 dump, which was recently published by WikiLeaks. The vulnerability affects about three hundred different Cisco switches that run IOS and IOS XE software. There is no patch yet.
The vulnerability, designated CVE-2017-3881, allows an unauthenticated attacker to remotely execute arbitrary code on the device and thus take it over. Because there is currently no patch or workaround available, the company recommends disabling access via Telnet for vulnerable switches.
Most affected switches are Catalyst series models. The vulnerability resides in the Cluster Management Protocol (CMP) code. CMP uses Telnet for communication between different devices in a cluster. However, it is possible to send a special Telnet command from outside while a session is being established.
Following the publication of the CIA files by WikiLeaks on March 7, Cisco announced that it would examine the published information for evidence of vulnerabilities in its own products. In the days following the publication, WikiLeaks said it would give tech companies access to the technical details of the hacking tools used by the CIA.
According to information from Motherboard, the organization sets conditions for providing that information, for example that there must be a patch for any vulnerabilities within 90 days. Previously, NSA hacking tools had been published by the Shadow Brokers. Among those files were also exploits that targeted Cisco equipment, including firewalls.