09-08-2024Ravie LakshmananVulnerability / Network Security

The US Cybersecurity and Infrastructure Security Agency (CISA) has revealed that cybercriminals are abusing the outdated Cisco Smart Install (SMI) feature to gain access to sensitive data.

According to the agency, attackers “obtained system configuration files by leveraging available protocols or software on devices, such as by abusing the outdated Cisco Smart Install feature.”

It also said it continues to observe weak password types used on Cisco network devices, which exposes them to password-cracking attacks. Password types refer to algorithms used to secure a Cisco device’s password in a system configuration file.

Attackers who gain access to the device in this way can easily gain access to the system’s configuration files, allowing them to further compromise the victim’s networks.

“Organizations should ensure that all passwords on network devices are stored with a sufficiently high level of security,” according to CISA, which “recommends password security type 8 for all Cisco devices to protect passwords in configuration files.”

Companies are also urged to consult the National Security Agency’s (NSA) Advisories on Smart Install Protocol Abuse and Network Infrastructure Security Guide for configuration guidance.

Other best practices include using a strong hashing algorithm to store passwords, avoiding password reuse, assigning strong and complex passwords, and refraining from using unaccountable group accounts.

The development comes as Cisco warns of the public availability of proof-of-concept (PoC) code for CVE-2024-20419 (CVSS score: 10.0), a critical flaw impacting Smart Software Manager On-Prem (Cisco SSM On-Prem) that could allow a remote, unauthenticated attacker to change any user’s password.

The networking equipment major also warned of multiple critical flaws (CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454, CVSS Scores: 9.8) in Small Business SPA300 Series and SPA500 Series IP Phones that could allow an attacker to execute arbitrary commands on the underlying operating system or cause a denial-of-service (DoS) condition.

“These vulnerabilities exist because incoming HTTP packets are not properly checked for errors, which can lead to a buffer overflow,” Cisco said in a bulletin published on August 7, 2024.

“An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to overflow an internal buffer and execute arbitrary commands with the root privilege level.”

The company said it does not plan to release software updates to fix the issues as the devices have reached the end of their lifespan, requiring users to upgrade to newer models.