Cisco Talos issued a warning that attackers are using a publicly available tool to scan customer systems searching for Cisco Smart Install clients with the intent of leveraging a known flaw to remove files or enable remote code execution.
The Talos team stated that malicious actors may be using an app called the Smart Install Exploitation Tool, which is posted on GitHub, to scan for the clients. The company believes those taking advantage of the flaw have intimate knowledge of the Smart Install protocol, which they use to obtain customer configurations from affected devices. Cisco Smart Install is a component of the Cisco Smart Operations solution that helps manage LAN switches.
“The attack leverages a known issue with the Smart Install protocol. Cisco PSIRT has published a security response to this activity. Abuse of the Smart Install protocol can lead to modification of the TFTP server setting, exfiltration of configuration files via TFTP, replacement of IOS image and potentially execution of IOS commands,” Talos reported.
Cisco does not consider this an actual vulnerability in Cisco IOS, IOS XE, or the Smart Install feature itself, but rather a misuse of the Smart Install protocol, which by design does not require authentication. The company has updated the Smart Install Configuration Guide to include best security practices.