Security Experts:

Cisco Finds Zero-Day Vulnerability in 'Vault 7' Leak

Cisco has warned customers that the Vault 7 files obtained by WikILeaks contain information on a critical vulnerability affecting many of the company’s switches. Patches are not available, but Cisco has provided some mitigation advice.

The Vault 7 leak allegedly contains information on the CIA’s hacking capabilities, including exploits targeting mobile devices, desktop systems, networking equipment and IoT devices. Some of the tools also appear to target the products of cybersecurity companies, but an initial investigation showed that many of the exploited vulnerabilities were patched several years ago.

An initial analysis conducted by Cisco revealed the existence of malware targeting various routers and switches. This malware, designed to evade detection and ensure that it would not cause the compromised device to crash, is capable of collecting and exfiltrating data, executing commands, and manipulating web traffic.

On Friday, Cisco reported that its investigation also revealed the existence of a zero-day vulnerability affecting the Cluster Management Protocol (CMP) processing code of its IOS and IOS XE software.

The flaw, tracked as CVE-2017-3881, allows a remote, unauthenticated attacker to cause affected switches to reload or execute arbitrary code with elevated privileges and gain full control of the device. The security hole can be exploited via Telnet.

Cisco’s analysis showed that the zero-day affects over 300 switches and modules, including Catalyst, Embedded Service, IE and ME switches, and RF Gateway 10 devices. Some of the affected models are no longer sold and supported.

Until patches become available, customers have been advised to consider disabling the Telnet protocol for incoming connections and use only SSH. If disabling Telnet is not possible, users can reduce the attack surface via access control lists (ACLs).

Cisco has made available an online tool to help users determine if their IOS and IOS XE software is affected by the zero-day.

The networking giant said it was not aware of any attacks exploiting this vulnerability. WikiLeaks did say on Twitter that the “CIA was secretly exploiting” the flaw, but it’s unclear if the whistleblower organization has any evidence or if it’s just an assumption.

WikiLeaks has not made public any actual tools or exploits, but it has promised to provide detailed information to tech companies. However, the organization wants firms to agree to certain conditions, including a responsible disclosure policy that appears to be inspired by Google’s policy.

According to WikiLeaks, only Mozilla has been provided information on the vulnerabilities in the Vault 7 leak, while “Google and some other companies” only confirmed receiving the initial notification. WikiLeaks says “most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies.” WikiLeaks could soon release information on company responsiveness.

The CIA has neither confirmed nor denied the authenticity of the leaked files, but the intelligence agency has assured the public that it’s not conducting electronic surveillance on people in the U.S.

The White House has warned that there could be legal repercussions for companies using the information obtained by WikiLeaks as classified files remain classified even if they are made public.

Related: Apple, Google Say Users Protected Against CIA Exploits

Related: "Vault 7" Leak Shows CIA Learned From NSA Mistakes

Related: Industry Reactions to CIA Hacking Tools

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.