Could your SMI service open you up to attacks?
Scanner tools are good for obtaining copious amounts of information about network-exposed systems and their open ports, but the results still need interpreting by skilled testers, and the devil is in the detail.
Even informational items can be gold dust for hackers. Indeed, what may seem benign can hide a number of risks. One example is Smart Install (also known as SMI): a service that is displayed as an informational item, or at most flagged as an open port, during infrastructure scans and is therefore easily overlooked. This service appears benign, but it could lead to a complete compromise of Cisco switching infrastructure.
This SMI service was developed to make it easy to manage and maintain Cisco switches, with both plug and play configurations and image management features. Switches using SMI can be deployed easily into existing networks with supported devices acting as clients to a director switch or router, which handles configuration deployment.
The service is commonly seen on TCP port 4786, and in many networks, this port is left open for all to see. The feature is often on by default, although more recent patches can help to mitigate this by disabling the feature if it is not in use. The feature also has a history of vulnerabilities including remote code execution, denial of service, and information disclosure.
Depending on the IOS version and the devices in use, the SMI service can be misused to perform the following attacks:
- Substitute the configuration file
- Execute high-privilege commands
- Obtain IOS configurations which can include passwords, routing information, access control information and so on
- Cause denial of service
- Conduct a remote code execution attack
These vulnerabilities can go unnoticed for years, as switch infrastructure is not always regularly reviewed, leaving it vulnerable to crippling attacks.
Identification of vulnerable systems is essential, so it is recommended that regular testing of networks and configurations is conducted to ensure that any weaknesses are identified. Cisco also has an IOS software checker which can help to identify vulnerable systems.
- If it's not used, disable the SMI service.
- Maintain licensing and good links with vendors in order to obtain patches.
- Cisco has released free updates for issues relating to SMI.
- Implement a good patching regime to check for, review, and install patches when they become available.
- Ensure that any SMI ports are controlled by access control lists, firewall rules, or on separate VLANs. Avoid flat networks wherever possible.
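As an added example (not from the original post, and not a Cisco tool), the script below audits a saved IOS running-config for the two mitigations above. It assumes that `no vstack` is the global IOS command that disables SMI (the feature is on by default and absent from the config when enabled) and that an extended ACL entry matching TCP 4786 is what filters the port; both sample configs are constructed.

```python
"""Audit a Cisco IOS running-config for Smart Install (SMI) exposure.

Constructed example. Assumptions: SMI is disabled by the global command
`no vstack` (enabled by default, so nothing appears in the config when it
is on), and an extended ACL entry matching TCP port 4786 filters SMI.
"""
import re

SMI_PORT = 4786
# Matches ACL entries such as "deny tcp any any eq 4786" (indentation stripped).
ACL_RE = re.compile(rf"^(permit|deny)\s+tcp\s+.*\beq\s+{SMI_PORT}\b")


def audit_smi(running_config: str) -> dict:
    """Return whether SMI is disabled, whether TCP 4786 is filtered, and findings."""
    lines = [line.strip() for line in running_config.splitlines()]
    smi_disabled = any(line == "no vstack" for line in lines)
    acl_entries = [line for line in lines if ACL_RE.match(line)]
    filtered = any(line.startswith("deny") for line in acl_entries)

    findings = []
    if not smi_disabled:
        findings.append("Smart Install enabled: 'no vstack' not present")
        if not filtered:
            findings.append(f"TCP {SMI_PORT} not filtered by any extended ACL")
    return {"smi_disabled": smi_disabled, "acl_filters_4786": filtered,
            "findings": findings}


# Constructed sample: default state, SMI on and the port reachable by anyone.
WEAK_CONFIG = """
hostname access-sw01
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
end
"""

# Constructed sample: SMI disabled and 4786 denied on the management SVI.
HARDENED_CONFIG = """
hostname access-sw01
!
no vstack
!
ip access-list extended MGMT-IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 deny tcp any any eq 4786
 deny ip any any
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
 ip access-group MGMT-IN in
!
end
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_smi(cfg)["findings"] or ["no SMI findings"])
```

Run it against `show running-config` output collected from each switch; an empty findings list means SMI is off or, failing that, filtered.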
List of devices supporting SMI: https://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/supported_devices.html#51890
Recent advisories: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180409-smi
Cisco IOS software checker: https://tools.cisco.com/security/center/softwarechecker.x