Information Technology News.


Cisco is offended at accusations that its SMI protocol is easy to abuse


February 15, 2017

Cisco is unhappy with the various accusations that its Smart Install (SMI) protocol is vulnerable to abuse in the field, and has given the industry a rebuttal.

The issue (if there is one, because “it's a feature, not a bug,” according to Cisco) is that system and networking admins who use SMI to auto-configure Cisco switches installed in branch offices still need to know that it doesn't enforce authentication.

For example, a potential attacker could change the startup-config file and then do nasty things such as force a reload, change the IOS image, or execute specific privileged commands.

As Cisco says in its advisory: “We do not consider this a security vulnerability in Cisco IOS, IOS XE, or the Smart Install feature itself but a misuse of the Smart Install protocol, which does not require authentication by design.”

Cisco's explanation is that SMI isn't meant for day-to-day use: it's simply there to support network administrators who want to ship a switch to a branch office, and have an Integrated Branch Director (in a router) push configuration to it. That's it.

“The director itself provides a single management point for images and configuration of client switches. When a client switch is first installed into the network, the director automatically detects the new switch and identifies the correct Cisco IOS image. Then the configuration file is downloaded. It can also allocate an IP address and hostname to a client if needed,” Cisco tells users.

Naturally, if you're not using SMI, the advice from Cisco is to turn it off. If you're using it for zero-touch deployment, turn it off once the switch is live. Likewise, if you want to leave it enabled after the install, use access control lists and (if available) control plane policing to improve overall security.
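To check a fleet against that advice, the following added example (not from Cisco or from this article) classifies saved switch configurations by Smart Install exposure. It assumes the feature is turned off with the global `no vstack` command, listens on TCP port 4786, and is on by default when `no vstack` is absent; the sample configs, addresses and function names are constructed for illustration, and control plane policing is not checked.

```python
import re

SMI_PORT = "4786"  # assumption: Smart Install TCP port (not stated in the article)

# Constructed sample running-configs, not taken from real devices.
SAMPLE_CONFIGS = {
    "branch-sw1": "hostname branch-sw1\nno vstack\n",
    "branch-sw2": "hostname branch-sw2\nvstack director 10.10.10.1\n",
    "branch-sw3": (
        "hostname branch-sw3\n"
        "vstack director 10.10.10.1\n"
        "ip access-list extended SMI_HARDENING_LIST\n"
        " permit tcp host 10.10.10.1 host 10.10.10.200 eq 4786\n"
        " deny tcp any any eq 4786\n"
        " permit ip any any\n"
        "interface Vlan1\n"
        " ip access-group SMI_HARDENING_LIST in\n"
    ),
}


def audit_smart_install(config: str) -> str:
    """Classify a running-config as 'disabled', 'restricted' or 'exposed'."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    # A global 'no vstack' means the feature has been turned off.
    if any(ln == "no vstack" for ln in lines):
        return "disabled"
    # Collect extended ACLs that deny TCP/4786 from any source.
    acl, denying = None, set()
    for ln in lines:
        m = re.match(r"ip access-list extended (\S+)", ln)
        if m:
            acl = m.group(1)
        elif not ln.startswith(" "):
            acl = None  # left the ACL block
        elif acl and re.match(rf"\s+deny\s+tcp any any eq {SMI_PORT}$", ln):
            denying.add(acl)
    # An ACL only helps if it is applied inbound on an interface.
    applied = {m.group(1) for ln in lines
               if (m := re.match(r"\s+ip access-group (\S+) in$", ln))}
    return "restricted" if denying & applied else "exposed"


def audit_all(configs: dict) -> dict:
    """Map each device name to its Smart Install verdict."""
    return {name: audit_smart_install(text) for name, text in configs.items()}


if __name__ == "__main__":
    for name, verdict in audit_all(SAMPLE_CONFIGS).items():
        print(f"{name}: {verdict}")
```

A "restricted" verdict only means a deny rule for the port is applied inbound somewhere; whether the permitted sources are limited to the director still needs a manual look.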

Case closed. That Cisco would be a bit offended at what just happened is perfectly understandable. This isn't the first time such things have happened in the IT industry, and it sure won't be the last. Other networking equipment makers have been there as well with similar misunderstandings. We'll keep you updated.

Source: Cisco.

