Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

Cisco Finds Zero-Day Vulnerability in ‘Vault 7’ Leak

Cisco has warned customers that the Vault 7 files obtained by WikILeaks contain information on a critical vulnerability affecting many of the company’s switches. Patches are not available, but Cisco has provided some mitigation advice.

Cisco has warned customers that the Vault 7 files obtained by WikILeaks contain information on a critical vulnerability affecting many of the company’s switches. Patches are not available, but Cisco has provided some mitigation advice.

The Vault 7 leak allegedly contains information on the CIA’s hacking capabilities, including exploits targeting mobile devices, desktop systems, networking equipment and IoT devices. Some of the tools also appear to target the products of cybersecurity companies, but an initial investigation showed that many of the exploited vulnerabilities were patched several years ago.

An initial analysis conducted by Cisco revealed the existence of malware targeting various routers and switches. This malware, designed to evade detection and ensure that it would not cause the compromised device to crash, is capable of collecting and exfiltrating data, executing commands, and manipulating web traffic.

On Friday, Cisco reported that its investigation also revealed the existence of a zero-day vulnerability affecting the Cluster Management Protocol (CMP) processing code of its IOS and IOS XE software.

The flaw, tracked as CVE-2017-3881, allows a remote, unauthenticated attacker to cause affected switches to reload or execute arbitrary code with elevated privileges and gain full control of the device. The security hole can be exploited via Telnet.

Cisco’s analysis showed that the zero-day affects over 300 switches and modules, including Catalyst, Embedded Service, IE and ME switches, and RF Gateway 10 devices. Some of the affected models are no longer sold and supported.

Until patches become available, customers have been advised to consider disabling the Telnet protocol for incoming connections and use only SSH. If disabling Telnet is not possible, users can reduce the attack surface via access control lists (ACLs).

Cisco has made available an online tool to help users determine if their IOS and IOS XE software is affected by the zero-day.

The networking giant said it was not aware of any attacks exploiting this vulnerability. WikiLeaks did say on Twitter that the “CIA was secretly exploiting” the flaw, but it’s unclear if the whistleblower organization has any evidence or if it’s just an assumption.

WikiLeaks has not made public any actual tools or exploits, but it has promised to provide detailed information to tech companies. However, the organization wants firms to agree to certain conditions, including a responsible disclosure policy that appears to be inspired by Google’s policy.

According to WikiLeaks, only Mozilla has been provided information on the vulnerabilities in the Vault 7 leak, while “Google and some other companies” only confirmed receiving the initial notification. WikiLeaks says “most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies.” WikiLeaks could soon release information on company responsiveness.

The CIA has neither confirmed nor denied the authenticity of the leaked files, but the intelligence agency has assured the public that it’s not conducting electronic surveillance on people in the U.S.

The White House has warned that there could be legal repercussions for companies using the information obtained by WikiLeaks as classified files remain classified even if they are made public.

Related: Apple, Google Say Users Protected Against CIA Exploits

Related: “Vault 7” Leak Shows CIA Learned From NSA Mistakes

Related: Industry Reactions to CIA Hacking Tools

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.