The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about cyber threat actors exploiting the legacy Cisco Smart Install (SMI) feature to gain unauthorized access to sensitive data.
CISA reports that attackers are leveraging this outdated Cisco feature to acquire system configuration files through available protocols or software on affected devices. Additionally, the agency continues to observe the use of weak password algorithms on Cisco network devices, which leaves them vulnerable to password-cracking attacks. Ensuring strong, secure passwords and disabling legacy features like Cisco Smart Install are critical for network security.
Once threat actors gain access to a device through this method, they can easily retrieve system configuration files, potentially leading to a deeper compromise of the entire network.
CISA advises that organizations must ensure all network device passwords are stored with robust security measures. The agency recommends using ‘type 8’ password protection for Cisco devices to safeguard passwords within configuration files and strengthen overall network security.
Enterprises are also being urged to review the National Security Agency’s (NSA) Smart Install Protocol Misuse advisory and the Network Infrastructure Security Guide for detailed configuration guidance.
Key best practices recommended include using a strong hashing algorithm for password storage, avoiding password reuse, setting strong and complex passwords, and avoiding the use of group accounts that lack individual accountability.
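As an added illustration of the two hardening points above (this is example code, not from CISA, the NSA or Cisco), the Python below audits an IOS configuration export for credential lines stored with weak password types and for a Smart Install client that has not been disabled. It assumes the standard IOS syntax `enable secret <type> <hash>` / `username <name> [privilege N] secret|password <type> <value>` and the `no vstack` command that turns the Smart Install client off; the sample configuration lines and hash strings are constructed placeholders.

```python
import re

# Cisco IOS credential "types" name the storage scheme: 0 plaintext, 7 reversible,
# 4 deprecated, 5 MD5-based (fast to crack); CISA recommends type 8 (PBKDF2-SHA-256).
WEAK = {"0": "plaintext (type 0)", "7": "reversible Vigenere (type 7)",
        "4": "deprecated SHA-256 (type 4)", "5": "MD5-based (type 5)"}
STRONG = {"8", "9"}          # type 9 (scrypt) is also acceptable

# Matches 'enable secret 5 $1$...', 'username ops privilege 15 password 7 ...' and an
# untyped 'enable password letmein' (no type digit means the value is in the clear).
CRED_RE = re.compile(
    r"^\s*(?P<cmd>enable\s+(?:secret|password)|"
    r"username\s+\S+(?:\s+privilege\s+\d+)?\s+(?:secret|password))"
    r"\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$")

def audit_ios_config(config: str) -> dict:
    """Return weak-credential findings and whether the Smart Install client is off."""
    findings = []
    smart_install_disabled = False
    for lineno, line in enumerate(config.splitlines(), 1):
        if line.strip() == "no vstack":        # 'no vstack' turns the SMI client off
            smart_install_disabled = True
            continue
        m = CRED_RE.match(line)
        if not m:
            continue
        ptype = m.group("type") or "0"
        keyword = m.group("cmd").split()[0]    # 'enable' or 'username'
        if ptype in WEAK:
            findings.append((lineno, keyword, f"stored as {WEAK[ptype]}; re-enter it "
                             "with 'algorithm-type sha256 secret' to get a type 8 hash"))
        elif ptype not in STRONG:
            findings.append((lineno, keyword, f"unrecognised password type {ptype}"))
    if not smart_install_disabled:
        findings.append((0, "vstack", "Smart Install client not disabled; add 'no vstack'"))
    return {"smart_install_disabled": smart_install_disabled, "findings": findings}

# Constructed sample configs; the hash strings are placeholders, not real digests.
WEAK_CONFIG = """\
enable secret 5 $1$FAKESALT$FAKEMD5DIGESTVALUE000000
username ops privilege 15 password 7 0822455D0A16
username audit secret 8 $8$FAKESALT$FAKEPBKDF2DIGESTVALUE0000000000000000
"""
HARDENED_CONFIG = """\
no vstack
enable secret 8 $8$FAKESALT$FAKEPBKDF2DIGESTVALUE0000000000000000
username ops privilege 15 secret 8 $8$FAKESALT$FAKEPBKDF2DIGESTVALUE0000000000000001
username audit secret 9 $9$FAKESALT$FAKESCRYPTDIGESTVALUE000000000000000000
"""
```

Running `audit_ios_config(WEAK_CONFIG)` reports the type 5 enable secret, the type 7 user password and the missing `no vstack`, while `HARDENED_CONFIG` produces no findings.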
This advisory follows Cisco’s warning about the public release of a proof-of-concept (PoC) exploit for CVE-2024-20419 (CVSS score: 10.0), a critical vulnerability in the Smart Software Manager On-Prem (Cisco SSM On-Prem) that could allow a remote, unauthenticated attacker to change any user’s password.
Cisco has also highlighted several critical vulnerabilities (CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454, CVSS scores: 9.8) in Small Business SPA300 Series and SPA500 Series IP Phones, which could enable attackers to execute arbitrary commands on the operating system or trigger a denial-of-service (DoS) condition.