Gee, what a surprise.
Not.
I never get tired of saying it, so how's that cloud thing working for ya?
Remember that critical zero-day bug Cisco disclosed yesterday? Well, it gets worse. It now appears "thousands" of the networking giant's switches and routers have already been compromised by criminals that exploited the authentication bypass flaw and installed implants. This, according to security shop VulnCheck chief …
In fairness to "the cloud," this appears to be a straight-up security error in Cisco's software running on their physical hardware (routers, switches, etc.). In principle, one would be safer in the cloud, assuming that the cloud vendor is not also running affected Cisco equipment.
What's more surprising to me is that anyone is running the Web interface facing the Internet or untrusted networks. Every network admin worth his/her salt ought to have access from the outside world locked down nine ways from Sunday, which to me means disabling remote Web management.
Did we read the same article? Or do you (and those other down-votes) work for Cisco?
Thousands of failure points. Breaches already happened. Not even Cisco's first few dozen times this has happened. I'm pretty sure I did not imagine those words. Oh wait, there they are right there in black and white.
Oh ho ha, you almost had me going there for about an... attosecond. Yep, right there in black and white.
Take the piss somewhere else. An admin worth their salt would not accept junk hardware not fit for purpose to begin with. Yet here we are.
Exactly this.
Starting point for the base config on any Cisco device - disable telnet, enable SSH, set local authentication (preferably RADIUS/TACACS), configure an access class on the management interface so only trusted management network IP addresses can log in via SSH/SNMP, configure audit logging, make sure you're running a recent IOS that isn't riddled with bugs or holes. This is the way it's been for the last two decades if not longer.
The web server (ip http server / ip http secure-server) has been disabled by default on every Cisco device I've ever deployed; you've got to go out of your way to enable it (either by command or during initial setup). It doesn't give you anywhere near the full control you get via the command line, so it's pretty much impossible to properly secure a Cisco device using the GUI. The only people I've ever seen use it are those who aren't experienced/comfortable with Cisco devices or their CLI.
I'm always bewildered when people get pwned by this stuff.
With network kit the management should only be configured on specific interfaces with a very specific ACL. The first thing about protecting against authentication bypass vulns is don't let anybody have access to your management interface.
For preference you want OOB management only and that on a private MPLS.
Obviously that's not absolutely fool proof but every little helps. If you just stick management on SSH on the WAN interface of your router then your only protection is the authentication on your router.
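The baseline described in the two posts above (web server off, telnet off, SSHv2 only, central AAA, an access-class on the vty lines, off-box logging) is easy to state and easy to drift away from. As an added example, not from the article or from Cisco, here is a small audit script that checks the text of a `show running-config` against that baseline. Both configs are constructed samples; the hostname, the 10.10.0.0/24 management network, the ACL name MGMT-ONLY and the syslog host 10.10.0.50 are made-up placeholders. The "hardened" sample is also the configuration the posts are recommending, written out in IOS syntax.

```python
"""Audit Cisco IOS / IOS-XE running-config text against a management baseline.

Added example (not from the article or Cisco). Input is the plain text of
'show running-config'; sub-commands are recognised by their leading space.
"""

# Constructed sample: web UI on, telnet allowed, no ACL, no AAA, no logging.
WEAK_CONFIG = """\
hostname edge-rtr
!
ip http server
ip http secure-server
!
line vty 0 4
 login local
 transport input telnet ssh
!
end
"""

# Constructed sample: the same box after applying the baseline from the thread.
# 10.10.0.0/24, MGMT-ONLY and 10.10.0.50 are placeholder values.
HARDENED_CONFIG = """\
hostname edge-rtr
!
aaa new-model
aaa authentication login default group tacacs+ local
!
no ip http server
no ip http secure-server
ip ssh version 2
!
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.0.255
 deny   any log
!
logging host 10.10.0.50
logging trap informational
!
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
!
end
"""


def parse_blocks(config):
    """Return [(top_level_command, [sub_commands])] in config order.

    IOS indents sub-commands by one space; '!' and blank lines are separators.
    """
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Return a list of human-readable findings; an empty list means clean."""
    blocks = parse_blocks(config)
    top = {cmd for cmd, _ in blocks}
    findings = []

    # Web management: the positive form means it is on; 'no ip http server'
    # is a different string and correctly does not match.
    for svc in ("ip http server", "ip http secure-server"):
        if svc in top:
            findings.append(f"{svc} enabled: web UI reachable, disable it (no {svc})")

    if "aaa new-model" not in top:
        findings.append("aaa new-model missing: no central (TACACS+/RADIUS) authentication")

    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 missing: SSHv1 may be negotiated")

    if not any(cmd.startswith("logging host ") for cmd in top):
        findings.append("logging host missing: no off-box audit trail")

    # Every vty block must be SSH-only and fenced by an inbound access-class.
    for cmd, subs in blocks:
        if not cmd.startswith("line vty"):
            continue
        transports = next(
            (s.split()[2:] for s in subs if s.startswith("transport input ")), None
        )
        if transports is None:
            findings.append(f"{cmd}: transport input not set explicitly, set it to ssh only")
        elif transports != ["ssh"]:
            findings.append(
                f"{cmd}: transport input {' '.join(transports)}, restrict to ssh only"
            )
        if not any(s.startswith("access-class ") and s.endswith(" in") for s in subs):
            findings.append(
                f"{cmd}: no inbound access-class, any source IP can reach the login prompt"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit(cfg) or ["clean"]:
            print(" ", f)
```

The checks are string matches against the running-config, so they do not know about defaults that differ between IOS trains (for example which transports a vty line accepts when `transport input` is absent); treat an absent line as a finding and set it explicitly. None of this stops an authentication bypass in the web server, which is the point made above: the access-class and the disabled HTTP server are what keep an attacker from reaching the vulnerable code at all.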
One problem I did find with Cisco lately is they've paired their IOS XE switch with a wireless controller that has a web interface, and clients want to be able to use said web interface. I think it's the 9500 series switch. Mind you, there is no justification for a wireless controller to be internet facing in the first place; if you're going to buy a $20k+ switch and add that controller, you should be securing it behind a proper firewall. And lock down the management access via ACLs.
For the Office Extend feature that has remote WAPs connecting to the WLC over the Internet, it's going to be internet facing. The web interface isn't required to be accessible for OEAP, but the CAPWAP port certainly does need to be. Ideally you'd lock that port down to known IPs, but the way that feature is designed it's probably not always possible. IOS-XE underpins the dedicated 9800 WLCs too now.