Wikileaks’ CIA dump plugs massive Cisco security hole

by Steve Blum

If you look into the core of the Internet or just in a typical corporate or institutional data center, you’ll see rack after rack loaded with switches, routers and other gear made by Cisco. A vulnerability in even one of their products can leave a lot of networks and data open to attack. So you might come to the conclusion that spotting that kind of flaw and fixing it as quickly as possible is a matter of national security.

You’d be wrong.

It turns out that more than three hundred Cisco devices can be breached via a cracking technique used by the Central Intelligence Agency and revealed in a massive document dump by Wikileaks. Company researchers have concluded that

  • Malware exists that seems to target different types and families of Cisco devices, including multiple router and switch families.
  • The malware, once installed on a Cisco device, seems to provide a range of capabilities: data collection, data exfiltration, command execution with administrative privileges (and without any logging of such commands ever being executed), HTML traffic redirection, manipulation and modification (insertion of HTML code on web pages), DNS poisoning, covert tunneling and others.
  • The authors have spent a significant amount of time making sure the tools, once installed, attempt to remain hidden from detection and forensic analysis on the device itself.
  • It would also seem the malware author spends a significant amount of resources on quality assurance testing – in order, it seems, to make sure that once installed the malware will not cause the device to crash or misbehave.

There’s a quick way to block it – disable telnet, an ancient and insecure communications protocol – but a permanent fix has yet to be released.
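The stopgap above amounts to a configuration check: on a Cisco IOS or IOS XE device, Telnet is accepted on the VTY lines unless `transport input` under each `line vty` block restricts the line to SSH. The following script is an added example, not code from the original post or from Cisco; it parses the text of a `show running-config` and reports the VTY ranges that would still answer a Telnet connection. The two sample configurations embedded in it are constructed for illustration, and the hostname and line ranges in them are placeholders.

```python
"""Report VTY lines in a Cisco IOS / IOS XE running-config that still accept Telnet.

Added example (not from the original post). Assumes the standard IOS
`line vty <first> [<last>]` / `transport input <protocols>` syntax as printed
by `show running-config`. Sample configs below are constructed.
"""
import re

# Constructed sample: the weak state, Telnet still allowed on every VTY line.
WEAK_CONFIG = """\
hostname core-sw-1
!
line con 0
 logging synchronous
line vty 0 4
 transport input all
line vty 5 15
 transport input telnet ssh
!
end
"""

# Constructed sample: the mitigation the post describes, SSH only.
HARDENED_CONFIG = """\
hostname core-sw-1
!
line con 0
 logging synchronous
line vty 0 15
 transport input ssh
!
end
"""

# Matches a top-level `line <type> <first> [<last>]` statement.
LINE_RE = re.compile(r"^line (\S+) (\d+)(?: (\d+))?$")


def parse_line_blocks(config):
    """Return (line_type, first, last, [sub-commands]) for each `line ...` block.

    IOS indents the commands belonging to a line block by one space; any
    unindented statement (another `line`, `!`, `end`, ...) closes the block.
    """
    blocks = []
    current = None
    for raw in config.splitlines():
        if raw.startswith(" "):
            if current is not None:
                current[3].append(raw.strip())
            continue
        m = LINE_RE.match(raw.strip())
        if m:
            ltype, first, last = m.group(1), int(m.group(2)), m.group(3)
            current = (ltype, first, int(last) if last else first, [])
            blocks.append(current)
        else:
            current = None
    return blocks


def vty_lines_allowing_telnet(config):
    """Return (first, last, reason) for each VTY range on which Telnet is not ruled out.

    A missing `transport input` statement is reported too: the default is
    platform and release dependent, so it must be reviewed rather than trusted.
    """
    findings = []
    for ltype, first, last, cmds in parse_line_blocks(config):
        if ltype != "vty":
            continue
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            findings.append((first, last, "no transport input statement; default is version dependent"))
            continue
        protocols = transport.split()[2:]
        if "all" in protocols or "telnet" in protocols:
            findings.append((first, last, transport))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, vty_lines_allowing_telnet(cfg))
```

Run it against the saved output of `show running-config` from each device in inventory; an empty result for a device means every VTY block is explicitly limited to SSH, which is the state the post's stopgap asks for until a patched image is installed.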

Generally, there are two ways the CIA could have obtained this exploit: either it was developed internally or it was purchased on the black market. If the former, it could have been duplicated by anyone with sufficient skill. If the latter, it means the CIA knew that broad swathes of the world’s IT infrastructure was exposed to anyone with deep enough pockets. In either case, its first duty should have been to plug the hole, and not sit on it until its own firewall was breached.