Iran’s 3,500 Switches Attacked – Cisco IOS/IOS XE Remote Code Execution Vulnerability CVE-2018-0171 Exploitation

Iran’s 3,500 Switches Attacked – Cisco IOS/IOS XE Remote Code Execution Vulnerability CVE-2018-0171 Exploitation

abril 12, 2018 | NSFOCUS

News from The Iran Project, the Iranian cyber police confirmed Friday night that the country’s data center was attacked. The attack involved Iran 3500 switches, but the official in the country emphasized that the attack didn’t lead to sensitive data leakage. From description, the suspected attacker exploited the Cisco IOS / IOS XE remote code execution vulnerability-2018-0171 CVE, while Cisco said, on a global range more than 8.5 million switches are potential attack targets, hence more than 160,000 systems may be affected.

The Attack Hasn’t Caused Data Leakage. Problem Has Been Solved, Said Iran Official

Ali Nickelneuve, director of Iran Cyber ​​Police (FATA) Center for Detection and Prevention, said on Saturday

“No abnormal data access and leaks were caused. The problem has been resolved.”

He added that when starting to work on Saturday morning, all Iranian companies or organizations will face some confusion and anomalies in their networks, and they should take immediate actions to eliminate these problems.

Cisco IOS / IOS XE remote code execution vulnerability CVE-2018-0171 exploit highly suspected. TCP port 4786 needs attention

Cisco issued an alert in February 2017 saying that Smart Install Clients that were not turned off or did not have proper security controls configured had increased the frequency of scanning the Internet. Hackers can send new commands to switches running Cisco IOS or IOS XE network operating systems.

By exploiting the vulnerability, hackers can target attacks towards critical infrastructure of a number of countries, including Iran. According to the report, due to the problems in the data centers of major Internet service providers such as Afranet, Shatel, Sabanet, etc., Many Iran’s important services and websites were out of service last night.

According to “the guardian”, Iranian IT Minister Mohammad Javad Azari-Jahromi posted on Twitter with a snapshot of a PC screen displaying a US flag along with hackers’information. He said it is still not clear who carried out the attack. According to a state television report, Azali Jahumi stated that the attack mainly affected Europe, India and the United States.

Azari-Jahromi said:“Approximately 55,000 devices in the United States have been affected. With 14,000 devices in our country affected, the Iran’s total affected devices is at 2%.”


It is said that 8.5 million switches worldwide may be attacked, leading to 160,000 systems being potentially affected

On March 29, Cisco warned that at least 8.5 million switches were under attack, and as many as 168,000 systems in the world might be affected by this vulnerability.

According to Cisco Talos researchers, attackers are exploiting the “protocol abuse”vulnerability in the Cisco Smart Installation Client to get access to critical infrastructure providers. In the week following Cisco’s announcement, Cisco released a Smart Installation Client (a tool for rapid deployment of new switches) threat notification.

According to Cisco, an organization can determine if a device is affected by a smart installation issue by running the command “show vstack config”, which will show if the smart installation client is active.

The easiest way to mitigate this problem is to run the command “no vstack” on the affected devices. If this is not feasible, the best option is to use access control list on the APIs to restrict access.