A Mass Attack On Cisco By Using The Protocol Of Smart Client Installer

A Mass Attack On Cisco Main Logo

A Mass Attack On Cisco By Using The Protocol Of Smart Client Installer

Cisco recently learned of some of the hacker groups that Cisco switches chose to target, using the problem of misuse of the protocol in the Cisco Smart Install Client.

  • Several incidents in different countries, including some related to critical infrastructure, have been associated with improper use of the Smart Install protocol.

Some experts believe that a number of attacks are associated with hackers who are in the service of the state. As a result, we take an active position and call on customers, again, to assess risks and apply methods for neutralizing risks.

  • On February 14, 2017 (yes, there are no errors, it’s about 2017), the Cisco Security Incident Response Team (PSIRT) published a bulletin describing the results of the active scan associated with Cisco Smart Install clients.

The Cisco Smart Install Client software is an obsolete utility designed to remotely configure new Cisco equipment, in particular, Cisco switches. In the sequel, Cisco Talos published a note in the blog and release of the open source tool that scans devices using the Cisco Smart Install protocol. In addition to the above signature for the system, Snort attacks (SID: 41722-41725), allowing to detect any attempts to use this technology.

The Cisco Smart Install protocol can be used to change TFTP server settings, export TFTP files, change configuration files, replace the IOS network image and configure accounts that enable IOS commands. Although this is not a vulnerability in the classical sense, the misuse of this protocol can serve as an attack vector, which should be immediately neutralized.

  • During late 2017 and early 2018, Talos watched as criminals tried to scan customers using this vulnerability. Recent information has raised the urgency of this problem and we decided to return to it again.

Despite the fact that Cisco Smart Install, has recently been disclosed and fixed another vulnerability in the Cisco Smart Install Client. This vulnerability was discussed publicly, and a code was issued with evidence of the possibility of intervention (PoC). To address the problem of protocol misuse, clients must also address this vulnerability by installing the appropriate update.


As part of the Cisco Talos study, we began to study how many devices are potentially vulnerable to this attack. The results were extremely disturbing. Using Shodan, Talos was able to determine that more than 168,000 systems could potentially be detected via the Cisco Internet Install Client.

A Mass Attack On Cisco Photo 1

This is better than the results of 2016 when one of Tenable’s employees reported 251,000 vulnerable Cisco Smart Install Client clients “visible” from the Internet. There may be differences in the methodology for scanning Cisco Talos and Tenable, but we expect a significant reduction in the number of available devices for the attack.

In addition, although there has been a drop in scanning volumes since our initial bulletin, Talos has seen a sharp increase in scanning attempts for the Cisco Smart Install Client around November 9, 2017.


You can determine if you have a Cisco Smart Install Client on the switch. Running the show vstack config command will allow you to determine whether the Smart Install Client is active. Below is an example of such a command with a response to it:

switch # show vstack config | inc Role
Role: Client (SmartInstall enabled)

  • Additional features of the active Cisco Smart Install Client can be present if level 6 registration (informational) or higher is enabled. These event logs can include but are not limited to, TFTP writes operations, command execution, and device reboots.

The easiest way to neutralize this problem is to run the no vstack command on the vulnerable device. If for some reason this option is not available to the client, the best option is to restrict access through the ACL for the interface, an example of which is shown below:

ip access-list extended SMI_HARDENING_LIST
permit tcp host host eq 4786
deny tcp any any eq 4786
permit ip any any

This type of ACL allows only the nodes shown above access to the Smart Install Client, which greatly limits the ability to implement the attack. In addition, our intrusion prevention systems (IPS) have signatures that allow us to determine whether an impact on the Smart Install Client is being carried out or not.


For this and other issues, it is important to remember Cisco’s commitment to supporting affected customers. All customers, regardless of the status of the support contract, receive free incident assistance as well as the assistance offered to contract customers for any incident involving known or reasonably suspicious security vulnerabilities in the Cisco product. If you encounter an incident with a Cisco product, contact the Cisco Technical Support Center (TAC)


To ensure security and perimeter control, network administrators need to be particularly vigilant. It is easy to “install and forget” network devices because they are usually very stable and rarely change. Suffice it to recall the results of our last year’s annual cybersecurity report, in which we demonstrated the results of our study proving that the average time for customers to stay out of vulnerabilities in network and server equipment and software averages about five years.

Combine this with the advantages that the attacker has when gaining access and intercepting the management of the network device and you will realize that routers and switches are becoming very tempting targets for intruders. Especially when it comes to devices on the perimeter of an organization or a telecom operator.

Watching the active use of this vector by cybercriminals, Cisco strongly recommends that all customers revise their architecture, use Talos tools to scan their network and remove the Cisco Smart Install Client from all devices where it is not being used.