There is no such thing as perfect code and everyone knows this, including the person who is looking to attack you. Industry studies put the defect rate of delivered code at anywhere from 15 to 50 bugs per 1,000 lines. In a world where IoT is headed towards being the next disruptive technology (some claim it already is), it has never been more important to put security above all else.
The recent Cisco vulnerability discovered by the security researchers at Embedi is a perfect example of the damage a neglected vulnerability can do to a business. It allows an unauthenticated, remote attacker to execute arbitrary code, take full control of the vulnerable network equipment and intercept traffic. The flaw (CVE-2018-0171) is a stack-based buffer overflow caused by improper validation of packet data in the Smart Install client, a plug-and-play configuration and image-management feature that helps administrators deploy (client) network switches easily.
Embedi released details of the attack along with a proof of concept after Cisco had released its patches. The vulnerability is a remote code execution (RCE) flaw and scores 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS). Remote code execution means an attacker gets a machine they do not control to run code of their choosing, typically from another machine across a wide-area network such as the Internet.
The researchers reported finding roughly 8.5 million devices on the Internet with the Smart Install port open, of which approximately 250,000 were confirmed vulnerable and directly reachable by attackers. To exploit the flaw, an attacker sends a crafted Smart Install message to an affected device on TCP port 4786, which is open by default. The same malformed input can also be used for denial of service: it drives the device into an indefinite loop until the watchdog forces a crash and reload. Embedi reported the vulnerability to Cisco in May 2017 and later demonstrated it at a conference in Hong Kong.
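The two questions a network owner should be able to answer right away are whether Smart Install is still enabled on each switch and whether TCP/4786 is reachable from anywhere untrusted. The script below is an added example (it is not Embedi's or Cisco's code) that answers both from a device inventory: it looks for the global `no vstack` line in the running configuration, which is Cisco's documented way of disabling Smart Install where the image supports it, and performs a plain TCP connect to the port. The device names, the sample configurations and the localhost sockets standing in for switches are constructed for the example. The script deliberately sends nothing Smart Install-specific, so it is an exposure check, not a proof of concept.

```python
"""Smart Install exposure check (added example, not code from Embedi or Cisco).

Two cheap signals per device:
  1. does 'show running-config' carry the global 'no vstack' line, and
  2. does TCP/4786 answer from the vantage point we care about (the Internet,
     a user VLAN, ...).
Neither touches the vulnerable code path; this is an inventory check, not a PoC.
"""
import socket
from dataclasses import dataclass

SMART_INSTALL_PORT = 4786  # Smart Install client port, open by default on affected switches


@dataclass
class Device:
    name: str
    host: str
    running_config: str  # text of 'show running-config'


def smart_install_disabled(running_config: str) -> bool:
    """True only if the config explicitly disables Smart Install.

    The feature is on by default and defaults are not printed by
    'show running-config', so only the opt-out ('no vstack') is visible.
    Absence of that line therefore has to be read as 'enabled'.
    """
    return any(line.strip() == "no vstack" for line in running_config.splitlines())


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect: can we complete a three-way handshake to host:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, ...
        return False


def assess(device: Device, port: int = SMART_INSTALL_PORT) -> str:
    """Combine both signals into one verdict for the inventory report."""
    disabled = smart_install_disabled(device.running_config)
    reachable = tcp_port_open(device.host, port)
    if reachable and not disabled:
        return "EXPOSED"           # feature on and reachable: patch and/or 'no vstack' now
    if reachable:
        return "INVESTIGATE"       # config says off but the port answers: unsaved config? wrong host?
    if not disabled:
        return "ENABLED_FILTERED"  # on but not reachable from here; another vantage point may differ
    return "OK"


# Constructed sample configs (not captured from real devices)
CONFIG_DEFAULT = """!
hostname edge-sw-01
ip domain-name example.test
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
!
"""
CONFIG_HARDENED = """!
hostname edge-sw-02
no vstack
ip domain-name example.test
!
"""


def listening_socket():
    """Ephemeral localhost listener standing in for a switch with TCP/4786 open."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


def refused_socket():
    """Bound but not listening: connects to it are refused, simulating a filtered device."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]


def demo():
    """Run the check against two simulated devices; returns {name: verdict}."""
    open_sock, open_port = listening_socket()
    closed_sock, closed_port = refused_socket()
    try:
        return {
            "edge-sw-01": assess(Device("edge-sw-01", "127.0.0.1", CONFIG_DEFAULT), port=open_port),
            "edge-sw-02": assess(Device("edge-sw-02", "127.0.0.1", CONFIG_HARDENED), port=closed_port),
        }
    finally:
        open_sock.close()
        closed_sock.close()


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```

Run it from the network position an attacker would have (outside the management VLAN, or from the Internet for edge devices), not from the NOC jump host where the port is supposed to be reachable. A device that comes back `ENABLED_FILTERED` still needs the patch: the filter is the only thing standing between it and the overflow, and filters get changed.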
What Does the Cisco Remote Code Execution Vulnerability Teach Us?
Now that we've summarized this event, which could potentially have cost Cisco a fortune, let's look at what we can take away from it.
1. You are not always going to be as fortunate as Cisco. Fortunately for Cisco, Embedi was on the right side of the fence. Not everyone who finds a vulnerability in your product will be nice enough to report it to you. Besides, there are people out there who enjoy watching a giant fall, and yes, that includes the Googles and Facebooks of the world.
2. Invest small or lose big; you choose. A modest investment in the security of your business can save you some serious gold. In Cisco's case, a reward may well have changed hands when the vulnerability was reported, but at least the flaw wasn't exploited to the point of irreparable damage.
3. New security threats appear every day, so automate your security testing. Believe me, this was not the first time Cisco faced a vulnerability like this, and it won't be the last. Attackers innovate daily, finding new ways past your line of defense. No amount of automation will cover all of your security needs, but it adds a fair bit of agility and muscle to your defenses, and automating with a good vendor keeps your coverage current as new threats appear.
4. Get hacked! Yes, you read that right: getting hacked (by the good guys, of course) may be the best way to ensure good security for your business. That is exactly what happened to Cisco. They got HACKED, and that hack potentially saved them a fortune. It's a proactive way of looking at security. As the saying goes, if you want to beat a hacker, you have to start thinking like one.
There are, of course, many other things you can do to secure your business, but the points above are a reminder of what most businesses are not doing proactively. If a large enterprise like Cisco can be hacked despite everything it has invested in security, how much more vulnerable are small and medium-sized businesses? It's worth pondering. Go back, get your security re-evaluated, and I'm sure you'll want to put the security of your business, your customers and your fortune above all else.