The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a recommendation to disable the legacy Cisco Smart Install (SMI) feature after it was observed being abused in recent cyberattacks. Below we look at what the feature does, how attackers have been using it, and what CISA recommends so that it cannot be used to take over your switches.
Cisco Smart Install (SMI) is a legacy feature designed to simplify the deployment and configuration of Cisco network switches. It was originally developed to streamline the setup process for new switches, allowing network administrators to configure and deploy multiple devices with minimal manual intervention.
Here’s why it was commonly in use:
Zero-Touch Deployment: SMI enables switches to be automatically configured when they are first powered on and connected to the network. This eliminates the need for manual configuration of each individual switch.
Centralized Management: The feature allows network administrators to manage the initial setup and configuration of multiple switches from a single location, simplifying network management.
Auto-Image Upgrade: SMI can automatically upgrade the firmware of switches to ensure they are running the latest software version.
Auto-Configuration: SMI automatically applies a pre-defined configuration to new switches, ensuring they are set up according to network standards and requirements.
Despite its convenience, Cisco Smart Install has been associated with significant security risks:
Unauthorized Access: If not properly configured or disabled, the SMI feature can be exploited by attackers to gain unauthorized access to network devices.
Exploitation by Attackers: Attackers can use the feature to alter device configurations, replace system images, create rogue accounts, or exfiltrate sensitive information.
Exposure to Internet: Devices with SMI enabled and exposed to the internet can be scanned and targeted by malicious actors, making them vulnerable to attacks.
Due to these risks, Cisco and cybersecurity organizations like CISA have recommended disabling the SMI feature, especially in environments where it is no longer needed. This is to prevent potential exploitation by threat actors who may use it as a vector for attacks.
CISA identified that threat actors are abusing the SMI feature, along with other protocols and software, to steal sensitive data, including system configuration files. This prompted the agency to issue an alert advising administrators to disable the legacy SMI protocol, which has been replaced by the Cisco Network Plug and Play solution, to prevent further attacks.
CISA also urged administrators to review the NSA's advisory on Smart Install Protocol Misuse and the Network Infrastructure Security Guide for additional configuration guidance.
Back in 2018, the Cisco Talos team had already warned about misuse of the Cisco SMI protocol, noting that it was being abused to target Cisco switches in attacks linked to various hacking groups, including the Russian-backed Dragonfly APT group, also known as Crouching Yeti or Energetic Bear.
These attackers capitalized on switch owners' failure to configure or disable the SMI protocol, which left the SMI client listening (on TCP port 4786) and accepting unauthenticated "installation/configuration" commands from anyone who could reach it.
Vulnerable switches allowed threat actors to modify configuration files, replace the IOS system image, create unauthorized accounts, and exfiltrate data using the TFTP protocol.
In February 2017 and February 2018, Cisco had warned its customers about active scans by malicious actors searching for Cisco devices with SMI enabled and exposed to the internet.
Currently, the threat monitoring service Shadowserver reports that over 6,000 IP addresses with the Cisco Smart Install feature are still exposed online, a decrease from over 11,000 in August 2023.
CISA also advised administrators to enhance password protection measures after discovering that attackers are exploiting weak password types to compromise Cisco network devices.
"A Cisco password type refers to the algorithm used to secure a device’s password within a system configuration file. Weak password types can be easily cracked, allowing attackers to gain access to system configuration files and potentially compromise networks," CISA stated.
The agency recommended using NIST-approved Type 8 password protection for all Cisco devices. This ensures that passwords are hashed using the Password-Based Key Derivation Function version 2 (PBKDF2), with the SHA-256 hashing algorithm, an 80-bit salt, and 20,000 iterations.
For more information on implementing Type 8 privilege EXEC mode passwords and creating local user accounts with Type 8 passwords on Cisco devices, CISA referred administrators to the NSA's "Cisco Password Types: Best Practices" guide.
CISA emphasized the importance of following best practices for securing administrator accounts and passwords within configuration files. This includes using strong hashing algorithms, avoiding password reuse across systems, ensuring passwords are strong and complex, and avoiding the use of shared group accounts that lack accountability. Retiring the legacy Smart Install feature also removes the one precondition these attacks depend on: a reachable, still-enabled SMI client.
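The advisory boils down to two checks on each switch's running configuration: Smart Install must be disabled, and no credential may be stored with a weak password type. As an added example (not code from CISA, the NSA, or Cisco), the Python script below audits a running-config text for both conditions, decoding any Type 7 value it finds to show why that type is reversible. The two configurations, the hostnames and the hash strings in them are constructed for the example; the Type 7 XOR key is the well-known constant used by IOS, and the severity assigned to each password type follows the NSA guide referenced above.

```python
"""Audit a Cisco IOS running-config for the two issues in the CISA advisory:
Smart Install left enabled, and passwords stored with weak types (0, 4, 5, 7).
Example code, not a Cisco or CISA tool."""
import re

# Well-known constant IOS uses for Type 7 "encryption"; the first two decimal
# digits of a stored Type 7 value are the starting offset into this key.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Verdict per password type, following the NSA "Cisco Password Types: Best
# Practices" guide: 8 (PBKDF2-SHA256) is the recommended type.
PASSWORD_TYPES = {
    "0": "critical: plaintext",
    "7": "critical: reversible Vigenere-style encoding",
    "4": "high: deprecated Type 4 SHA-256 hash",
    "5": "high: MD5-based Type 5 hash",
    "8": "ok: PBKDF2-SHA256 (recommended)",
    "9": "ok: scrypt (strong, not NIST-approved)",
}

# Matches 'enable password|secret [type] value' and
# 'username NAME [privilege N] password|secret [type] value' as they appear
# in a running-config. A missing type means plaintext (Type 0).
PASSWORD_RE = re.compile(
    r"^(?:enable|username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?)\s+"
    r"(?P<kind>password|secret)(?:\s+(?P<type>[04-9]))?\s+(?P<value>\S+)",
    re.M,
)


def decode_type7(encoded: str) -> str:
    """Recover the plaintext behind a 'password 7 <hex>' value."""
    offset = int(encoded[:2])            # two decimal digits, e.g. "09"
    body = bytes.fromhex(encoded[2:])
    return bytes(
        b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(body)
    ).decode()


def audit_config(config: str) -> list[str]:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    # On IOS images that support the command, the Smart Install client is on by
    # default and only an explicit 'no vstack' line shows that it was disabled.
    if not re.search(r"^no vstack\s*$", config, re.M):
        findings.append(
            "smart-install: no 'no vstack' line, SMI client assumed enabled (TCP/4786); "
            "fix with 'no vstack' and verify with 'show vstack config'"
        )
    for m in PASSWORD_RE.finditer(config):
        ptype = m.group("type") or "0"
        who = m.group("user") or "enable"
        verdict = PASSWORD_TYPES.get(ptype, f"unknown type {ptype}")
        if verdict.startswith("ok"):
            continue
        note = f"{who}: {m.group('kind')} type {ptype} ({verdict})"
        if ptype == "7":
            note += f", decodes to {decode_type7(m.group('value'))!r}"
        findings.append(note)
    return findings


# Constructed "before" config: SMI untouched, 'service password-encryption'
# producing a Type 7 enable password, one plaintext user, one MD5 user.
WEAK_CONFIG = """\
hostname sw-access-01
!
service password-encryption
!
enable password 7 094F471A1A0A
!
username admin privilege 15 password 0 Summer2024
username netops secret 5 $1$Xk2f$QhR3vY9pLm0cTgWz8uBnE/
!
line vty 0 4
 transport input ssh
"""

# Constructed "after" config, i.e. what the running-config looks like once
# 'no vstack', 'enable algorithm-type sha256 secret <pw>' and
# 'username admin privilege 15 algorithm-type sha256 secret <pw>' have been
# entered. The $8$ strings are made-up placeholders, not real hashes.
HARDENED_CONFIG = """\
hostname sw-access-01
!
no vstack
!
enable secret 8 $8$mTj4RZG8N9ZDOk$elY/asfm8kD3iDmkBe3hD2r4xcA/0oWS5V3os.O91u.
!
username admin privilege 15 secret 8 $8$dsYGNam3K1SIJO$7nv/35M/qr6t.dVc7UY9zrJDWRcqncHub1PE9UlMQFs
!
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_config(cfg) or ["no findings"]:
            print(" ", finding)
```

Running the script against the weak configuration reports the missing `no vstack` line and all three credentials, including the `enable password 7` value decoded back to `cisco`; the hardened configuration produces no findings. In practice you would feed it the output of `show running-config` collected from each switch.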