Cisco Small Business Switch Vulnerabilities (CVE-2018-15439)

By Nick Walter

Introduction

Before I dive into the vulnerabilities, it is important to understand what exactly a small business switch is and how it differs from other “regular” switches. Small business (SMB) switches function like regular switches, but, as the name suggests, they are specifically designed for small businesses. So how are they designed differently? Well, small businesses usually do not have the same budget as larger businesses. To accommodate this, companies like Cisco that develop, manufacture, and sell switches have also made a switch that is much more affordable. This is what’s known as the SMB switch. However, in order to make these switches more affordable, there are some drawbacks.

Drawbacks

You spend less on an SMB switch, approximately ⅓ of the cost of a regular switch, great! But let’s take a look at what exactly you’re missing out on to save that money. First off, with an SMB switch you’re going to get far less bandwidth than you would with a regular switch. This isn’t too big of a deal, though, because if you are a small business, odds are you don’t need as much bandwidth anyway. The next few drawbacks are where you can start to see some red flags being raised. When it comes to the actual software installed on the switches, you get far less with SMB switches. For example, with a regular switch you have a lot more levers and dials you can fine-tune to your company’s needs, such as quality, the levels of security, traffic flow, and more! One last drawback worth pointing out goes a step deeper than the software: it’s about configuring that software. SMB switches come installed with basic configurations that offer fewer details and options when it comes to controlling your network, whereas regular switches give you an in-depth breakdown of your network that you can really comb through to fine-tune your device so it performs everything your business needs.

Small Businesses and Cyber Security

I’ve already pointed out some of the flaws in SMB switches when it comes to what they can do, but does this really matter? Do hackers really target small businesses? It’s just a small business, what could they have that’s worth stealing? Yes. Yes. And lots! Every year approximately 50-60% of small businesses are the victims of a cyber attack (Figure 1). Small businesses handle customer information, including payments such as credit cards, debit cards, and more, just like larger corporations, so hackers have plenty of reason to target them. The difference, as previously discussed, is that small businesses usually don’t have the budget to afford security software, much less a security team constantly monitoring what’s going on with the IT side of their business. If I’m a hacker and I find out this information, it makes me want to attack small businesses even more. Finally, to top it all off, a report conducted by the Ponemon Institute found that 67% of small businesses are concerned about cyber security and only 29% are confident they can contain or mitigate the risk of insecure devices (Figure 20)!

The Vulnerability

Now that we know what SMB switches are, why they’re more vulnerable than other switches, and why the businesses using them are easier targets, it’s time to dive into the vulnerability to see what it is and how hackers are exploiting it. The vulnerability I will be talking about in this blog is the “Cisco Small Business Switches Privileged Access Vulnerability”. It could allow a remote attacker to bypass the user authentication system of an affected device. If an attacker did this, they could log in to the affected device and then execute any commands they liked with full admin privileges. It goes without saying that anyone having full admin privileges who isn’t supposed to is never a good thing, especially when that person has malicious intent. The way the vulnerability works is that an affected device has a default, unremovable, privileged user account. The account exists because it is needed for the initial setup of the switch. After the switch is set up, it is recommended to disable this account by creating another user account with an access privilege of level 15. The catch is that if there are no user-created accounts with a privilege level of 15, the default account is re-enabled without any warning or notification. Since a default account is now active again on your device, it is very easy for an attacker to hijack that account and use it as they wish, all while having the full admin privileges previously mentioned.

Checking for the Vulnerability

Now that you know what the vulnerability is and how it can be exploited, it is a good idea to make sure you are not vulnerable. For this exploit to work, your SMB switch must have no user accounts with an access privilege of level 15. To check your device, run the following command:

Switch# show running-config | include privilege 15

If this command produces output, you are safe and do not need to worry about this vulnerability. However, if it produces no output, you are vulnerable and should continue reading to learn about the fixes and workarounds. Cisco has listed the following devices as vulnerable:

  • Cisco Small Business 200 Series Smart Switches
  • Cisco Small Business 300 Series Managed Switches
  • Cisco Small Business 500 Series Stackable Managed Switches
  • Cisco 250 Series Smart Switches
  • Cisco 350 Series Managed Switches
  • Cisco 350X Series Stackable Managed Switches
  • Cisco 550X Series Stackable Managed Switches

Fixes and Workarounds

As of writing this blog, Cisco has still not released any software update to address this vulnerability. On the flip side, Cisco has also reported that no attacker has exploited this vulnerability yet. The workaround proposed by Cisco is to add at least one user account with an access privilege level of 15 to the device. This can be done with the following commands:

Switch# configure terminal

Switch(config)# username <username> privilege 15 password <password>

To confirm you properly added a user with the correct access level, run the show command listed earlier in this post; it should now produce output.
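As an added example (not from the post or from Cisco), the following Python script applies the same check offline to a saved running-config: it counts only username lines that carry privilege 15, so an unrelated line that happens to contain that string cannot produce a false pass, and it warns before the last level-15 account is removed, which is the condition that silently re-enables the default account. The config text and account names are constructed for illustration, and the username/privilege/password line format is assumed from the commands shown above.

```python
"""Offline audit of a Cisco SMB switch running-config for CVE-2018-15439.

The switch silently re-enables its default privileged account when no
user-created account has privilege level 15, so the audit reports how
many such accounts exist and whether removing one would leave none.
"""
import re

# Assumed line format (from the post): username <name> privilege 15 password <pw>
USERNAME_RE = re.compile(r"^\s*username\s+(\S+)\s+(.*)$", re.IGNORECASE)
PRIV15_RE = re.compile(r"\bprivilege\s+15\b", re.IGNORECASE)


def level15_accounts(running_config: str) -> list[str]:
    """Return names of user-created accounts configured at privilege 15."""
    names = []
    for line in running_config.splitlines():
        m = USERNAME_RE.match(line)
        if m and PRIV15_RE.search(m.group(2)):
            names.append(m.group(1))
    return names


def is_exposed(running_config: str) -> bool:
    """True when no level-15 account exists, i.e. the default account is active."""
    return not level15_accounts(running_config)


def removal_would_expose(running_config: str, username: str) -> bool:
    """True if deleting `username` would leave zero level-15 accounts (the silent trap)."""
    remaining = [n for n in level15_accounts(running_config) if n != username]
    return not remaining


# Constructed sample configs (not captured from a real device); passwords are placeholders.
SAFE_CONFIG = """\
hostname sw-office
username netadmin privilege 15 password PLACEHOLDER-PW
username helpdesk privilege 1 password PLACEHOLDER-PW
"""

EXPOSED_CONFIG = """\
hostname sw-office
username helpdesk privilege 1 password PLACEHOLDER-PW
! note: the old admin account at privilege 15 was deleted during cleanup
"""

if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("exposed", EXPOSED_CONFIG)):
        print(f"{label}: level-15 accounts={level15_accounts(cfg)} exposed={is_exposed(cfg)}")
    print("removing netadmin would expose:", removal_would_expose(SAFE_CONFIG, "netadmin"))
```

Note that a plain text search for "privilege 15" would match the comment line in the second config and report it as safe, while the username-based check correctly flags it as exposed.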

Conclusion

This was just one of many cyber threats that affect small businesses nearly every day. While I am glad to have helped report on one vulnerability and provided a workaround for it, I hope this blog helps open the eyes of small business owners to the very real danger of cyber attacks. Cyber attacks on small businesses have been growing over the past few years and show no signs of slowing down. There will always be vulnerabilities in devices, and eventually it will get to the point, if it hasn’t already, where having cyber security personnel in your business is a necessity. Yes, this is an extra cost to starting a business, but starting your own business has never been easy or cheap, and if you are truly committed to starting your own business, you should be able and willing to adapt to the changing times and the new challenges they bring. Building a strong cyber defense is certainly one of those changes!

Sources
