According to this article, Cisco just had a bit of a shock in the Vault 7 CIA leak – namely that a simple malformed telnet command to one of its affected switches can either reboot it or get it to execute commands with admin privileges (or the equivalent of admin).
This is a zero day: easy to exploit and very high impact indeed.
To me, this raises the interesting question – what is a modern-day networking device doing supporting telnet-like functionality anyway? And especially, why is it ON by default…
What is telnet?
Simply put, telnet is probably one of the oldest application layer network protocols out there. According to Wikipedia it has been around as long as I have, since 1969!
In its simplest form it's a basic ‘plain text’ protocol, i.e. no encryption: you can ‘sniff’ the text being sent back and forth straight off the network. It has no protection against man-in-the-middle attacks; you might as well broadcast what is being exchanged (well, you are if it's over open WiFi!).
Basically it has been completely superseded by protocols like SSH, so you have no valid reason to be using it day to day now.
Why is it on a network device?
Networking equipment vendors usually want to make it as easy as possible for people to do the initial set-up and configuration of a switch or router – so having a telnet login function makes good sense in that case; but it should never be left on when the device is part of a production network.
In fact, certain security standards (like PCI DSS) explicitly prohibit the use of unencrypted sessions, to protect against man-in-the-middle attacks that could then enable attacks against the core sensitive financial data.
What I’d recommend
- Check all your impacted Cisco switches, turn on SSH access and disable telnet access (don’t wait for the patch, do this now).
- Change all the passwords on your networking kit to previously unused passwords.
- Make sure none of your machines respond on port 23 (this is the telnet port); if they do, turn it off.
- Check your router and specifically ban port 23 traffic (if you are using deny-all as your default, check you don’t have rules enabling port 23 specifically).
I’d also check that your networking devices are not exposing their HTTP or equivalent admin interfaces to the ‘public’ or external side of your network.
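As an added example (not from the original post, and not Cisco's own guidance), here is what those recommendations look like as a Cisco IOS configuration: SSH enabled, telnet removed from the vty lines, management access restricted to a named subnet, the HTTP admin interface switched off, and port 23 blocked on the outside interface. The hostname, domain name, management subnet 10.0.100.0/24, username and interface name are all assumptions; replace them with your own values.

```cisco
! --- Prerequisites for SSH: the RSA key is named after hostname + domain ---
hostname CORE-SW1
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3

! --- Local admin account with a fresh, previously unused password ---
! (prefer AAA/TACACS+ or RADIUS where you have it)
username netadmin privilege 15 secret REPLACE-WITH-NEW-UNIQUE-PASSWORD

! --- Only the management subnet (assumed 10.0.100.0/24) may reach the vty lines ---
ip access-list standard MGMT-HOSTS
 permit 10.0.100.0 0.0.0.255
 deny any log

! --- vty lines: SSH only; "transport input ssh" removes telnet entirely ---
line vty 0 15
 transport input ssh
 access-class MGMT-HOSTS in
 login local
 exec-timeout 10 0

! --- Disable the web admin interface rather than expose it externally ---
no ip http server
no ip http secure-server

! --- Router edge: drop inbound telnet transiting the external interface ---
! (assumed interface name; "log" gives you a record of anyone still trying)
ip access-list extended NO-TELNET-IN
 deny tcp any any eq 23 log
 permit ip any any
interface GigabitEthernet0/0
 ip access-group NO-TELNET-IN in
```

To verify, `show ip ssh` should report SSH enabled with version 2.0, `show running-config | section line vty` should show `transport input ssh` and no `telnet`, and `show ip access-lists NO-TELNET-IN` will show the hit counters climbing if anything on the outside is still probing port 23. Make the SSH connection from a second session before you close the one you configured from, so a mistake in the access-class cannot lock you out.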