
====================================================================

                             CERT-Renater

                 Information Note No. 2017/VULN036
_____________________________________________________________________

DATE                : 15/02/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Cisco Smart Install.

=====================================================================
https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi
____________________________________________________________________

Cisco Security Response: Cisco Smart Install Protocol Misuse

Response ID: cisco-sr-20170214-smi

Revision 1.0

For Public Release 2017 February 14 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Several researchers have reported that Smart Install (SMI) protocol
messages sent to Smart Install clients, also known as integrated branch
clients (IBC), allow an unauthenticated, remote attacker to change the
startup-config file and force a reload of the device, upgrade the IOS
image on the device, and execute high-privilege CLI commands on switches
running Cisco IOS and IOS XE Software.

Cisco does not consider this a vulnerability in Cisco IOS, IOS XE,
or the Smart Install feature itself but a misuse of the Smart Install
protocol that by design does not require authentication. Customers who
seek more than zero-touch deployment should consider deploying
the Cisco Network Plug and Play solution instead.

Cisco has updated the Smart Install Configuration Guide to include
security best practices regarding the deployment of the Cisco Smart
Install feature within customer infrastructures:
http://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/concepts.html#23355
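The check a practitioner would want after reading this response is an audit of saved switch configurations for devices that still run the Smart Install client. The script below is an added example, not part of the Cisco response or the CERT-Renater note. It assumes (facts not stated on this page) that the client is enabled by default on supported platforms, that the running-config line `no vstack` disables it, and that `vstack director` / `vstack basic` lines mean it is actively configured; the sample configurations are constructed.

```python
"""Audit saved IOS/IOS XE configs for the Smart Install (vstack) client.

Added example, not code from the advisory.  Assumptions (not on the page):
the client is on by default, `no vstack` disables it, and `vstack director`
or `vstack basic` lines mean it is explicitly configured.
"""
import re

# Constructed sample configurations, keyed by hostname (not real devices).
SAMPLE_CONFIGS = {
    "sw-core-1": "hostname sw-core-1\n!\nno vstack\n!\nline vty 0 4\n",
    "sw-branch-7": "hostname sw-branch-7\n!\nvstack director 10.0.0.5\nvstack basic\n!\n",
    "sw-branch-9": "hostname sw-branch-9\n!\ninterface Vlan1\n ip address 10.1.1.9 255.255.255.0\n!\n",
}

VSTACK_CONFIGURED = re.compile(r"vstack (director|basic)\b")


def smart_install_status(config: str) -> str:
    """Classify one running-config by its vstack lines."""
    lines = [line.strip() for line in config.splitlines()]
    if "no vstack" in lines:
        return "disabled"
    if any(VSTACK_CONFIGURED.match(line) for line in lines):
        return "enabled (director configured)"
    # No explicit setting: treat as enabled, because that is the default.
    return "enabled (default, no explicit setting)"


def audit_configs(configs: dict) -> dict:
    """Return {hostname: status} for every config in the mapping."""
    return {name: smart_install_status(cfg) for name, cfg in configs.items()}


def still_enabled(configs: dict) -> list:
    """Hostnames whose Smart Install client is not explicitly disabled."""
    return sorted(n for n, s in audit_configs(configs).items() if s != "disabled")


if __name__ == "__main__":
    for host, status in audit_configs(SAMPLE_CONFIGS).items():
        print(f"{host:12s} {status}")
    print("needs attention:", still_enabled(SAMPLE_CONFIGS))
```

Hosts listed by `still_enabled` are the ones on which the Smart Install client should be reviewed against the best practices in the configuration guide linked above.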

This response is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
