For the last few weeks, we all got our ears torn out by story after story of WannaCry this, WannaCry that. Yet, not long ago, there was a similar exploit - Cisco 0-Day, CVE-2017-3881 - whose impact could have caused a similar outcry had it been more successful. We highlight the initial similarities between Cisco 0-Day and EternalBlue - the exploit that fueled WannaCry - but note the differences that altered their eventual impact and scale. We reiterate that both could have been avoided with some simple remediation steps.
First, a little about Cisco 0-Day: Uncovered from the "Vault 7" leak by WikiLeaks, CVE-2017-3881 or Cisco 0-Day, affects the Cluster Management Protocol (CMP) used in Cisco products. According to the Cisco Security Advisory, this Cisco 0-day impacts 318 Cisco products. The good news is, this 0-Day was recently (finally!) patched by Cisco Systems after a security researcher made public an exploit of the code.
For those that don't know, EternalBlue (CVE-2017-0144), leaked by the "Shadow Brokers" hack group, is the exploit that eventually led to the now famous self-spreading ransomware, WannaCry.
Now, let's break down their key attributes:
|Cisco 0-day (CVE-2017-3881)||EternalBlue (CVE-2017-0144)|
|Responsible Party||WikiLeaks||The Shadow Brokers|
|Affected Protocol(s)||Cluster Management Protocol (CMP)||Server Message Block 1 (SMBv1)|
|Patch Date||61 days after leak||31 days before leak|
|Exploitability||Remotely Exploitable||Remotely Exploitable|
|Scale of Impact||318 Cisco Products||All Windows machines with exposed SMBv1 without the MS17-010 patch (230K+ machines in over 150 countries)|
|Extent of Damage||Device takeover||Arbitrary Code Execution|
What can we point out to start?
- Both vulnerabilities were discovered by leaked information; Cisco from Wikileaks, and EternalBlue from The Shadow Brokers
- Both affect protocol implementations
- Both were left unpatched for months
- Both issues can lead to remote code execution
Despite their initial similarities, notice that Cisco 0-day was left unpatched for 61 days after leak. Yet,there have not been any reports on a widespread attack leveraging the Cisco 0-day vulnerability. Contrast this with EternalBlue, patched 31 days before leak; yet, suffered from a widespread attack. Furthermore, it is believed that Cisco 0-Day was lurking around in the wild for quite some time prior to the leak. If Cisco 0-Day had a longer lifespan, what made EternalBlue so easily exploited, so soon?
Primarily the ability to spread, and the extent of damage. Cisco 0-Day affected 318 Cisco products via device takeover. This enabled the attacker to takeover a vulnerable Cisco device, which was a potential gateway to further attacks on other devices in network. Contrast this with WannaCry's use of remote code execution: within weeks after the leak, EternalBlue was used to develop WannaCry, which then spread to all outdated Windows machines exposed to SMBv1, and automatically infected other vulnerable computers in the network.
Could both have been prevented? Yes, keeping systems and software up to date could easily prevent attacks made from public exploits. In the case of Cisco 0-Day CVE-2017-3881, hardening the systems overall, such as keeping sane defaults, can reduce the number of attack surfaces.
The underlying thread is that a delay in patching can have direct consequences on extent of damage and scale of impact, especially as usage of 3rd party components and libraries continue to proliferate. This is probably not the last we're going to hear of WannaCry, or Cisco, but at least it is promoting a healthy discussion over the need to secure open-source code in the new DevOps age. As George Santayana says "Those who do not learn from history are doomed to repeat it".