Deception / 09.15.2021

Defending Against Cisco Authentication Bypass Vulnerability Exploits

By Guy Waizel, Chief Operating Officer, TrapX Security

The significant increase in new software vulnerabilities creates a huge challenge for organizations’ IT and security departments, especially in healthcare and industrial IoT environments where it is virtually impossible to patch mission-critical systems in a timely manner. Can you really win the race of patching operating systems and software fast enough to beat the cyber criminals at their game? New vulnerabilities are being discovered with increasing frequency, such as the latest Microsoft vulnerabilities that we recently discussed, or the just-announced Cisco critical vulnerability (CVE-2021-34746), which we’ll discuss here. Can you afford to gamble on being faster than the hackers?

TrapX DeceptionGrid empowers organizational IT and security teams to proactively defend against undiscovered software vulnerabilities by quickly and easily creating emulation traps. Traps can emulate existing assets with known vulnerabilities. The traps deceive attackers who try to exploit new vulnerabilities, reducing risk to real assets and enabling you to detect the attack source and immediately isolate it.

Deceiving the Attackers

TrapX DeceptionGrid 7.2 uses patented emulation technology to deliver comprehensive protection and visibility at scale. DeceptionGrid deploys a crowd of tangible assets, hidden in plain sight among organizational assets, that interact with attackers and misinform them so as to identify them and to gain insight into their tactics, techniques, and procedures (TTPs), enabling rapid response and containment. In just minutes, with DeceptionGrid you can launch hundreds of credible emulations that engage attackers and malware, generating high-fidelity alerts for rapid response.

Traps purposely present known vulnerabilities in Cisco and other vendors’ switches as medium-interaction traps. TrapX also enables the creation of any other customized emulation traps. When an attacker exploits any vulnerability in the traps or runs any other commands on them, a complete inside picture of the attack is produced.

For example, when an attacker accesses a Cisco Switch emulation UI, he sees a realistic Cisco switch web interface. The interface can be customized as appropriate for the organizational environment.

The attacker can also run SSH commands and receive successful, realistic responses, each of which also produces an alert.

For other Cisco devices or software, including Cisco Firewall, Nexus, MD5, Aironet, Catalyst, routers, VoIP, Controllers, VPN and more, organizations can use the TrapX DeceptionGrid Build Your Own Trap (BYOT) feature, which automatically creates a trap with an OS fingerprint matching existing organizational devices. On Linux-based assets, the emulated SSH service can return the real responses of a high-interaction Linux trap. This high-interaction Linux trap can be customized to engage an attacker for an extended period of time.

Recently, Cisco published a new critical vulnerability, CVE-2021-34746: Authentication Bypass Vulnerability in Cisco Enterprise NFV Infrastructure Software. A vulnerability in the external TACACS+ authentication, authorization and accounting (AAA) feature of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to completely bypass authentication and take over an affected device with administrative privileges. This vulnerability affects Cisco Enterprise NFVIS Release 4.5.1 with TACACS+ external authentication configured.

With DeceptionGrid, you can create a custom trap matching Cisco Enterprise NFVIS. You can then configure the trap to use the high-interaction SSH service for its responses, and install the TACACS+ software, and any other software required to recreate the vulnerable configuration, on the high-interaction trap.

An attacker attempting to check the trap for the vulnerable TACACS+ module, or trying to modify any associated configuration files, will receive realistic responses, and TrapX will record an alert.

When an attacker tries to exploit the vulnerability, DeceptionGrid records interaction and infection alerts. And through TrapX integrations with third-party security and network systems, the attacking host can be diverted to a quarantine VLAN, either automatically or manually.
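As an added illustration (not TrapX code, and not NFVIS's real file layout), the following Python shows how the SSH session log of a high-interaction trap could be turned into the two alert classes described above: any command on the trap is an interaction alert, and a command that changes the TACACS+/AAA configuration is an infection alert that flags the source for quarantine. The log format, file paths, command lists and sample session are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed session-log format for a high-interaction Linux trap
# (not TrapX's real format): "<ISO timestamp> <source IP> <user> <shell command>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) (?P<cmd>.+)$")

# Assumed markers for the TACACS+/AAA configuration on the trap; on a real
# trap these would match whatever the emulated NFVIS image actually uses.
AAA_MARKERS = ("tacacs", "/etc/pam.d", "aaa")
# Any command on a trap is already suspicious ("interaction"); a command that
# writes to the AAA configuration is treated as an exploit attempt ("infection").
WRITE_CMDS = {"vi", "vim", "nano", "sed", "tee", "cp", "mv", "rm", "chmod", "chown"}

@dataclass
class Alert:
    severity: str      # "interaction" or "infection"
    src: str           # source IP of the SSH session
    user: str
    command: str
    quarantine: bool   # True when the source should be diverted to the quarantine VLAN

def classify(line: str) -> Optional[Alert]:
    m = LOG_RE.match(line)
    if not m:
        return None  # not a session line; ignore
    cmd = m["cmd"]
    tokens = cmd.split()
    touches_aaa = any(marker in cmd.lower() for marker in AAA_MARKERS)
    writes = bool(tokens) and (tokens[0] in WRITE_CMDS or ">" in tokens)
    if touches_aaa and writes:
        return Alert("infection", m["src"], m["user"], cmd, True)
    return Alert("interaction", m["src"], m["user"], cmd, False)

def process(log: str) -> List[Alert]:
    return [a for a in (classify(l) for l in log.splitlines()) if a]

# Constructed sample session: reconnaissance, then a read and a write of the AAA config.
SAMPLE_LOG = """\
2021-09-15T10:01:02Z 10.0.5.23 admin uname -a
2021-09-15T10:01:09Z 10.0.5.23 admin cat /etc/tacacs/tac_plus.conf
2021-09-15T10:01:30Z 10.0.5.23 admin sed -i 's/^key/#key/' /etc/tacacs/tac_plus.conf
"""

if __name__ == "__main__":
    for alert in process(SAMPLE_LOG):
        print(f"{alert.severity:<11} src={alert.src} quarantine={alert.quarantine} cmd={alert.command}")
```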

Summary

In these few examples, we’ve seen known vulnerabilities that attackers can exploit to breach organizations, as we also saw with the new Microsoft vulnerabilities. In today’s world you need to make sure to protect against the new vulnerabilities being discovered almost every day. This is difficult to do quickly, especially in large organizations, and impossible to do in critical environments such as healthcare and operational systems.

With TrapX emulation traps, you can reduce risk by identifying attackers and isolating them no matter what new vulnerability develops in the future.

About TrapX Security

TrapX provides a new generation of deception technology with real-time breach detection and prevention. Our proven solutions immerse tangible IT assets in a virtual minefield of traps that misinform and misdirect would-be attackers, alerting SOC teams to malicious activity with immediate, actionable intelligence. Our solutions enable our customers to isolate, rapidly fingerprint and disable new zero-day attacks and APTs in real time. TrapX Security has thousands of government and Global 2000 users worldwide, servicing customers in manufacturing, defense, healthcare, finance, energy, consumer products, and other vital industries. For more information, visit www.trapx.com.
