Monday, April 3, 2017


The Telnet Protocol and Zero Day Attacks: An Investigation Into the “Vault 7” Cisco Exploits And The Implications Thereof

Control the routers, and you can control the Internet. Recent revelations of leaked material from the United States Central Intelligence Agency by Wikileaks, from the collection known as “Vault 7”, show that the agency was hoarding a plethora of so-called “zero day” exploits: undisclosed vulnerabilities that can be used to compromise computer systems. CIA manuals indicated specific areas of the Cisco IOS code as being vulnerable, in particular the Cluster Management Protocol code. Cisco engineers found that the flaw could be exploited through the Telnet protocol, an unsecure Internet or LAN protocol that allows for virtual terminal connections. The exploit, labelled by Cisco as CVE-2017-3881, allowed for remote and unfettered access to at least 300 different models of Cisco switches over the Internet, despite that access being intended only for the LAN. There are broad implications from this discovery. One is that the continued use of the antiquated Telnet protocol invites broad digital attacks, such as the Mirai botnet which targeted Internet of Things or “IoT” devices. Two, since Cisco is the largest networking company in the world, such a broad exploitation of its devices compromises the Internet at its fundamental core. Three, the hoarding of these exploits by intelligence agencies is risky to the public at large, both because of the potential for overlap discovery, where other nefarious hackers independently discover the same exploits, and because of leaks, as in the case of the 2016 Shadow Brokers leak in which NSA cyberweapons that also utilized zero day exploits, and happened to target Cisco, were released in the open. Lastly, the repeated loss of these government-hoarded secrets strongly suggests that the agencies cannot be trusted with legislated backdoors into digital security such as encryption.


Control the routers, and you can control the Internet. On March 7th, 2017, the largest publication of confidential documents from the United States Central Intelligence Agency was released by Wikileaks, known as “Vault 7” (Assange). Of particular interest to digital security specialists was that the agency was hoarding a plethora of so-called “zero-day” exploits: undisclosed vulnerabilities that can be used to compromise computer systems (Ulanoff). One exploit is alleged to make use of the Telnet protocol, an unsecure Internet or LAN protocol that allows for virtual terminal connections, in order to gain elevated access to Cisco’s routers and switches (Cimpanu). The exploit, labelled by Cisco as CVE-2017-3881, allowed for remote and unfettered access to at least 300 different models of Cisco switches (Kennedy). As Cisco is the largest networking company in the world, such a broad exploitation of its devices compromises the Internet at its fundamental core. This paper will examine the history of the Telnet protocol and attacks upon it, Cisco switches, the recently revealed practice of intelligence agencies hoarding digital exploits, and the worldwide risk to digital security presented by this practice.

The Telnet protocol was first defined and used in 1969 (TELNET: The Mother of All Applications Protocols). The protocol predates the modern Internet and is the basis for many other protocols such as HTTP and FTP (Geerling). Telnet, short for either telecommunications network or terminal network, is considered by some to be the “original Internet” (Gil, Fisher). The protocol allows for plain-text remote interfaces over TCP/IP networks, and was designed with the assumption of a high level of trust between client and mainframe computers (Gil). These client computers did not require powerful hardware, only a connection to the network and a text-based interface to utilize Telnet (Geerling). Using these terminals boosted productivity and saved time at universities and enterprises where multiple users, often at a great distance, needed to access the mainframe at once. As such, security measures such as encryption were not designed into the protocol, nor perhaps were they even needed given its use on closed networks (Gil, Geerling). What this entails for the modern user is that data transmitted via Telnet, passwords included, can easily be read through network packet sniffing. For most of its purposes, Telnet was later superseded by the Secure Shell protocol, better known as SSH, which was created in response to a password-sniffing attack on a university network that relied on plain-text communication (Geerling). Unlike Telnet, SSH employs encryption at various points in the transaction, including symmetric encryption, asymmetric encryption, and hashing (Ellingwood). Telnet is still used, however, for checking services on remote servers, for accessing devices through local serial connections, and for some remote device configuration (Neagu). Telnet was also popular for searching public-access library catalogs in the early days of the Internet (Lavender). Some of these online catalogs are still accessible, presumably as Telnet daemons running on machines that also provide HTTP access, or on antiquated, forgotten servers (Public Access Catalogue). The protocol has also been used for bulletin-board access and for text video games known as multi-user dungeons or MUDs, since the antiquated MUD code bases do not support SSH (Why Do MUDs use Telnet?). However, the riskiest use of the protocol, and the one most relevant to this topic, is remote configuration (Fisher).

Modern operating systems typically ship with both the Telnet client and Telnet server disabled, and as of Windows Server 2016, the Telnet server is not included at all (Fisher, Gregory). The SANS Institute, a resource for information security training and security certification, warns that even the ability for a system to use Telnet increases risk (Zirkle). Since 1994, CERT, a cyber-security organization out of Carnegie Mellon University, has warned against the use of Telnet (Ongoing Network Monitoring Attacks). However, as demonstrated by recent attacks and potential exploits that made use of the Telnet protocol, there is still significant risk. Even summarizing the large list of potential Telnet exploits in different systems is vastly beyond the scope of this paper, so only the most recent attacks that actually took place will be examined. First, the largest distributed denial of service attack ever recorded was carried out with the Mirai botnet (Mapping Mirai). In a denial of service attack, systems simultaneously make garbage communication attempts against an endpoint, such as a specific company’s Internet servers; in other words, the attack suffocates the connection by consuming the available bandwidth (Popeskic). A botnet is a network of computers on the Internet that have been compromised to various degrees (Mapping Mirai). In the case of Mirai, the focus was on “Internet of Things” or IoT devices, so-called “smart” Internet-connected devices such as fridges, toasters, CCTVs, baby monitors, et cetera (Mapping Mirai). There are estimated to be over 15 million devices on the Internet that still actively use the Telnet protocol, and Mirai spread in large part through these (Mapping Mirai). Mirai used a brute-force attack against these devices, many of which lack brute-force protection (Mapping Mirai). A brute-force attack is typically a systematic guessing of usernames and passwords based on dictionaries, but in Mirai’s case the guesses came from a list of factory-default credentials. Once infected, these devices continue to function, albeit sluggishly, and poll a command and control server, which then indicates the target of a DDoS attack. Mirai is far from the only piece of malware to spread through Telnet, and segments of its source code have been reused in other malware that infects Linux-based embedded devices through default passwords and brute-force attacks (Leyden). Of particular interest is the CVE-2017-3881 vulnerability in Cisco devices, which allowed an unauthenticated, remote attacker to reload a targeted device or execute code with elevated privileges on over 300 types of Cisco switches. To understand the grave potential of this exploit, it is important to understand how Cisco switches operate and what the practical security aspects of the CVE-2017-3881 vulnerability are.

The actual code of the malware mentioned in Vault 7 has not yet been publicly disclosed, and it is entirely possible that the CVE-2017-3881 vulnerability is not the flaw it actually targets. Nevertheless, Omar Santos and analysts with the Cisco Product Security Incident Response Team or PSIRT believe the CIA has access to malware that can target different families of Cisco devices, and that the malware can provide:

…Data collection, data exfiltration, command execution with administrative privileges (and without any logging of such commands ever been executed), HTML traffic redirection, manipulation and modification (insertion of HTML code on web pages, DNS poisoning, covert tunneling, and others). The authors have spent a significant amount of time making sure the tools, once installed, attempt to remain hidden from detection and forensic analysis on the device itself. It would also seem the malware author spends a significant amount of resources on quality assurance testing – in order, it seems, to make sure that once installed the malware will not cause the device to crash or misbehave.

Without immediate access to the malware’s code, Cisco was forced to audit its own code based on clues from the Vault 7 leaks (Chirgwin). In the process, Cisco found that the Cluster Management Protocol (CMP) in Cisco IOS and IOS XE Software could allow a remote attack (Kovacs). CMP uses Telnet for signaling and commands between cluster members. According to Cisco, the vulnerability was due to two specific factors:

The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device.

In response, Cisco recommended the hardening of devices through disabling the ability for devices to accept Telnet connections, and later released software updates to address the specific vulnerability (Santos).
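As an added illustration, not Cisco’s code nor anything from the advisory, the following Python parser walks a Telnet byte stream, separates application data from IAC option negotiation, and enforces the two properties the advisory describes as missing: option traffic reserved for cluster members is flagged when it arrives from any other peer, and a malformed or truncated option sequence is reported and parsing stops rather than guessing at the sender’s intent. The allow-list of standard options and the option number 200 standing in for the cluster option are assumptions; the real vendor option number is not given on this page.

```python
"""Defensive Telnet option parser (added example, not Cisco's code)."""
from dataclasses import dataclass, field

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
VERB_NAMES = {DONT: "DONT", DO: "DO", WONT: "WONT", WILL: "WILL"}
# Assumed allow-list for an ordinary login: 1 ECHO, 3 SUPPRESS-GO-AHEAD, 24 TERMINAL-TYPE, 31 NAWS
STANDARD_OPTIONS = {1, 3, 24, 31}
# PLACEHOLDER for the vendor cluster-management option; the real number is not on the page
CLUSTER_OPTION = 200


@dataclass
class TelnetParse:
    data: bytes = b""                                   # application bytes, IAC removed
    negotiations: list = field(default_factory=list)    # (verb, option)
    suboptions: list = field(default_factory=list)      # (option, payload)
    findings: list = field(default_factory=list)        # policy violations / malformed input


def _check_option(opt, cluster_peer, out, kind):
    """Standard options are fine; the cluster option is accepted only from cluster peers."""
    if opt == CLUSTER_OPTION and not cluster_peer:
        out.findings.append("policy: cluster %s (option %d) from a non-cluster peer" % (kind, opt))
    elif opt != CLUSTER_OPTION and opt not in STANDARD_OPTIONS:
        out.findings.append("policy: unexpected %s for option %d" % (kind, opt))


def _read_suboption(stream, j):
    """Read an SB payload from index j. Returns (payload, index after IAC SE),
    or (None, reason) when the sequence is not properly terminated."""
    payload = bytearray()
    while j + 1 < len(stream):
        if stream[j] != IAC:
            payload.append(stream[j])
            j += 1
        elif stream[j + 1] == IAC:                      # escaped literal 0xFF in payload
            payload.append(IAC)
            j += 2
        elif stream[j + 1] == SE:
            return bytes(payload), j + 2
        else:                                           # no other IAC command may appear here
            return None, "malformed: bare IAC command inside subnegotiation"
    return None, "malformed: subnegotiation has no IAC SE"


def parse_telnet(stream, cluster_peer=False):
    """Split a Telnet stream into data and commands; stop at the first malformed sequence."""
    out = TelnetParse()
    data = bytearray()
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            data.append(stream[i])
            i += 1
            continue
        if i + 1 >= n:
            out.findings.append("truncated: IAC at end of stream")
            break
        cmd = stream[i + 1]
        if cmd == IAC:                                  # IAC IAC = literal 0xFF data byte
            data.append(IAC)
            i += 2
        elif cmd in VERB_NAMES or cmd == SB:
            if i + 2 >= n:
                out.findings.append("truncated: command without option byte")
                break
            opt = stream[i + 2]
            if cmd == SB:
                payload, nxt = _read_suboption(stream, i + 3)
                if payload is None:
                    out.findings.append("%s (option %d)" % (nxt, opt))
                    break
                out.suboptions.append((opt, payload))
                i = nxt
            else:
                out.negotiations.append((VERB_NAMES[cmd], opt))
                i += 3
            _check_option(opt, cluster_peer, out, VERB_NAMES.get(cmd, "SB"))
        else:                                           # NOP, GA, AYT, ...: no arguments
            i += 2
    out.data = bytes(data)
    return out
```

A real Telnet daemon would additionally reject the session, not merely record a finding, once the peer’s address has been checked against the cluster membership.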

According to the International Data Corporation or “IDC”, as of 2016 Cisco holds nearly 60% of the market share in routers and switches (Haranas). This, along with the use of proprietary, typically closed-source software such as IOS in its devices, makes Cisco a particularly large target. While attacks like Mirai were impressive in the multitude of embedded devices affected, crippling in their botnet attacks, and difficult to respond to, the stealth and range of damage that could be effected by outright “owning” routers and switches is far more compromising. For an intelligence agency or a criminal enterprise, data collection on Internet routers can yield raw packet dumps, unencrypted passwords, browsing behaviors, vulnerability assessments, and so on. Data exfiltration by redirecting TCP and UDP packets can subvert firewall protection. Command execution with administrative privileges bypasses system management and also has the potential to be non-auditable: a router rootkit. Traffic redirection and the insertion of HTML code into web pages have equally widespread implications: redirection could enable “phishing” attacks at otherwise authentic URLs, for example a false login page on a mirrored and compromised website that steals one’s credentials while presenting the exact same URL as the authentic website.

Of note, the fact that this exploit relies on the Telnet protocol suggests that the underlying flaw may be very old. This raises questions about the company’s own software auditing process. While Cisco claims there is no evidence of the exploit ever having been used, in the same breath it says there is no way to audit for it accurately (Chirgwin). Wikileaks claims that the CIA was exploiting the flaw, but it is unknown whether there is hard evidence of that or whether it is an assumption on the organization’s part (Kovacs). It follows that there is no way to know simply from auditing device logs.

The attacks uncovered by the Vault 7 leaks are not the first against Cisco by US intelligence agencies. In 2014, Edward Snowden through Wikileaks revealed that the National Security Agency or “NSA” had a practice of physically intercepting devices in transit and installing rootkits to monitor target companies (McElroy, Schneier). In 2013, the Shadow Brokers hacking group is believed to have compromised an NSA staging server, stealing the spy agency’s cyberweapons, which made use of hoarded exploits. This was not revealed until 2016, potentially after elements had already been used and/or sold (Schneier). There is no indication the NSA was aware of the hack until 2016 (Whittaker). “When the NSA screws up, it’s US technology companies that have to bear the reputational costs,” says ACLU Chief Technologist Chris Soghoian. “The NSA gets to avoid all of the unpleasantness associated with its mistakes” (Brandom). Unlike the Wikileaks “Vault 7” leaks, the Shadow Brokers released segments of the actual malware code to the public at large, while selling other tools on darknet black markets; the tools compromised Cisco equipment through dozens of different and previously unknown exploits. For instance, PIX firewalls below version 6 using IPsec Internet Key Exchange for VPNs could be sent specially crafted packets to obtain the contents of device memory. Other attacks exploited buffer overflow flaws in parsers, allowing remote code execution via SNMP (Whittaker). The exploits are known as CVE-2016-6367 and CVE-2016-6366, or “EPICBANANA” and “EXTRABACON” per Omar Santos. According to Derek Kortepeter,

It is likely that we will hear of more patches being released from all companies exposed by this NSA leak. There is talk in the cybersecurity community now of how to best avoid incidents like this in the future. One of the most thrown-around suggestions is making sure the NSA is more diligent about disclosing vulnerabilities to vendors, rather than hoarding them. As we’ve seen, by hoarding all of this data, the NSA has made vendors’ jobs extremely difficult in regard to defending against cyber attacks.

Unlike the Shadow Brokers, WikiLeaks has promised to share the actual binaries and some technical details exclusively with vendors affected by the Vault 7 leaks, including Apple, Microsoft, Google, Mozilla, and MikroTik. It is unclear whether this information has also been provided to Cisco, whether the binaries are available to be provided at all, or whether Cisco refuses to work with WikiLeaks. According to Eduard Kovacs, there could be legal repercussions for using any of the information obtained by WikiLeaks, as “classified files remain classified even if they are made public.” The segments of the leaks that are publicly available read more like developer notes than program overviews, let alone the programs themselves. The CIA has refused to comment on the authenticity of the leaks, but given the vulnerabilities discovered, they evidently have merit (Kovacs).

The CIA criticized the leaks, saying that “such disclosures… equip our adversaries with tools and information to do us harm.” According to Wired writer Andy Greenberg, the real problem isn’t that “someone in Langley is watching you through your hotel room’s TV. It’s the rest of the hacker world that the CIA has inadvertently empowered.” The sheer size of the zero-day stash revealed by the Vault 7 leaks suggests that it is not only the CIA that has access to these vulnerabilities; foreign intelligence agencies and hacking syndicates may theoretically have access as well. According to Kevin Bankston, director of the New America Foundation’s Open Technology Institute, “If the CIA can use it, so can the Russians, or the Chinese or organized crime. The lesson here, first off, is that stockpiling a bunch of vulnerabilities is bad for cybersecurity. And two, it means they’re likely going to get leaked by someone” (Greenberg). Just as the NSA’s cyber tools were stolen by the Shadow Brokers group, according to WikiLeaks the Vault 7 archive was circulated among US government contractors and paid freelance hackers in an unauthorized manner, which raises the possibility that these leaks were in the hands of nefarious hackers long before WikiLeaks’ publication. The hoarding of these exploits also appears to contradict Obama administration policy. Again per Greenberg,

…the CIA appears to have kept the security flaws those techniques exploited secret. And the sheer number of those exploits suggests violations of the Vulnerabilities Equities Process, which the Obama administration created in 2010 to compel law enforcement and intelligence agencies to help fix those flaws, rather than exploit them whenever possible.

“Did CIA submit these exploits to the Vulnerabilities Equities Process?” asks Jason Healey, a director at the Atlantic Council.

If not, you can say that either the process is out of control or they’re subverting the president’s priorities… The deal we make in a democracy is that we understand we need military and intelligence services. But we want oversight in the executive branch and across the three branches of government. If the CIA says ‘we’re suppose to do this, but we’re just not going to,’ or ‘we’re going to do it just enough that the White House thinks we are,’ that starts to eat away at the fundamental oversight for which we have elected officials. (Greenberg)

Large ethical dilemmas are thus also raised by the compromise of digital security by US intelligence agencies. The implication that the CIA may have overstepped its legal boundaries by violating the Vulnerabilities Equities Process suggests that the agency operates as though it were beyond oversight, dangerously compromising the separation of powers inherent in the United States federal system of government.

Letting these secrets fall into the wrong hands, or even simply keeping them from vendors, compromises security not only for “targets” of the CIA but for worldwide digital infrastructure, affecting far more than Americans. While these ethical and legal concerns are largely beyond the scope of this paper, they nevertheless deserve mention. Disclosing vulnerabilities should not be considered disarmament, for reasons that security expert Bruce Schneier raises:

The implications of US policy can be felt on a variety of levels. [Such] actions have resulted in a widespread mistrust of the security of US Internet products and services, greatly affecting American business. If we show that we're putting security ahead of surveillance, we can begin to restore that trust. And by making the decision process much more public than it is today, we can demonstrate both our trustworthiness and the value of open government. An unpatched vulnerability puts everyone at risk, but not to the same degree. The US and other Western countries are highly vulnerable, because of our critical electronic infrastructure, intellectual property, and personal wealth. Countries like China and Russia are less vulnerable -- North Korea much less -- so they have considerably less incentive to see vulnerabilities fixed.

The CIA’s security practices, ethics aside, also show a degree of irresponsibility in waging cyberwarfare. Buying exploits from so-called “blackhat” hackers on the dark web, hoarding those exploits, and then entrusting the portfolio to agency employees and contractors, one of whom is the source of the Vault 7 leaks, is, according to some analysts, in many ways the digital equivalent of the sloppy nuclear arms dealing one would expect from a failed state. Not all security analysts agree with this assessment, however. Rob Graham of Errata Security notes that the agency buys zero-day exploits in order to use them; critics of the policy are thus asking the government to spend millions on vulnerabilities only to disclose them (Leyden, CIA Hacking Dossier).

The inability of the agencies to keep this cache of malware and exploits secure is also particularly worrying in the wake of demands for government-legislated backdoors into devices. If these huge caches are so easily leaked, then certainly a “factory default” account or a method for root access can also be leaked. FBI Director James Comey called for companies to intentionally build security flaws into their devices, a technical backdoor, in the wake of the San Bernardino shooting case (Hall). The FBI had also attempted to force Apple to provide access to the shooters’ devices, before dropping its request and instead paying a hacker to do so (Nakashima).

More and more, there is a conflict between the interests of security and privacy and the intelligence aims of state actors. Companies like Cisco, which operate in the global market, have their reputations and products put at risk when state actors are allowed to uncover or purchase and use vulnerabilities free of legal repercussion. This becomes particularly problematic when those caches are released to the public. Nevertheless, digital vendors also have a responsibility to continuously test and patch their own software. The use of Telnet in any way, shape or form, a protocol that has been warned against for over twenty years, is irresponsible. That Cisco continues to permit the use of the protocol in modern switches and routers is probably due to compatibility requirements between cluster management services. Nevertheless, such weak points in the technological foundations of the Internet are an Achilles’ heel. Worse still, intelligence agencies operating outside the bounds of their own regulation and the will of the people are a weakness in the integrity of the state apparatus.


Assange, J. (2017, March 7). Vault 7: CIA Hacking Tools Revealed. Retrieved April 01, 2017, from
Brandom, R. (2016, August 19). After Shadow Brokers, should the NSA still be hoarding vulnerabilities? Retrieved April 01, 2017, from
Chirgwin, R. (2017, March 19). Cisco reports bug disclosed in WikiLeaks' Vault 7 CIA dump. Retrieved April 01, 2017, from
Cimpanu, C. (2017, March 20). Cisco's Investigation into Vault 7 Leak Uncovers 0-Day Affecting 318 Products. Retrieved April 01, 2017, from
Ellingwood, J. (2014, October 22). Understanding the SSH Encryption and Connection Process | DigitalOcean. Retrieved April 01, 2017, from
Fisher, T. (2017, March 6). What is Telnet? (How to Use Telnet Client in Windows). Retrieved April 01, 2017, from
Geerling, J. (2014, April 15). A brief history of SSH and remote access. Retrieved April 01, 2017, from
Gil, P. (2017, March 19). What Exactly Is 'Telnet'? What Does Telnet Do? Retrieved April 01, 2017, from
Greenberg, A. (2017, March 08). How the CIA's Hacking Hoard Makes Everyone Less Secure. Retrieved April 01, 2017, from
Gregory, K. (2016, October 14). Telnet Server Removed From Windows Server 2016. Retrieved April 01, 2017, from
Hall, J. (2016, March 03). Issue Brief: A “Backdoor” to Encryption for Government Surveillance. Retrieved April 01, 2017, from
Haranas, M. (2016, June 27). IDC: Cisco's Networking Market Share Dominance Slipping As It Battles HPE, Huawei. Retrieved April 01, 2017, from
Kennedy, P. (2017, March 20). Cisco 0-day Unpatched Switch Telnet Vulnerability CVE-2017-3881. Retrieved April 01, 2017, from
Kortepeter, D. (2016, August 31). NSA hack: Cisco releases patches for exposed vulnerabilities. Retrieved April 01, 2017, from
Kovacs, E. (2017, March 20). Cisco Finds Zero-Day Vulnerability in 'Vault 7' Leak. Retrieved April 01, 2017, from
Lavender, C. (n.d.). Using Telnet and the WWW to Search Library Catalogs Online. Retrieved April 01, 2017, from
Leyden, J. (2016, October 31). A successor to Mirai? Newly discovered malware aims to create fresh IoT botnet. Retrieved April 01, 2017, from
Leyden, J. (2017, March 8). CIA hacking dossier leak reignites debate over vulnerability disclosure. Retrieved April 01, 2017, from
Mapping Mirai: A Botnet Case Study. (2016, October 05). Retrieved April 01, 2017, from
McElroy, R. (2017, March 22). Own the Routers. Own the Internet. Retrieved April 01, 2017, from
Neagu, C. (2015, October 06). Simple Questions: What Is Telnet & What Can It Still Be Used For? Retrieved April 01, 2017, from
Ongoing Network Monitoring Attacks. (1994, February 3). Retrieved April 01, 2017, from
Popeskic, V. (2015, September 14). Telnet Attacks – Ways to compromise remote connection. Retrieved April 01, 2017, from
Public access catalogue? r/telnet. (n.d.). Retrieved April 01, 2017, from
Santos, O. (2016, August 17). The Shadow Brokers EPICBANANA and EXTRABACON Exploits. Retrieved April 01, 2017, from
Santos, O. (2017, March 7). The Wikileaks Vault 7 Leak – What We Know So Far. Retrieved April 01, 2017, from
Schneier, B. (2014, May 22). Disclosing vs Hoarding Vulnerabilities. Retrieved April 01, 2017, from
TELNET: The Mother of All (Application) Protocols. (n.d.). Retrieved April 01, 2017, from
Ulanoff, L. (2017, March 08). This is why you should be terrified of the Wikileaks Vault 7 data dump. Retrieved April 01, 2017, from
Whittaker, Z. (2016, August 18). Cisco, Fortinet patch flaws used by alleged NSA hacking group. Retrieved April 01, 2017, from
Why do most MUDs use Telnet instead of SSH? r/MUD. (n.d.). Retrieved April 01, 2017, from
Zirkle, L. (n.d.). IDFAQ: Do telnet and rlogin increase the risk of compromise? Retrieved April 01, 2017, from
