[c-nsp] many 2960-X rebooting today

Nick Cutting ncutting at edgetg.com
Fri Mar 16 14:08:14 EDT 2018


Thanks we have disabled this now - It is in our new build script, these were rolled out a few months ago.

I guess there is no way of seeing if this exploit was executed, perhaps in the crashdump somewhere?

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brandon Applegate
Sent: Friday, March 16, 2018 1:19 PM
To: cisco-nsp mailing list <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] many 2960-X rebooting today

This message originates from outside of your organisation.



> On Mar 16, 2018, at 12:49 PM, Nick Cutting <ncutting at edgetg.com> wrote:
> 
> Anyone seen a number of internet facing 2960-X switches restart today?
> 
> We have had 3 different clients, 6 different switches all reboot today.
> 
> No uptime in common, no code version in common.
> 
> One of them has WS-C2960X-24TS-L - Version 15.2(2)E6
> 
> The only thing they do have in common is that they have internet IP addresses for MGT - with SSH allowed, locked down to certain public IP's.
> 
> Just wondering if this may be the execution of an exploit by a baddie.
> 
> Nick

I haven’t - but the first thing that popped into my head was:

https://github.com/Sab0tag3d/SIET

You might want to scan/nmap your switches.  I know some folks that got hit with this last year.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
0641 D285 A36F 533A 73E5  2541 4920 533C C616 703A "For thousands of years men dreamed of pacts with demons.
Only now are such things possible."



More information about the cisco-nsp mailing list