[c-nsp] TIL: Maintenance Operations Protocol (MOP)

Drew Weaver drew.weaver at thenap.com
Fri Aug 6 12:18:13 EDT 2021


Yes,

Plus consider the fact that if you do a 'show users' it shows up as a VTY connection and if you set transports on your configuration interfaces (console) it ignores that and still works.

-Drew


-----Original Message-----
From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> On Behalf Of Randy (K6RP)
Sent: Friday, August 6, 2021 12:13 PM
To: cisco-nsp <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)

For something that is answering by default, where brutes cannot be 
blocked or ratelimited by CoPP or MLS kbobs?   Control plane DDoS 
anyone?

What other surprises are in it's codes?

I'm sure a (hopefully) whitehat would have fun with this one.

---
~Randy (K6RP)

On 08/06/2021 9:00 am, Drew Weaver wrote:
> AAA was unconfigured as I was testing on a lab router.
> 
> Whether or not it provides unauthorized access depends on whether you 
> expect anyone that has something connected to that router to have 
> access to the console or not.
> 
> At the very least it provides an opportunity and a vector.
> 
> It doesn't seem to log anything when you use it, too.
> 
> -----Original Message-----
> From: Oliver Boehmer (oboehmer) <oboehmer at cisco.com>
> Sent: Friday, August 6, 2021 11:48 AM
> To: Gert Doering <gert at greenie.muc.de>; Lukas Tribus <lukas at ltri.eu>
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)
> 
> 
>     On Fri, Aug 06, 2021 at 02:00:30PM +0200, Lukas Tribus wrote:
>     > I'm no longer putting in hundreds of hours to fight losing 
> battles,
>     > which earlier in my carrier I did:
>     >
> https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.cisco.com_s
> ecurity_center_content_CiscoSecurityAdvisory_Cisco-2DSA-2D20140828-2DC
> VE-2D2014-2D3347&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiM
> M&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=C7uP5I5FPqc4m2MQRUF_
> ir9MYgYPqlHPppfTRkcOuGU&s=cqRIG75OwMpTMXCVJLn6A_Iq4_3cYPNbJBKRE0xMhSk&
> e=
> 
>     Ensuring that MOP is dead and stays buried might actually be worth 
> a
>     PSIRT effort - any feature that is on-by-default and enables 
> unauthorized
>     access to a device should be worth the fight.
> 
> +1, and worth a PSIRT case right away.
> But it doesn't provide unauthorized access, does it? Drew's test 
> showed a password prompt (not sure what the AAA config looked like)..
> 
> 	oli
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://urldefense.proofpoint.com/v2/url?u=https-3A__puck.nether.net_m
> ailman_listinfo_cisco-2Dnsp&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A
> _CdpgnVfiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=ZUHFdp0mN
> GBoAt2x7IibB5wtqmMT0eB8-LONI5uB814&s=GOpxtNUbb64MhC2AZqTgYHArDZFDggCDo
> LtGb8d0N1I&e= archive at 
> https://urldefense.proofpoint.com/v2/url?u=http-3A__puck.nether.net_pi
> permail_cisco-2Dnsp_&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnV
> fiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=ZUHFdp0mNGBoAt2x
> 7IibB5wtqmMT0eB8-LONI5uB814&s=xdkRJ-gfUnCBgWmKNESTsXN95Wq2Tf2lcmCLOCfl
> F8M&e=
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://urldefense.proofpoint.com/v2/url?u=https-3A__puck.nether.net_mailman_listinfo_cisco-2Dnsp&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=ZUHFdp0mNGBoAt2x7IibB5wtqmMT0eB8-LONI5uB814&s=GOpxtNUbb64MhC2AZqTgYHArDZFDggCDoLtGb8d0N1I&e=
archive at https://urldefense.proofpoint.com/v2/url?u=http-3A__puck.nether.net_pipermail_cisco-2Dnsp_&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=ZUHFdp0mNGBoAt2x7IibB5wtqmMT0eB8-LONI5uB814&s=xdkRJ-gfUnCBgWmKNESTsXN95Wq2Tf2lcmCLOCflF8M&e=


More information about the cisco-nsp mailing list