[nsp-sec] [TLP:RED] Possible IOS(-XR) SNMP security issue

Dominik Bay db at rrbone.net
Fri Oct 27 13:39:15 EDT 2017


THE FOLLOWING MESSAGE IS TLP RED

Folks,

we are currently seeing the following issue mentioned below.
My description is deliberately vague in some points to protect the innocent.

1. Found a compromised server hosting (daily) varying dumps of (mostly)
full IOS and IOS-XR PE and CE configurations (Internet connected
equipment as far as I can tell)

2. Devices have proper SNMP and VTY ACLs, mostly average to strong
passwords judging by clear text and decoded type 7 passwords

Theory:
- Attacker bypasses ACL by spoofing nearby IPs
- Attacker uses bug in IOS(-XR) SNMP stack to trigger configuration
up/download to device
- Attacker uses information from config upload for further penetration


From config headers I see the following versions across devices:

!! IOS XR Configuration 4.2.1
!! IOS XR Configuration 4.2.4

version 12.1
version 12.2 (12.2(55)SE9 confirmed running on an affected device)
version 12.3
version 12.4
version 15.0
version 15.1
version 15.2
version 15.3
version 15.4
version 15.5
version 15.6
version 16.4

If someone is seeing attacks on their infrastructure with known old or
current SNMP communities, please let me or your LEA know. We are trying
to coordinate with German LEA on this matter and are providing them with
a more conclusive report tomorrow.

Cheers,
Dominik

-- 
rrbone UG (haftungsbeschraenkt) - Ruhrallee 9 - 44139 Dortmund
HR B 23168 Amtsgericht Dortmund - Geschaeftsfuehrer: Dominik Bay