[nsp-sec] [TLP:RED] Possible IOS(-XR) SNMP security issue
Barry Raveendran Greene
bgreene at senki.org
Fri Oct 27 13:56:02 EDT 2017
Hi Dominik,
Is Cisco PSIRT plugged in (I think they should still be on NSP-SEC)?
From what you describe, I’m not sure if there are any tools that would detect the “valid” SNMP activity. I don’t know if people are monitoring SNMP community errors (if that is an indicator).
What other suggestions can you give for people to check if this is happening?
Thanks,
Barry
Sent from my iPad
> On Oct 27, 2017, at 13:39, Dominik Bay <db at rrbone.net> wrote:
>
> ----------- nsp-security Confidential --------
>
> THE FOLLOWING MESSAGE IS TLP RED
>
> Folks,
>
> we are currently seeing the following issue mentioned below.
> My description is deliberately vague in some points to protect the innocent.
>
> 1. Found a compromised server hosting (daily) varying dumps of (mostly)
> full IOS and IOS-XR PE and CE configurations (Internet connected
> equipment as far as I can tell)
>
> 2. Devices have proper SNMP and VTY ACLs, mostly average to strong
> passwords by judging clear text and decoded type 7 passwords
>
> Theory:
> - Attacker bypasses ACL by spoofing nearby IPs
> - Attacker uses bug in IOS(-XR) SNMP stack to trigger configuration
> up/download to device
> - Attacker uses information from config upload for further penetration
>
>
> From config headers I see the following versions across devices:
>
> !! IOS XR Configuration 4.2.1
> !! IOS XR Configuration 4.2.4
>
> version 12.1
> version 12.2 (12.2(55)SE9 confirmed running on an affected device)
> version 12.3
> version 12.4
> version 15.0
> version 15.1
> version 15.2
> version 15.3
> version 15.4
> version 15.5
> version 15.6
> version 16.4
>
> If someone is seeing attacks on their infrastructure with known old or
> current SNMP communities please let me or your LEA know. We are trying
> to coordinate with German LEA on this matter and are providing them with
> a more conclusive report tomorrow.
>
> Cheers,
> Dominik
>
> --
> rrbone UG (haftungsbeschraenkt) - Ruhrallee 9 - 44139 Dortmund
> HR B 23168 Amtsgericht Dortmund - Geschaeftsfuehrer: Dominik Bay
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
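On Barry's question of what people can check: one defender-side starting point is to watch device syslog for SNMP authentication failures (the "community errors" he mentions) and for configuration changes that were triggered over SNMP, then correlate the two per source address. The script below is an added example written for this thread, not code from either poster; the log lines are constructed in the shape of IOS syslog messages (AUTHFAIL and CONFIG_I), and the exact text of those messages on a given platform and release should be verified before relying on the patterns.

```python
import re
from collections import Counter

# Constructed sample syslog lines (placeholder hostnames and RFC 5737 addresses),
# shaped like IOS %SNMP-3-AUTHFAIL and %SYS-5-CONFIG_I messages.
SAMPLE_LOGS = """\
Oct 27 10:01:02 pe1 123: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.7
Oct 27 10:01:03 pe1 124: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.7
Oct 27 10:01:05 pe1 125: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.7
Oct 27 10:02:10 pe1 126: %SYS-5-CONFIG_I: Configured from 198.51.100.7 by snmp
Oct 27 10:30:00 pe2 200: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.5)
Oct 27 11:00:00 pe2 201: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.5
"""

# Message formats are assumed; adjust the regexes to match your platform's output.
AUTHFAIL = re.compile(r"%SNMP-3-AUTHFAIL: .* from host (\S+)")
SNMP_CONFIG = re.compile(r"%SYS-5-CONFIG_I: Configured from (\S+) by snmp")


def analyse(log_text, authfail_threshold=3, expected_managers=()):
    """Return (authfail_counts, alerts).

    alerts is a list of tuples:
      ("snmp_auth_failures", host, count)  host crossed the failure threshold
      ("snmp_config_change", host)         config change via SNMP from a host
                                           not in expected_managers
      ("authfail_then_snmp_config", host)  both of the above for one host, the
                                           pattern the thread's theory predicts
    Because the theory involves spoofing addresses near the ACL'd range, a config
    change via SNMP is worth reviewing even when the source looks local.
    """
    fails = Counter()
    config_sources = []
    for line in log_text.splitlines():
        m = AUTHFAIL.search(line)
        if m:
            fails[m.group(1)] += 1
            continue
        m = SNMP_CONFIG.search(line)
        if m:
            config_sources.append(m.group(1))

    alerts = []
    for host, n in fails.items():
        if n >= authfail_threshold:
            alerts.append(("snmp_auth_failures", host, n))
    for host in config_sources:
        if host not in expected_managers:
            alerts.append(("snmp_config_change", host))
        if fails[host]:
            alerts.append(("authfail_then_snmp_config", host))
    return fails, alerts
```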