[nsp-sec] [TLP:RED] Possible IOS(-XR) SNMP security issue

Chris Morrow morrowc at ops-netman.net
Fri Oct 27 14:09:56 EDT 2017


At Fri, 27 Oct 2017 18:39:15 +0100,
Dominik Bay <db at rrbone.net> wrote:
> 
> ----------- nsp-security Confidential --------
> 
> THE FOLLOWING MESSAGE IS TLP RED
> 
> Folks,
> 
> we are currently seeing the following issue mentioned below.
> My description is deliberately vague in some points to protect the innocent.
> 
> 1. Found a compromised server hosting (daily) varying dumps of (mostly)
> full IOS and IOS-XR PE and CE configurations (Internet connected
> equipment as far as I can tell)
> 
> 2. Devices have proper SNMP and VTY ACLs, mostly average to strong
> passwords by judging clear text and decoded type 7 passwords

this DOES require RW community though, right? (or did you mean there's
a bug where you can do RW things when no RW is configured... which
would be horrid)

> 
> Theory:
> - Attacker bypasses ACL by spoofing nearby IPs
> - Attacker uses bug in IOS(-XR) SNMP stack to trigger configuration
> up/download to device
> - Attacker uses information from config upload for further penetration
> 
> 
> From config headers I see the following versions across devices:
> 
> !! IOS XR Configuration 4.2.1
> !! IOS XR Configuration 4.2.4
> 
> version 12.1
> version 12.2 (12.2(55)SE9 confirmed running on an affected device)
> version 12.3
> version 12.4
> version 15.0
> version 15.1
> version 15.2
> version 15.3
> version 15.4
> version 15.5
> version 15.6
> version 16.4
> 
> If someone is seeing attacks on their infrastructure with known old or
> current SNMP communities please let me or your LEA know. We are trying
> to coordinate with German LEA on this matter and are providing them with
> a more conclusive report tomorrow.
> 
> Cheers,
> Dominik
> 
> -- 
> rrbone UG (haftungsbeschraenkt) - Ruhrallee 9 - 44139 Dortmund
> HR B 23168 Amtsgericht Dortmund - Geschaeftsfuehrer: Dominik Bay
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________