[nsp-sec] [TLP:RED] Possible IOS(-XR) SNMP security issue
Dominik Bay
db at rrbone.net
Fri Oct 27 14:36:12 EDT 2017
Chris,
here's my answer to an offlist E-Mail from Jon Miyake:
###########
Thank you. Actually that seems to be the right direction.
I was only looking into
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-smi
and discarded it after I saw that it is only affecting IOS and IOS-XE.
I'm currently verifying across the IP addresses I have and will report
back shortly.
Cheers,
Dominik
###########
In the meantime I verified this with the IP addresses I gathered from
the configuration dumps I already have.
With this tool I was able to reproduce the config download from affected
devices:
https://github.com/Sab0tag3d/SIET
So this is actually not an SNMP bug as suspected first. I'm very sorry
for overlooking the SA mentioned by Jon Miyake which is:
https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi
Cheers,
Dominik
On 10/27/2017 07:09 PM, Chris Morrow wrote:
> At Fri, 27 Oct 2017 18:39:15 +0100,
> Dominik Bay <db at rrbone.net> wrote:
>>
>> ----------- nsp-security Confidential --------
>>
>> THE FOLLOWING MESSAGE IS TLP RED
>>
>> Folks,
>>
>> we are currently seeing the following issue mentioned below.
>> My description is deliberately vague in some points to protect the innocent.
>>
>> 1. Found a compromised server hosting (daily) varying dumps of (mostly)
>> full IOS and IOS-XR PE and CE configurations (Internet connected
>> equipment as far as I can tell)
>>
>> 2. Devices have proper SNMP and VTY ACLs, mostly average to strong
>> passwords by judging clear text and decoded type 7 passwords
>
> this DOES require RW community though, right? (or did you mean there's
> a bug where you can do RW things when no RW is configured... which
> would be horrid)
>
>>
>> Theory:
>> - Attacker bypasses ACL by spoofing nearby IPs
>> - Attacker uses bug in IOS(-XR) SNMP stack to trigger configuration
>> up/download to device
>> - Attacker uses information from config upload for further penetration
>>
>>
>> From config headers I see the following versions across devices:
>>
>> !! IOS XR Configuration 4.2.1
>> !! IOS XR Configuration 4.2.4
>>
>> version 12.1
>> version 12.2 (12.2(55)SE9 confirmed running on an affected device)
>> version 12.3
>> version 12.4
>> version 15.0
>> version 15.1
>> version 15.2
>> version 15.3
>> version 15.4
>> version 15.5
>> version 15.6
>> version 16.4
>>
>> If someone is seeing attacks on their infrastructure with known old or
>> current SNMP communities please let me or your LEA know. We are trying
>> to coordinate with German LEA on this matter and are providing them with
>> a more conclusive report tomorrow.
>>
>> Cheers,
>> Dominik
>>
>> --
>> rrbone UG (haftungsbeschraenkt) - Ruhrallee 9 - 44139 Dortmund
>> HR B 23168 Amtsgericht Dortmund - Geschaeftsfuehrer: Dominik Bay
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
--
rrbone UG (haftungsbeschraenkt) - Ruhrallee 9 - 44139 Dortmund
HR B 23168 Amtsgericht Dortmund - Geschaeftsfuehrer: Dominik Bay
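As an added, defender-side illustration (not part of the thread, and unrelated to the SIET tool linked above), the following Python triages a set of IOS / IOS-XR configuration texts the way the version listing in the thread was built: it pulls the platform and version from the config header, counts reversible type 7 password lines (the kind the thread mentions decoding), and, for IOS/IOS-XE configs, checks whether Smart Install has been explicitly disabled with the `no vstack` global command (Cisco's documented way to turn the Smart Install client off; it does not apply to IOS-XR). The three sample configs are constructed for the example.

```python
import re

# Constructed sample configuration dumps (not from the thread).
SAMPLE_CONFIGS = {
    "pe1": """!! IOS XR Configuration 4.2.4
hostname pe1
snmp-server community secret01 RO IPv4 MGMT-ACL
""",
    "ce1": """version 12.2
hostname ce1
enable secret 5 $1$abcd$xxxxxxxxxxxxxxxxxxxxxx
username admin password 7 0822455D0A16
snmp-server community public RO 10
line vty 0 4
 access-class 10 in
""",
    "ce2": """version 15.2
hostname ce2
no vstack
enable secret 5 $1$abcd$xxxxxxxxxxxxxxxxxxxxxx
snmp-server community secret02 RO 10
""",
}

# "version X.Y" is the header used by both classic IOS and IOS-XE;
# IOS-XR starts its configs with "!! IOS XR Configuration X.Y.Z".
IOS_VERSION_RE = re.compile(r"^version\s+(\S+)", re.M)
XR_VERSION_RE = re.compile(r"^!! IOS XR Configuration\s+(\S+)", re.M)
# Type 7 is an obfuscation, not a hash: anyone holding the config can recover the secret.
TYPE7_RE = re.compile(r"\b(?:password|key)\s+7\s+\S+", re.M)


def platform_and_version(config):
    """Return (platform, version) from the config header, or ("unknown", None)."""
    m = XR_VERSION_RE.search(config)
    if m:
        return "IOS-XR", m.group(1)
    m = IOS_VERSION_RE.search(config)
    if m:
        return "IOS", m.group(1)
    return "unknown", None


def smart_install_status(config, platform):
    """Smart Install only exists on IOS/IOS-XE; 'no vstack' disables the client."""
    if platform != "IOS":
        return "n/a"
    if re.search(r"^no vstack\b", config, re.M):
        return "disabled"
    return "not-disabled"


def triage(configs):
    """Summarise each config: platform, version, Smart Install state, type 7 secret count."""
    findings = {}
    for name, cfg in configs.items():
        platform, version = platform_and_version(cfg)
        findings[name] = {
            "platform": platform,
            "version": version,
            "smart_install": smart_install_status(cfg, platform),
            "type7_secrets": len(TYPE7_RE.findall(cfg)),
        }
    return findings


def needs_attention(finding):
    """Flag devices that still expose Smart Install or store reversible secrets."""
    return finding["smart_install"] == "not-disabled" or finding["type7_secrets"] > 0


if __name__ == "__main__":
    for name, f in triage(SAMPLE_CONFIGS).items():
        flag = "ATTENTION" if needs_attention(f) else "ok"
        print(f"{name}: {f['platform']} {f['version']} "
              f"smart_install={f['smart_install']} type7={f['type7_secrets']} -> {flag}")
```

Run against a directory of saved configs by replacing `SAMPLE_CONFIGS` with the file contents; a device reported as `not-disabled` has no `no vstack` line and should be checked for Smart Install exposure, and any non-zero type 7 count means the secrets on that line are effectively clear text to whoever holds the dump.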