[nsp-sec] [TLP:RED] Possible IOS(-XR) SNMP security issue
Dominik Bay
db at rrbone.net
Fri Oct 27 15:42:26 EDT 2017
Hi Donald,
As it is now known to be a vulnerability that was publicly announced some months
ago and seems to be actively used now, I'd say there's no TLP needed.
I only placed it under TLP:RED because I wasn't sure if it is a new
attack vector via SNMP.
Once again sorry for the noise, and thanks for the prompt feedback from
nsp-sec subscribers.
Cheers,
Dominik
On 10/27/2017 08:38 PM, Smith, Donald wrote:
> Did you really mean RED?
>
> Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.
>
> So we can't share this beyond this list and its membership (at this time).
> You're welcome to keep it that way, but I suspect you wanted us to share internally (perhaps old TLP:AMBER internal only ...?)
>
> You're also welcome to release any part of this under any sharing framework you define!! But currently I can't discuss this with my router or SNMP teams.
>
> if (initial_ttl!=255) then (rfc5082_compliant==0)
> Donald.Smith at centurylink.com
>
> ________________________________________
> From: nsp-security [nsp-security-bounces at puck.nether.net] on behalf of Chris Morrow [morrowc at ops-netman.net]
> Sent: Friday, October 27, 2017 12:09 PM
> To: Dominik Bay
> Cc: 'nsp-security at puck.nether.net'
> Subject: Re: [nsp-sec] [TLP:RED] Possible IOS(-XR) SNMP security issue
>
> ----------- nsp-security Confidential --------
>
> At Fri, 27 Oct 2017 18:39:15 +0100,
> Dominik Bay <db at rrbone.net> wrote:
>>
>> ----------- nsp-security Confidential --------
>>
>> THE FOLLOWING MESSAGE IS TLP RED
>>
>> Folks,
>>
>> we are currently seeing the following issue mentioned below.
>> My description is deliberately vague in some points to protect the innocent.
>>
>> 1. Found a compromised server hosting (daily) varying dumps of (mostly)
>> full IOS and IOS-XR PE and CE configurations (Internet connected
>> equipment as far as I can tell)
>>
>> 2. Devices have proper SNMP and VTY ACLs, mostly average to strong
>> passwords by judging clear text and decoded type 7 passwords
>
> this DOES require RW community though, right? (or did you mean there's
> a bug where you can do RW things when no RW is configured... which
> would be horrid)
>
>>
>> Theory:
>> - Attacker bypasses ACL by spoofing nearby IPs
>> - Attacker uses bug in IOS(-XR) SNMP stack to trigger configuration
>> up/download to device
>> - Attacker uses information from config upload for further penetration
>>
>>
>> From config headers I see the following versions across devices:
>>
>> !! IOS XR Configuration 4.2.1
>> !! IOS XR Configuration 4.2.4
>>
>> version 12.1
>> version 12.2 (12.2(55)SE9 confirmed running on an affected device)
>> version 12.3
>> version 12.4
>> version 15.0
>> version 15.1
>> version 15.2
>> version 15.3
>> version 15.4
>> version 15.5
>> version 15.6
>> version 16.4
>>
>> If someone is seeing attacks on their infrastructure with known old or
>> current SNMP communities please let me or your LEA know. We are trying
>> to coordinate with German LEA on this matter and are providing them with
>> a more conclusive report tomorrow.
>>
>> Cheers,
>> Dominik
>>
>> --
>> rrbone UG (haftungsbeschraenkt) - Ruhrallee 9 - 44139 Dortmund
>> HR B 23168 Amtsgericht Dortmund - Geschaeftsfuehrer: Dominik Bay
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
>
--
rrbone UG (haftungsbeschraenkt) - Ruhrallee 9 - 44139 Dortmund
HR B 23168 Amtsgericht Dortmund - Geschaeftsfuehrer: Dominik Bay