[nsp-sec] [TLP:RED] Possible IOS(-XR) SNMP security issue

Dominik Bay db at rrbone.net
Fri Oct 27 16:10:04 EDT 2017


Another update on this issue:

It seems IOS-XR and some other devices are not directly affected, but
knowing the SNMP RW Community + SNMP ACL and missing ingress spoofing
protection can be used to exfil the config with CISCO-CONFIG-COPY-MIB.

Cheers,
Dominik

On 10/27/2017 07:36 PM, Dominik Bay wrote:
> ----------- nsp-security Confidential --------
> 
> Chris,
> 
> here's my answer to an offlist E-Mail from Jon Miyake:
> 
> ###########
> Thank you. Actually that seems to be the right direction.
> 
> I was only looking into
> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-smi
> and discarded it after I saw that it is only affecting IOS and IOS-XE.
> 
> I'm currently verifying across the IP addresses I have and will report
> back shortly.
> 
> Cheers,
> Dominik
> ###########
> 
> In the meantime I verified this with the IP addresses I gathered from
> the configuration dumps I already have.
> 
> With this tool I was able to reproduce the config download from affected
> devices:
> 
> https://github.com/Sab0tag3d/SIET
> 
> So this is actually not a SNMP bug as suspected first. I'm very sorry
> for overlooking the SA mentioned by Jon Miyake which is:
> 
> https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi
> 
> Cheers,
> Dominik
> 
> 
> On 10/27/2017 07:09 PM, Chris Morrow wrote:
>> At Fri, 27 Oct 2017 18:39:15 +0100,
>> Dominik Bay <db at rrbone.net> wrote:
>>>
>>> ----------- nsp-security Confidential --------
>>>
>>> THE FOLLOWING MESSAGE IS TLP RED
>>>
>>> Folks,
>>>
>>> we are currently seeing the following issue mentioned below.
>>> My description is deliberately vague in some points to protect the innocent.
>>>
>>> 1. Found a compromised server hosting (daily) varying dumps of (mostly)
>>> full IOS and IOS-XR PE and CE configurations (Internet connected
>>> equipment as far as I can tell)
>>>
>>> 2. Devices have proper SNMP and VTY ACLs, mostly average to strong
>>> passwords by judging clear text and decoded type 7 passwords
>>
>> this DOES require RW community though, right? (or did you mean there's
>> a bug where you can do RW things when no RW is configured... which
>> would be horrid)
>>
>>>
>>> Theory:
>>> - Attacker bypasses ACL by spoofing nearby IPs
>>> - Attacker uses bug in IOS(-XR) SNMP stack to trigger configuration
>>> up/download to device
>>> - Attacker uses information from config upload for further penetration
>>>
>>>
>>> From config headers I see the following versions across devices:
>>>
>>> !! IOS XR Configuration 4.2.1
>>> !! IOS XR Configuration 4.2.4
>>>
>>> version 12.1
>>> version 12.2 (12.2(55)SE9 confirmed running on an affected device)
>>> version 12.3
>>> version 12.4
>>> version 15.0
>>> version 15.1
>>> version 15.2
>>> version 15.3
>>> version 15.4
>>> version 15.5
>>> version 15.6
>>> version 16.4
>>>
>>> If someone is seeing attacks on their infrastructure with known old or
>>> current SNMP communities please let me or your LEA know. We are trying
>>> to coordinate with German LEA on this matter and are providing them with
>>> a more conclusive report tomorrow.
>>>
>>> Cheers,
>>> Dominik
>>>
>>> -- 
>>> rrbone UG (haftungsbeschraenkt) - Ruhrallee 9 - 44139 Dortmund
>>> HR B 23168 Amtsgericht Dortmund - Geschaeftsfuehrer: Dominik Bay
>>>
>>>
>>> _______________________________________________
>>> nsp-security mailing list
>>> nsp-security at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>
>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>> community. Confidentiality is essential for effective Internet security counter-measures.
>>> _______________________________________________
> 
> 


-- 
rrbone UG (haftungsbeschraenkt) - Ruhrallee 9 - 44139 Dortmund
HR B 23168 Amtsgericht Dortmund - Geschaeftsfuehrer: Dominik Bay
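As an added illustration (not part of the thread above, nor of any rrbone or Cisco tooling), here is a small detection pass over the scenario Dominik describes: SNMP SET requests against CISCO-CONFIG-COPY-MIB arriving from a source that the SNMP ACL permits but on an interface where that prefix should never appear, which is what missing ingress anti-spoofing looks like from a sensor in front of the device. The key=value log layout, the interface names and the addresses are constructed for the example; only the MIB's enterprise OID (1.3.6.1.4.1.9.9.96) is a real value.

```python
import ipaddress
import re
from dataclasses import dataclass

# CISCO-CONFIG-COPY-MIB sits under this enterprise OID. Every object that
# drives a config copy (the ccCopyTable rows) is beneath it, so a prefix
# match on a SET request is enough to flag "someone is asking for a copy".
CISCO_CONFIG_COPY_MIB = "1.3.6.1.4.1.9.9.96"

# Constructed sample: one line per SNMP PDU seen by a sensor in front of the
# router. The key=value layout is assumed for this example, not a product format.
SAMPLE_LOG = """\
2017-10-27T17:02:11Z if=Gi0/2 src=192.0.2.10 dst=198.51.100.1 pdu=GET oid=1.3.6.1.2.1.1.5.0
2017-10-27T17:02:12Z if=Gi0/2 src=192.0.2.10 dst=198.51.100.1 pdu=SET oid=1.3.6.1.4.1.9.9.96.1.1.1.1.14.7
2017-10-27T17:02:13Z if=Gi0/9 src=192.0.2.11 dst=198.51.100.1 pdu=SET oid=1.3.6.1.4.1.9.9.96.1.1.1.1.14.8
2017-10-27T17:02:14Z if=Gi0/9 src=203.0.113.5 dst=198.51.100.1 pdu=SET oid=1.3.6.1.4.1.9.9.96.1.1.1.1.14.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) if=(?P<ifname>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"pdu=(?P<pdu>\S+) oid=(?P<oid>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    reason: str


def parse_line(line):
    """Return the fields of one sensor line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_config_copy_oid(oid):
    """True when the OID is the MIB root or any object beneath it (dotted-prefix match,
    so 1.3.6.1.4.1.9.9.960... is correctly rejected)."""
    return oid == CISCO_CONFIG_COPY_MIB or oid.startswith(CISCO_CONFIG_COPY_MIB + ".")


def analyse(log_text, snmp_acl, trusted_ifaces):
    """Classify every config-copy SET in the log.

    snmp_acl: CIDR prefixes the device's SNMP ACL permits.
    trusted_ifaces: interfaces on which those prefixes legitimately arrive; an
    ACL-permitted source showing up elsewhere is the spoofing signature."""
    nets = [ipaddress.ip_network(n) for n in snmp_acl]
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["pdu"] != "SET" or not is_config_copy_oid(rec["oid"]):
            continue
        src = ipaddress.ip_address(rec["src"])
        in_acl = any(src in n for n in nets)
        if not in_acl:
            # The device ACL should drop this; seeing it still means someone is probing.
            reason = "config-copy SET from address outside SNMP ACL"
        elif rec["ifname"] not in trusted_ifaces:
            reason = "config-copy SET from ACL-permitted address on untrusted interface (possible spoofed source)"
        else:
            reason = "config-copy SET from trusted source; confirm against change records"
        alerts.append(Alert(rec["ts"], rec["src"], reason))
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG, ["192.0.2.0/24"], {"Gi0/2"}):
        print(a.ts, a.src, a.reason)
```

The interface check is the part that matters for this thread: an ACL on the community only helps if the permitted prefixes cannot be spoofed, so the sensor has to know which interface each trusted prefix is reachable via (the same information a uRPF or ingress filter would use). The third class of alert exists because a legitimate copy from the NMS still deserves a line in the audit trail.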

