[nsp-sec] [TLP:RED] Possible IOS(-XR) SNMP security issue
Dario Ciccarone
dciccaro at cisco.com
Fri Oct 27 18:53:15 EDT 2017
Folks:
Hi there. Dario Ciccarone from the Cisco PSIRT here.
Yes, indeed, the Cisco PSIRT is represented here by yours truly. I
just saw this thread and I've contacted Dominik to follow-up.
thanks,
Dario
On 10/27/17 1:56 PM, Barry Raveendran Greene wrote:
> ----------- nsp-security Confidential --------
>
> Hi Dominik,
>
> Is Cisco PSIRT plugged in (I think they should still be on NSP-SEC)?
>
> From what you describe, I'm not sure if there are any tools that would detect the "valid" SNMP activity. I don't know if people are monitoring SNMP community errors (if that is an indicator).
>
> What other suggestions can you give for people to check if this is happening?
>
> Thanks,
>
> Barry
>
> Sent from my iPad
>
>> On Oct 27, 2017, at 13:39, Dominik Bay <db at rrbone.net> wrote:
>>
>> ----------- nsp-security Confidential --------
>>
>> THE FOLLOWING MESSAGE IS TLP RED
>>
>> Folks,
>>
>> we are currently seeing the following issue mentioned below.
>> My description is deliberately vague in some points to protect the innocent.
>>
>> 1. Found a compromised server hosting (daily) varying dumps of (mostly)
>> full IOS and IOS-XR PE and CE configurations (Internet connected
>> equipment as far as I can tell)
>>
>> 2. Devices have proper SNMP and VTY ACLs, mostly average to strong
>> passwords judging by clear-text and decoded type 7 passwords
>>
>> Theory:
>> - Attacker bypasses ACL by spoofing nearby IPs
>> - Attacker uses bug in IOS(-XR) SNMP stack to trigger configuration
>> up/download to device
>> - Attacker uses information from config upload for further penetration
>>
>>
>> From config headers I see the following versions across devices:
>>
>> !! IOS XR Configuration 4.2.1
>> !! IOS XR Configuration 4.2.4
>>
>> version 12.1
>> version 12.2 (12.2(55)SE9 confirmed running on an affected device)
>> version 12.3
>> version 12.4
>> version 15.0
>> version 15.1
>> version 15.2
>> version 15.3
>> version 15.4
>> version 15.5
>> version 15.6
>> version 16.4
>>
>> If someone is seeing attacks on their infrastructure with known old or
>> current SNMP communities please let me or your LEA know. We are trying
>> to coordinate with German LEA on this matter and are providing them with
>> a more conclusive report tomorrow.
>>
>> Cheers,
>> Dominik
>>
>> --
>> rrbone UG (haftungsbeschraenkt) - Ruhrallee 9 - 44139 Dortmund
>> HR B 23168 Amtsgericht Dortmund - Geschaeftsfuehrer: Dominik Bay
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
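One way to start on Barry's question of how people can check whether this is happening to them, as an added example that is not part of the thread and is not code from Cisco, rrbone or anyone on the list: a small Python scanner over device syslog that flags configuration events attributed to SNMP and bursts of SNMP authentication failures per device and source. The log lines are constructed for the example; the shapes of the `%SYS-5-CONFIG_I ... by snmp` and `%SNMP-3-AUTHFAIL` messages are assumed from IOS conventions and should be checked against your own platform and release, and `NMS_HOSTS` is a hypothetical allow-list of management stations. The caveat the thread's theory implies is built in: a request spoofed from a nearby allow-listed address produces exactly the same "by snmp" line as the real NMS, so the allow-listed case is still reported and has to be reconciled against the NMS's own job log rather than trusted on the source address alone.

```python
import re
from collections import Counter

# Constructed sample syslog (not from the original post). Message formats are
# assumed from IOS conventions: %SYS-5-CONFIG_I for configuration events and
# %SNMP-3-AUTHFAIL for community/auth failures. Verify against your platform.
SAMPLE_SYSLOG = """\
Oct 27 02:14:03 pe1 123: %SYS-5-CONFIG_I: Configured from 192.0.2.10 by snmp
Oct 27 02:14:05 pe1 124: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.7
Oct 27 02:15:10 ce3 55: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.5)
Oct 27 02:15:12 ce3 56: %SYS-5-CONFIG_I: Configured from 192.0.2.10 by snmp
Oct 27 02:16:00 pe2 77: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.10
Oct 27 02:16:01 pe2 78: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.10
Oct 27 02:16:02 pe2 79: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.10
Oct 27 02:20:00 pe2 80: %SYS-5-CONFIG_I: Configured from 203.0.113.9 by snmp
"""

# Hypothetical allow-list: the only stations that should ever drive SNMP
# configuration copies. Matches the SNMP ACL on the devices.
NMS_HOSTS = {"192.0.2.10"}

_PREFIX = r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<device>\S+) \S+ "
SNMP_CONFIG_RE = re.compile(
    _PREFIX + r"%SYS-5-CONFIG_I: Configured from (?P<src>\d+\.\d+\.\d+\.\d+) by snmp$"
)
AUTHFAIL_RE = re.compile(
    _PREFIX + r"%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)$"
)


def parse_events(text):
    """Return (kind, device, src) tuples for the SNMP-relevant lines only.

    kind is "snmp_config" for a configuration event attributed to SNMP and
    "authfail" for an SNMP authentication failure. Console/VTY config events
    and everything else are ignored here; they are a separate check.
    """
    events = []
    for line in text.splitlines():
        m = SNMP_CONFIG_RE.match(line)
        if m:
            events.append(("snmp_config", m["device"], m["src"]))
            continue
        m = AUTHFAIL_RE.match(line)
        if m:
            events.append(("authfail", m["device"], m["src"]))
    return events


def analyse(events, nms_hosts=NMS_HOSTS, authfail_threshold=3):
    """Return (device, src, reason) findings worth a responder's attention.

    reason codes:
      config_from_unlisted_host  - SNMP config event from outside the allow-list
      config_from_nms_host       - SNMP config event from an allow-listed host;
                                   must be matched to an NMS job, because a
                                   spoofed source looks identical in the log
      authfail_burst             - repeated SNMP auth failures from one source,
                                   consistent with community guessing
    """
    findings = []
    authfails = Counter()
    for kind, device, src in events:
        if kind == "snmp_config":
            reason = "config_from_nms_host" if src in nms_hosts else "config_from_unlisted_host"
            findings.append((device, src, reason))
        else:
            authfails[(device, src)] += 1
    for (device, src), n in sorted(authfails.items()):
        if n >= authfail_threshold:
            findings.append((device, src, "authfail_burst"))
    return findings


if __name__ == "__main__":
    for device, src, reason in analyse(parse_events(SAMPLE_SYSLOG)):
        print(f"{device:5} {src:15} {reason}")
```

In practice the input would be the syslog collector's files rather than the embedded sample, and `config_from_nms_host` findings would be joined against the NMS job history; any SNMP config event with no corresponding job is the case the thread describes. Devices that do not log SNMP authentication failures at all give no `authfail_burst` signal, so check that SNMP auth-failure logging is enabled before relying on that part.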