[nsp-sec] [TLP:RED] Possible IOS(-XR) SNMP security issue
Hank Nussbacher
hank at efes.iucc.ac.il
Sat Oct 28 12:14:55 EDT 2017
On 27/10/2017 23:10, Dominik Bay wrote:
A very common tactic is to download the entire IOS config via SNMP RO:
https://gist.github.com/fdiskyou/3f0e06b9da92dcefd3cafb2a930585b1
Then offload the password cracking and you now have RW and enable for
whatever you want.
If you do *not* have an ACL on your SNMP RO then your router has been pwned.
-Hank
> ----------- nsp-security Confidential --------
>
> Another update on this issue:
>
> It seems IOS-XR and some other devices are not directly affected, but
> knowing the SNMP RW Community + SNMP ACL and missing ingress spoofing
> protection can be used to exfil the config with CISCO-CONFIG-COPY-MIB.
>
> Cheers,
> Dominik
>
> On 10/27/2017 07:36 PM, Dominik Bay wrote:
>> ----------- nsp-security Confidential --------
>>
>> Chris,
>>
>> here's my answer to an offlist E-Mail from Jon Miyake:
>>
>> ###########
>> Thank you. Actually that seems to be the right direction.
>>
>> I was only looking into
>> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-smi
>> and discarded it after I saw that it is only affecting IOS and IOS-XE.
>>
>> I'm currently verifying across the IP addresses I have and will report
>> back shortly.
>>
>> Cheers,
>> Dominik
>> ###########
>>
>> In the meantime I verified this with the IP addresses I gathered from
>> the configuration dumps I already have.
>>
>> With this tool I was able to reproduce the config download from affected
>> devices:
>>
>> https://github.com/Sab0tag3d/SIET
>>
>> So this is actually not an SNMP bug as suspected first. I'm very sorry
>> for overlooking the SA mentioned by Jon Miyake which is:
>>
>> https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi
>>
>> Cheers,
>> Dominik
>>
>>
>> On 10/27/2017 07:09 PM, Chris Morrow wrote:
>>> At Fri, 27 Oct 2017 18:39:15 +0100,
>>> Dominik Bay <db at rrbone.net> wrote:
>>>> ----------- nsp-security Confidential --------
>>>>
>>>> THE FOLLOWING MESSAGE IS TLP RED
>>>>
>>>> Folks,
>>>>
>>>> we are currently seeing the following issue mentioned below.
>>>> My description is deliberately vague in some points to protect the innocent.
>>>>
>>>> 1. Found a compromised server hosting (daily) varying dumps of (mostly)
>>>> full IOS and IOS-XR PE and CE configurations (Internet connected
>>>> equipment as far as I can tell)
>>>>
>>>> 2. Devices have proper SNMP and VTY ACLs, mostly average to strong
>>>> passwords by judging clear text and decoded type 7 passwords
>>> this DOES require RW community though, right? (or did you mean there's
>>> a bug where you can do RW things when no RW is configured... which
>>> would be horrid)
>>>
>>>> Theory:
>>>> - Attacker bypasses ACL by spoofing nearby IPs
>>>> - Attacker uses bug in IOS(-XR) SNMP stack to trigger configuration
>>>> up/download to device
>>>> - Attacker uses information from config upload for further penetration
>>>>
>>>>
>>>> From config headers I see the following versions across devices:
>>>>
>>>> !! IOS XR Configuration 4.2.1
>>>> !! IOS XR Configuration 4.2.4
>>>>
>>>> version 12.1
>>>> version 12.2 (12.2(55)SE9 confirmed running on an affected device)
>>>> version 12.3
>>>> version 12.4
>>>> version 15.0
>>>> version 15.1
>>>> version 15.2
>>>> version 15.3
>>>> version 15.4
>>>> version 15.5
>>>> version 15.6
>>>> version 16.4
>>>>
>>>> If someone is seeing attacks on their infrastructure with known old or
>>>> current SNMP communities please let me or your LEA know. We are trying
>>>> to coordinate with German LEA on this matter and are providing them with
>>>> a more conclusive report tomorrow.
>>>>
>>>> Cheers,
>>>> Dominik
>>>>
>>>> --
>>>> rrbone UG (haftungsbeschraenkt) - Ruhrallee 9 - 44139 Dortmund
>>>> HR B 23168 Amtsgericht Dortmund - Managing Director: Dominik Bay
>>>>
>>>>
>>>> _______________________________________________
>>>> nsp-security mailing list
>>>> nsp-security at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>>
>>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>>> community. Confidentiality is essential for effective Internet security counter-measures.
>>>> _______________________________________________
>>
>
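An added example, not from the thread or from any tool it links: a small Python audit that scans an IOS-style config dump for the weaknesses discussed above (SNMP communities with no ACL, well-known default community names, reversible type 7 secrets, "enable password" instead of "enable secret", and the Smart Install client left enabled). The sample config is constructed and the "no vstack" check is a heuristic on the text, not a live device query.

```python
import re

# Constructed sample of an IOS config excerpt (not a real device dump).
SAMPLE_CONFIG = """\
version 12.2
service password-encryption
hostname pe-edge-1
enable password 7 094F471A1A0A
username ops password 7 121A0C041104
snmp-server community public RO
snmp-server community private RW 10
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 transport input telnet ssh
"""

# "snmp-server community <name> [RO|RW] [<acl>]"; mode defaults to RO on IOS.
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$", re.I)
# Type 7 "encryption" is reversible, so any such line is effectively clear text.
TYPE7_RE = re.compile(r"\bpassword 7 [0-9A-Fa-f]+")
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_ios_config(text):
    """Return a list of (severity, message) findings for one config dump."""
    findings = []
    lines = [line.rstrip() for line in text.splitlines()]
    for line in lines:
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode, acl = m.groups()
            mode = (mode or "RO").upper()
            if acl is None:
                findings.append(("high", f"SNMP {mode} community '{name}' has no ACL"))
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", f"SNMP community '{name}' is a well-known default"))
        if TYPE7_RE.search(line):
            findings.append(("medium", f"reversible type 7 secret: {line.strip()}"))
    # Heuristic: a config that disables the Smart Install client shows "no vstack".
    if not any(line.startswith("no vstack") for line in lines):
        findings.append(("medium", "Smart Install client not disabled ('no vstack' absent)"))
    if any(line.startswith("enable password") for line in lines) and not any(
        line.startswith("enable secret") for line in lines
    ):
        findings.append(("high", "'enable password' used instead of 'enable secret'"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_ios_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```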