[nsp-sec] [TLP:RED] Possible IOS(-XR) SNMP security issue
Barry Raveendran Greene
bgreene at senki.org
Sat Oct 28 14:30:11 EDT 2017
Hi Team,
What we have is evidence for an active exploit. IMHO, the next step would be to pull together guidance for Operators to investigate. Upgrading networks takes time and is non-trivial. In the meantime, risk and evidence for exploit should be top of the list for operators.
Thoughts?
Barry
Sent from my iPad
> On Oct 28, 2017, at 12:14, Hank Nussbacher <hank at efes.iucc.ac.il> wrote:
>
> ----------- nsp-security Confidential --------
>
> On 27/10/2017 23:10, Dominik Bay wrote:
>
> A very common tactic is to download the entire IOS config via SNMP RO:
> https://gist.github.com/fdiskyou/3f0e06b9da92dcefd3cafb2a930585b1
> Then offload the password cracking and you now have RW and enable for
> whatever you want.
> If you do *not* have an ACL on your SNMP RO then your router has been pwned.
>
> -Hank
>
>> ----------- nsp-security Confidential --------
>>
>> Another update on this issue:
>>
>> It seems IOS-XR and some other devices are not directly affected, but
>> knowing the SNMP RW community and SNMP ACL, combined with missing ingress
>> spoofing protection, can be used to exfil the config with CISCO-CONFIG-COPY-MIB.
>>
>> Cheers,
>> Dominik
>>
>>> On 10/27/2017 07:36 PM, Dominik Bay wrote:
>>> ----------- nsp-security Confidential --------
>>>
>>> Chris,
>>>
>>> here's my answer to an offlist E-Mail from Jon Miyake:
>>>
>>> ###########
>>> Thank you. Actually that seems to be the right direction.
>>>
>>> I was only looking into
>>> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-smi
>>> and discarded it after I saw that it is only affecting IOS and IOS-XE.
>>>
>>> I'm currently verifying across the IP addresses I have and will report
>>> back shortly.
>>>
>>> Cheers,
>>> Dominik
>>> ###########
>>>
>>> In the meantime I verified this with the IP addresses I gathered from
>>> the configuration dumps I already have.
>>>
>>> With this tool I was able to reproduce the config download from affected
>>> devices:
>>>
>>> https://github.com/Sab0tag3d/SIET
>>>
>>> So this is actually not an SNMP bug as suspected first. I'm very sorry
>>> for overlooking the SA mentioned by Jon Miyake, which is:
>>>
>>> https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi
>>>
>>> Cheers,
>>> Dominik
>>>
>>>
>>>> On 10/27/2017 07:09 PM, Chris Morrow wrote:
>>>> At Fri, 27 Oct 2017 18:39:15 +0100,
>>>> Dominik Bay <db at rrbone.net> wrote:
>>>>> ----------- nsp-security Confidential --------
>>>>>
>>>>> THE FOLLOWING MESSAGE IS TLP RED
>>>>>
>>>>> Folks,
>>>>>
>>>>> we are currently seeing the following issue mentioned below.
>>>>> My description is deliberately vague in some points to protect the innocent.
>>>>>
>>>>> 1. Found a compromised server hosting (daily) varying dumps of (mostly)
>>>>> full IOS and IOS-XR PE and CE configurations (Internet connected
>>>>> equipment as far as I can tell)
>>>>>
>>>>> 2. Devices have proper SNMP and VTY ACLs, mostly average to strong
>>>>> passwords by judging clear text and decoded type 7 passwords
>>>> this DOES require RW community though, right? (or did you mean there's
>>>> a bug where you can do RW things when no RW is configured... which
>>>> would be horrid)
>>>>
>>>>> Theory:
>>>>> - Attacker bypasses ACL by spoofing nearby IPs
>>>>> - Attacker uses bug in IOS(-XR) SNMP stack to trigger configuration
>>>>> up/download to device
>>>>> - Attacker uses information from config upload for further penetration
>>>>>
>>>>>
>>>>> From config headers I see the following versions across devices:
>>>>>
>>>>> !! IOS XR Configuration 4.2.1
>>>>> !! IOS XR Configuration 4.2.4
>>>>>
>>>>> version 12.1
>>>>> version 12.2 (12.2(55)SE9 confirmed running on an affected device)
>>>>> version 12.3
>>>>> version 12.4
>>>>> version 15.0
>>>>> version 15.1
>>>>> version 15.2
>>>>> version 15.3
>>>>> version 15.4
>>>>> version 15.5
>>>>> version 15.6
>>>>> version 16.4
>>>>>
>>>>> If someone is seeing attacks on their infrastructure with known old or
>>>>> current SNMP communities please let me or your LEA know. We are trying
>>>>> to coordinate with German LEA on this matter and are providing them with
>>>>> a more conclusive report tomorrow.
>>>>>
>>>>> Cheers,
>>>>> Dominik
>>>>>
>>>>> --
>>>>> rrbone UG (haftungsbeschraenkt) - Ruhrallee 9 - 44139 Dortmund
>>>>> HR B 23168 Amtsgericht Dortmund - Geschaeftsfuehrer: Dominik Bay
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> nsp-security mailing list
>>>>> nsp-security at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>>>
>>>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>>>> community. Confidentiality is essential for effective Internet security counter-measures.
>>>>> _______________________________________________
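The chain the thread describes is: a guessable or unprotected SNMP community (RO for a plain config read, RW for CISCO-CONFIG-COPY-MIB uploads), an SNMP ACL that only helps if spoofed source addresses are dropped upstream, reversible type 7 passwords in the dumped config, and Smart Install as the other config-exfil path. The following is an added example, not code from the list or from any of the posters, that audits an IOS configuration dump for exactly those conditions. The function names (audit_config, decode_type7), the checks, and the sample config are mine and the sample is constructed; the type 7 key and the "0822455D0A16" -> "cisco" pair are the well-known public values.

```python
"""Audit a Cisco IOS configuration dump for the weaknesses the thread describes.

Added example for this archive page (not code from the list or from rrbone).
All checks are heuristics on the text of 'show running-config':
  - SNMP communities with no ACL, and any RW community at all
  - type 7 (reversible) passwords, decoded with the fixed public XOR key
  - Smart Install client not explicitly disabled ("no vstack")
  - no interface carrying uRPF ("ip verify unicast ...")
"""
import re

# Cisco type 7 key: fixed and public, so type 7 is obfuscation, not encryption.
# The leading two digits of a type 7 string are the start offset into this key.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# snmp-server community <string> [view <v>] RO|RW [ipv6 <acl6>] [<acl>]
SNMP_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?\s+(RO|RW)"
    r"(?:\s+ipv6\s+\S+)?(?:\s+(\S+))?\s*$",
    re.M | re.I,
)
# Lines of the form "... password 7 <hex>" / "... key 7 <hex>"
TYPE7_RE = re.compile(r"\b(?:password|key|key-string)\s+7\s+([0-9A-Fa-f]{4,})\b")


def decode_type7(enc: str) -> str:
    """Reverse a type 7 string: decode_type7('0822455D0A16') -> 'cisco'."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("not a type 7 string: %r" % enc)
    seed = int(enc[:2])
    out = []
    for pos, i in enumerate(range(2, len(enc), 2)):
        byte = int(enc[i:i + 2], 16)
        out.append(chr(byte ^ ord(XLAT[(seed + pos) % len(XLAT)])))
    return "".join(out)


def audit_config(text: str) -> list:
    """Return (severity, message) findings for one IOS config dump."""
    findings = []
    for m in SNMP_RE.finditer(text):
        name, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
        if acl is None:
            findings.append(("high", f"SNMP {mode} community '{name}' has no ACL; "
                             "anyone who guesses it can pull the config"))
        if mode == "RW":
            note = (f" (ACL {acl} only limits this if source-spoofed packets are "
                    "filtered upstream)" if acl else "")
            findings.append(("high", f"SNMP RW community '{name}' present: allows "
                             "CISCO-CONFIG-COPY-MIB config upload/download" + note))
    for line in text.splitlines():
        m = TYPE7_RE.search(line)
        if m:
            try:
                clear = decode_type7(m.group(1))
            except ValueError:
                clear = "<undecodable>"
            findings.append(("high", f"type 7 secret in '{line.strip()}' decodes to "
                             f"'{clear}'; use 'secret' (type 8/9) instead"))
    if not re.search(r"^no vstack\s*$", text, re.M):
        findings.append(("medium", "'no vstack' absent: Smart Install client may be "
                         "enabled (check with 'show vstack config' on IOS/IOS-XE switches)"))
    if "ip verify unicast" not in text:
        findings.append(("medium", "no 'ip verify unicast' (uRPF) on any interface: SNMP "
                         "and VTY ACLs can be bypassed by spoofed source addresses "
                         "unless an upstream device filters them"))
    return findings


# Constructed sample, not a real device; the two type 7 strings decode to the
# known test values "cisco" and "Adm1n!".
SAMPLE_CONFIG = """\
version 15.2
hostname pe-edge-1
enable password 7 0822455D0A16
username admin password 7 03255F06570160
snmp-server community public RO
snmp-server community s3cret RW 10
access-list 10 permit 192.0.2.0 0.0.0.255
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
end
"""

if __name__ == "__main__":
    for sev, msg in audit_config(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Run it over the output of `show running-config` from each device (or over a recovered dump, to see what an attacker now holds). It only reports what the config text shows: whether the addresses an SNMP ACL permits can actually be spoofed from outside depends on ingress filtering on the neighbouring devices, which this device's own config cannot tell you, and type 5 secrets are not flagged even though they can still be cracked offline.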