
Tag: Simple Network Management Protocol

DDoS attacks abusing exposed LDAP servers on the rise

Each DDoS (distributed denial-of-service) attack seems to be larger than the last, and recent advisories from Akamai and Ixia indicate that attackers are stepping up their game.

As attackers expand their arsenal of reflection methods to target CLDAP ...

Network Management Systems are a ‘treasure map’ for hackers

Payroll printer, HR's server - wahey... jackpot! Network Management Systems are far more easily attacked than previously reckoned, according to new research by Rapid7. The firm behind the popular Metasploit penetration testing tool warns that vulnerabilities in systems used to manage network elements (routers, servers, printers and more) offer attackers a “treasure map” of valuable - and perhaps non-obvious - enterprise targets, such as the printer that is responsible for payroll runs, or HR's central server containing personally identifiable information on the employee base. The new research from Rapid7 explores how it is often possible to attack various types of network management system (NMS) over the Simple Network Management Protocol (SNMP), a protocol used extensively by NMSes to manage and monitor a wide variety of networked devices.

Three distinct attack vectors are explored. The first is passively injecting Cross-Site Scripting (XSS) attacks through SNMP agent-provided data, which is passed unprocessed from the SNMP server service and rendered on an NMS web-based administration console. The second is actively injecting XSS attacks through SNMP trap alert messages intended for NMS consoles. The third is format string processing on the NMS web management console, when format strings are passed unprocessed from SNMP agent-provided data. The prevalence of the flaws is partly explained because machine-to-machine communications “often escape the scrutiny afforded to more typical user-to-machine communication”, according to Deral Heiland, research lead at Rapid7.
Varied failures to inspect this input exposed NMS web-based administration consoles to persistent XSS and a format string exploit. Rapid7’s research team uncovered 13 vulnerabilities across products from nine different vendors, all of which resulted from a lack of validation of machine-provided input.
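The pattern behind all three vectors is the same: a string that arrived over SNMP from a device is trusted as if an administrator had typed it. The following Python is an added example, not Rapid7's code or any vendor's console code: it renders constructed sysName/sysDescr values (one of them hostile) the way the research describes, next to the hardened version that escapes at the rendering boundary, and shows the format-string variant of the same gap (in C the printf family corrupts memory; the Python analogue merely raises, which is enough to show why agent data must never be the format template).

```python
import html

# Constructed sample values as an NMS might poll them over SNMP (sysName, sysDescr).
# The second device is assumed hostile: SNMP agent data is whatever bytes the agent
# chooses to answer with, so it returns the classic XSS probe instead of a platform string.
SAMPLE_AGENT_VALUES = [
    ("core-sw-01", "Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M)"),
    ("print-payroll", "<script>alert('xss')</script>"),
]


def render_row_unsafe(sysname: str, sysdescr: str) -> str:
    """The failing pattern: agent-provided strings concatenated into console HTML unprocessed."""
    return f"<tr><td>{sysname}</td><td>{sysdescr}</td></tr>"


def render_row_safe(sysname: str, sysdescr: str) -> str:
    """Machine-provided input is still input: HTML-escape it where it meets the page."""
    return (
        f"<tr><td>{html.escape(sysname, quote=True)}</td>"
        f"<td>{html.escape(sysdescr, quote=True)}</td></tr>"
    )


def render_inventory(values, safe: bool = True) -> str:
    """Build the device table from polled values, with or without the escaping step."""
    row = render_row_safe if safe else render_row_unsafe
    return "<table>" + "".join(row(n, d) for n, d in values) + "</table>"


def script_tag_survives(rendered_html: str) -> bool:
    """True if a raw <script> element reached the page, i.e. the stored XSS would execute."""
    return "<script" in rendered_html.lower()


# Same validation gap, format-string flavour: the SNMP value is used *as* the format
# template instead of as an argument. '%' sequences in the agent data then control
# the formatter; here that means an exception, in C it means memory corruption.
def format_status_unsafe(agent_value: str) -> str:
    return agent_value % ()


def format_status_safe(agent_value: str) -> str:
    return "agent reported: %s" % (agent_value,)


if __name__ == "__main__":
    print("unsafe render lets script through:", script_tag_survives(render_inventory(SAMPLE_AGENT_VALUES, safe=False)))
    print("safe render lets script through:  ", script_tag_survives(render_inventory(SAMPLE_AGENT_VALUES, safe=True)))
    print(format_status_safe("uptime 100%"))
```

The escaping belongs in the console, not in the poller: a value can be stored verbatim for forensics, but must be treated as untrusted every time it is rendered or formatted.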

All nine vendors were notified of these issues by Rapid7 well before Wednesday's publication of the paper on the research. Products assessed included Castle Rock SNMPc, CloudView NMS, Ipswitch WhatsUp Gold, ManageEngine OpUtils, Netikus EventSentry, Opmantek NMIS, Opsview Monitor, Paessler PRTG and Spiceworks Desktop. Users of these products are urged to ensure they are running the latest versions of the software. ®

Extra Bacon? No thanks: that’s the name of a probably-NSA-sourced...

And none of you are patching it, not even UK government users

Tens of thousands of Cisco ASA firewalls are vulnerable to an authentication bypass exploit thought to have been cooked up by the United States National Security Agency (NSA). The "Extra Bacon" exploit was one of many found in an Equation Group cache leaked by a hacking outfit calling itself the Shadow Brokers. Equation Group is thought to be an offensive NSA Tailored Access Operations unit. The leaked exploits and the tools stolen by Shadow Brokers are thought to have come from a compromised command and control staging server.

Cisco has rushed out patches against the Extra Bacon exploit, while researchers extended the attack to compromise more modern ASA units. Now Rapid7 engineering duo Derek Abdine and Bob Rudis say tens of thousands of ASA boxes appear still to be exposed to the attack, judging by the time of their last reboot. The pair scanned the 50,000 ASA devices Rapid7 had previously catalogued to find their last reboot times. About 12,000 refused to provide the information. Some 10,000 of the remaining 38,000 ASA devices had rebooted within the 15 days since Cisco released its patch, meaning about 28,000 were un-patched. Those un-patched include four large US firms, a UK government agency and a financial services company, and a large Japanese telecommunications provider.

Exploiting Extra Bacon, while severe, is complex and unreliable, and does not mean all un-patched vulnerable ASA boxes are at high risk. Attackers must reach vulnerable devices through UDP SNMP, know the SNMP community string, and have SSH access. "Even though there's a high probable loss magnitude from a successful exploit, the threat capability and threat event frequency for attacks would most likely be low in the vast majority of organisations that use these devices to secure their environments," Abdine and Rudis say.

"Having said that, Extra Bacon is a pretty critical vulnerability in a core network security infrastructure device and Cisco patches are generally quick and safe to deploy, so it would be prudent for most organisations to deploy the patch as soon as they can obtain and test it." The pair caution those organisations which have considered the chance of exploitation to be low to fully understand their exposure. ®
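The reboot-time reasoning above can be reproduced for your own estate: an ASA upgrade requires a reboot, so a device whose SNMP sysUpTime shows it booted before the fix shipped cannot be running the fix. The Python below is an added example, not Rapid7's scanning code; the scan records and the patch date are constructed placeholders (the article gives no exact release date), and it assumes sysUpTime has already been polled for each device.

```python
from datetime import datetime, timedelta, timezone

TICKS_PER_SECOND = 100          # sysUpTime (RFC 1213, .1.3.6.1.2.1.1.3) counts hundredths of a second
UPTIME_COUNTER_LIMIT = 2 ** 32  # TimeTicks is a 32-bit counter, so it wraps after roughly 497 days


def wrap_horizon_days() -> int:
    """Longest uptime sysUpTime can express before wrapping to zero. A device up longer
    than this reports a small value and would be misread as freshly rebooted, so the
    'rebooted' verdict below is only trustworthy inside this horizon."""
    return int(UPTIME_COUNTER_LIMIT / TICKS_PER_SECOND / 86400)


def last_reboot(observed_at: datetime, sys_uptime_ticks: int) -> datetime:
    """Convert a polled sysUpTime value into the wall-clock instant the device last booted."""
    return observed_at - timedelta(seconds=sys_uptime_ticks / TICKS_PER_SECOND)


def classify(observed_at: datetime, sys_uptime_ticks, patch_released: datetime) -> str:
    if sys_uptime_ticks is None:          # device did not answer the SNMP query
        return "unknown"
    if last_reboot(observed_at, sys_uptime_ticks) >= patch_released:
        return "rebooted-since-patch"     # necessary for an upgrade, not proof of one
    return "not-rebooted-since-patch"     # still running code loaded before the fix existed


def summarize(scan, observed_at: datetime, patch_released: datetime) -> dict:
    counts = {"unknown": 0, "rebooted-since-patch": 0, "not-rebooted-since-patch": 0}
    for _, ticks in scan:
        counts[classify(observed_at, ticks, patch_released)] += 1
    return counts


def unpatched_candidates(scan, observed_at: datetime, patch_released: datetime) -> list:
    """Devices that definitely have not been upgraded: the ones to chase first."""
    return [name for name, ticks in scan
            if classify(observed_at, ticks, patch_released) == "not-rebooted-since-patch"]


# Constructed sample scan (not Rapid7's data). PATCH_RELEASED is a placeholder date,
# not Cisco's actual release timestamp.
OBSERVED_AT = datetime(2016, 9, 8, 12, 0, tzinfo=timezone.utc)
PATCH_RELEASED = datetime(2016, 8, 24, 0, 0, tzinfo=timezone.utc)
SAMPLE_SCAN = [
    ("asa-a", 3 * 86400 * TICKS_PER_SECOND),    # up 3 days: booted after the patch date
    ("asa-b", 40 * 86400 * TICKS_PER_SECOND),   # up 40 days: booted before the patch existed
    ("asa-c", None),                            # refused the query
    ("asa-d", 14 * 86400 * TICKS_PER_SECOND),   # up 14 days: booted the day after the patch date
]

if __name__ == "__main__":
    print(summarize(SAMPLE_SCAN, OBSERVED_AT, PATCH_RELEASED))
    print("chase first:", unpatched_candidates(SAMPLE_SCAN, OBSERVED_AT, PATCH_RELEASED))
    print("sysUpTime wraps after", wrap_horizon_days(), "days")
```

Two caveats a practitioner should carry: "rebooted since the patch" is only a candidate for patched, never a confirmation (poll the running version to confirm), and the 32-bit TimeTicks wrap means a box that has been up for more than about 497 days looks freshly booted.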

Cisco SOHO switches patched for SOHOpeless vuln

Buggy defaults in SNMP

This week's Cisco patch round includes a critical vuln in the kind of product least likely to get patched – a small business Ethernet switch. The Small Business 220 Series Smart Plus switches ship with a hard-coded SNMP community string, which means that if a switch is visible to the Internet, a remote attacker can access its SNMP objects. While Cisco rates the vulnerability as critical, it also notes that SNMP is off by default on the devices; the devices are vulnerable only if the management protocol is turned on. It's present on switches running firmware release,, and; new firmware is available. The same switches also have issues in their Web interface: a cross-site request forgery bug, a cross-site scripting issue and a denial-of-service vulnerability. WebEx Meetings Player can be crashed by a remote attacker – in the author's experience it can be crashed just by trying to join a meeting, but whatever – and a new version is available. There are also a couple of minor DoS vulnerabilities in Switchzilla's wireless LAN controller software. ®

Cisco Wireless LAN Controller TSM SNMP Denial of Service Vulnerability

A vulnerability in the traffic stream metrics (TSM) implemented with the Inter-Access Point Protocol (IAPP) of the Cisco Wireless LAN Controller (WLC) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition becaus...

Cisco starts patching firewall devices against NSA-linked exploit

Cisco Systems has started releasing security patches for a critical flaw in Adaptive Security Appliance (ASA) firewalls targeted by an exploit linked to the U.S. National Security Agency. The exploit, dubbed ExtraBacon, is one of the tools used by a group that the security industry calls the Equation, believed to be a cyberespionage team tied to the NSA. ExtraBacon was released earlier this month together with other exploits by one or more individuals who use the name Shadow Brokers.

The files were provided as a sample of a larger Equation group toolset the Shadow Brokers outfit has put up for auction. ExtraBacon exploits a buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) implementation from Cisco's ASA software. It allows attackers to remotely execute rogue code on the affected devices, as long as they can send traffic to their SNMP interface.

This typically requires being on the same internal network as the targeted devices. Even though the ExtraBacon exploit was designed to work for versions 8.4(4) and earlier of the ASA software, other researchers demonstrated that it can be modified to also work on newer versions.

Cisco confirmed in an advisory that all versions of SNMP in Cisco ASA software contain the flaw. On Wednesday, the company updated its advisory to announce the availability of patched versions for different Cisco ASA branches, namely 9.1.7(9), 9.5(3), and 9.6.1(11). Devices using ASA software versions from the 8.x and 7.x branches should be migrated to version 9.1.7(9), according to the vendor.

Also, patched releases for the 9.0, 9.2, 9.3, and 9.4 branches are expected Thursday and Friday.

These will be 9.0.4(40), 9.2.4(14), 9.3.3(10) and 9.4.3(8). In addition to ASA software, which is used in different stand-alone devices and security modules for routers and switches, the Cisco Firepower Threat Defense (FTD) Software, the Cisco Firewall Services Module (FWSM), and Cisco PIX Firewalls are also affected by this vulnerability. Software version 6.0.1(2) was released for Cisco FTD, but Cisco Firewall Service Modules and Cisco PIX Firewalls have reached their end of life, and no patches will be provided for them. Security researchers have so far established links between the code in the tools leaked by Shadow Brokers and those previously found in the wild and attributed to the Equation group.
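With fixed releases spread across seven branches plus two branches that must be migrated, checking an inventory by eye is error-prone. The Python below is an added example, not Cisco's tooling or advisory logic: it takes the fixed releases exactly as the article lists them and decides, for a running version string, whether the device is at or past the first fixed release of its branch. One assumption is made that the article does not state: Cisco's two notations seen on this page, "9.1.7(9)" and "9.5(3)", are normalized to a single tuple by appending the parenthesized number (and any trailing digits) to the dotted components, so "9.6.1(11)" and "9.6(1)11" compare as the same release.

```python
import re

# First fixed release per ASA branch (branch = major.minor), as listed in the article.
FIXED_RELEASES = {
    "9.0": "9.0.4(40)",
    "9.1": "9.1.7(9)",
    "9.2": "9.2.4(14)",
    "9.3": "9.3.3(10)",
    "9.4": "9.4.3(8)",
    "9.5": "9.5(3)",
    "9.6": "9.6.1(11)",
}
# Branches with no in-branch fix: the article says these move to 9.1.7(9).
MIGRATE_BRANCHES = ("7.", "8.")
MIGRATION_TARGET = "9.1.7(9)"

# Assumed normalization (not from the article): dotted components, then the
# parenthesized number, then any trailing digits, all as one integer tuple.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\((\d+)\))?(\d+)?$")


def parse_asa_version(text: str) -> tuple:
    """'9.1.7(9)' -> (9, 1, 7, 9); '9.5(3)' -> (9, 5, 3); '9.6(1)11' -> (9, 6, 1, 11)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized ASA version string: {text!r}")
    dotted, interim, trailing = m.groups()
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) < 2:
        raise ValueError(f"version needs at least major.minor: {text!r}")
    if interim is not None:
        parts.append(int(interim))
    if trailing is not None:
        parts.append(int(trailing))
    return tuple(parts)


def branch_of(text: str) -> str:
    parts = parse_asa_version(text)
    return f"{parts[0]}.{parts[1]}"


def assess(running: str) -> tuple:
    """Return (status, action) for the ASA version a device reports."""
    branch = branch_of(running)
    if branch.startswith(MIGRATE_BRANCHES):
        return ("affected", f"migrate to {MIGRATION_TARGET}")
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return ("unknown-branch", "check the advisory for this branch")
    if parse_asa_version(running) >= parse_asa_version(fixed):
        return ("fixed", fixed)
    return ("affected", f"upgrade to {fixed}")


def report(inventory: dict) -> dict:
    """Map device name -> (status, action) for a constructed {name: version} inventory."""
    return {name: assess(version) for name, version in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory, not real devices.
    sample = {"fw-dc-1": "9.4(1)", "fw-dc-2": "9.6.1(11)", "fw-branch": "8.4(4)", "fw-lab": "9.1.7(10)"}
    for name, verdict in report(sample).items():
        print(f"{name}: {verdict[0]} ({verdict[1]})")
```

Tuple comparison handles the different component counts: (9, 4, 1) sorts below (9, 4, 3, 8), so 9.4(1) is correctly reported as affected, while an interim release above the fixed one, such as 9.1.7(10), is reported as fixed.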

Furthermore, 14 files leaked by Shadow Brokers contain a 16-character string that NSA operatives are known to have used in their malware and which is listed in an NSA manual leaked by Edward Snowden, The Intercept reported. There is a second Equation exploit in the Shadow Brokers leak that targets ASA software.
It is called EpicBanana and exploits a vulnerability that Cisco claims was patched back in 2011 in version 8.4(3). Nevertheless, the company published a new advisory for the flaw in order to increase its visibility. A third exploit, BenignCertain, affects legacy Cisco PIX firewalls that are no longer supported.

Cisco investigated the exploit and said only versions 6.x and earlier of the PIX software are affected. Users who still have such devices on their networks should make sure they're running software versions 7.0 and later, which are not affected.

The Secret Behind the NSA Breach: Network Infrastructure Is the Next...

How the networking industry has fallen way behind in incorporating security measures to prevent exploits against ubiquitous routers, proxies, firewalls and switches.

Advanced attackers are targeting organizations’ first line of defense, their firewalls, and turning them into a gateway into the network for mounting a data breach. On August 13, the shady “Shadow Brokers” group published several firewall exploits as proof that they had a full trove of cyber weapons. Whether intended to drive up bids for their “Equation Group Cyber Weapons Auction” (since removed), or to threaten other nation states, the recent disclosure raises the question: if organizations can’t trust their own firewalls, then what can they trust? Does the cache of cyber weapons exposed by Shadow Brokers signal a shift in attack methods and targets? We analyzed the dump and found working exploits for Cisco ASA, Fortinet FortiGate and Juniper SRX (formerly NetScreen) firewalls.

The names of the exploits provided by the Shadow Brokers match the code names described in Edward Snowden’s 2013 revelations of NSA snooping. The exploit names are not the only link to the NSA.

By analyzing the implementation of a cryptographic function, researchers at Kaspersky found the same encryption constant used in malware attributed to the Equation Group (Kaspersky’s nickname for the NSA) and in the Python code from the latest breach.

Cyber Attacks with a Side of EXTRABACON

Researching one of the Cisco ASA exploits (dubbed EXTRABACON) in our lab, we found that it’s a simple overflow using SNMP read access to the device.

The additional payload bundled with the exploit removes the password needed for SSH or telnet shell access, providing full control over the appliance.

The payload can also re-enable the original password to reduce the chance that the attacker will be detected. The Python code handles multiple device versions and patches the payload for the version at hand.

This suggests the number of operations the group has run in the past, as the developers probably modified the exploit on a case-by-case basis. We ran the exploit against a supported version of a Cisco ASA in our lab multiple times and it didn’t crash once, showing the prowess of the exploit developers. Our attempt yielded a shell without password protection.

Networking Equipment in the Crosshairs

While the exploits themselves are interesting in their own right, no one is addressing the elephant in the room: attackers increasingly target network infrastructure, including security devices, as a means to infiltrate networks and maintain persistence. While the entire cybersecurity industry is focused on defending endpoints and servers, attackers have moved on to the next weak spot.

This advancement underscores the need to detect active network attackers, because they can certainly—one way or another—penetrate any given network. Persisting and working from routers, proxies, firewalls or switches requires less effort than controlling endpoints; attackers don’t need to worry that an anti-virus agent will detect an unusual process, and networking devices are rarely updated or replaced. Most networks have the same routers and switches they had a decade ago. Plus, few forensics tools are available to detect indicators of compromise on networking devices, and attackers can gain an excellent vantage point within the network. Network device vendors have fallen behind operating system vendors in implementing stronger security measures.

A wide range of networking equipment still runs single-process operating systems without any exploit mitigation enabled (Cisco IOS, I’m looking at you) or exhibits the effects of little to no security quality assurance testing. In recent years, endpoint and mobile operating systems have incorporated security techniques such as address space layout randomization (ASLR), data execution prevention (DEP), sandboxes, and other methods that have made life harder for every exploit writer.

The affected networking devices provide none of these security mechanisms, and it shows.

Not the First and Definitely Not the Last

The Equation Group breach is not the first example of highly capable attackers targeting network devices.

The threat actor behind last year’s Hacking Team breach leveraged a vulnerability in a VPN device to obtain full access to their internal network without any obstacles.

The attacker moved from the networking device to endpoints without using a single piece of malware, only taking what he needed from endpoints remotely or running well known administrative tools.

This is a soft spot in every endpoint solution’s belly; a privileged attacker using credentials to access files is not considered malicious as long as he doesn’t use any malicious software. Notice that, as we stated earlier, the attacker, quoted on Pastebin, opted for an embedded-device exploit over the other options, stating that it was the easiest one:

“So, I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices. A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit.”
As always, nation state attacks are usually a step ahead of the entire industry on both the defensive and offensive sides. We will probably see the same methods employed by less sophisticated attackers as it becomes increasingly difficult to compromise endpoint devices and stay undetected. We have seen this happen before: cybercrime attackers stole techniques from Equation Group, as well as from the Stuxnet and Flame malware, Regin and other APTs, and it will surely happen again with the Equation Group’s recently leaked exploits. In the meantime, here are four recommendations to help fortify network devices against attack.

Recommendation 1: Patch your network devices promptly. Replace network devices that have reached their end of support date.

Recommendation 2: Restrict access to device management addresses to the minimum required, and block any unneeded, seemingly benign protocols, including SNMP and NTP.

Recommendation 3: Manage your device passwords as you would your administrator accounts, by periodically changing them and defining a different password for each device. Do not use a standard template for passwords. For example, the password Rout3rPassw0rd192.168.1.1 might seem strong, but after compromising one device, the attacker will know all of the passwords.

Recommendation 4: Deploy a network monitoring solution that can profile users and IP-connected devices to establish a baseline of normal behavior and then detect unusual activity originating from network devices.
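Recommendation 4 rests on one observation: a firewall or switch should initiate very few kinds of connection (NTP, syslog, SNMP traps to its manager), so any new destination it opens on its own is worth a look. The Python below is an added example, not LightCyber's product logic or any vendor's detector: it learns a per-device profile of (destination, port) pairs from constructed flow records and flags later flows that a network device initiated outside that profile. The device names, addresses and flows are all constructed.

```python
from collections import defaultdict

# Constructed flow records (source, destination, destination port) from a learning
# window. Not real telemetry: the network devices only reach their NTP server,
# syslog collector and the NMS that receives their SNMP traps.
BASELINE_FLOWS = [
    ("fw-edge-01", "10.0.0.5", 123),    # NTP
    ("fw-edge-01", "10.0.0.7", 514),    # syslog
    ("fw-edge-01", "10.0.0.9", 162),    # SNMP traps to the NMS
    ("fw-edge-01", "10.0.0.5", 123),
    ("core-sw-01", "10.0.0.7", 514),
    ("core-sw-01", "10.0.0.9", 162),
]
# Constructed flows seen after the baseline was fixed.
OBSERVED_FLOWS = [
    ("fw-edge-01", "10.0.0.5", 123),        # within profile
    ("fw-edge-01", "203.0.113.44", 443),    # firewall opening HTTPS to an outside host: new
    ("core-sw-01", "10.0.0.7", 514),
    ("core-sw-01", "10.0.0.20", 22),        # switch opening SSH toward a user subnet: new
    ("core-sw-01", "10.0.0.20", 22),        # repeat of the above: reported once
    ("wks-042", "203.0.113.44", 443),       # a workstation, not a network device: out of scope here
]
NETWORK_DEVICES = {"fw-edge-01", "core-sw-01"}


def build_baseline(flows, devices) -> dict:
    """Profile each network device by the (destination, port) pairs it is known to initiate."""
    profile = defaultdict(set)
    for src, dst, port in flows:
        if src in devices:
            profile[src].add((dst, port))
    return dict(profile)


def detect_new_outbound(flows, baseline, devices) -> list:
    """Flows a network device initiated that fall outside its learned profile, deduplicated.
    A device absent from the baseline has an empty profile, so everything it opens is flagged."""
    alerts = set()
    for src, dst, port in flows:
        if src in devices and (dst, port) not in baseline.get(src, set()):
            alerts.add((src, dst, port))
    return sorted(alerts)


if __name__ == "__main__":
    profile = build_baseline(BASELINE_FLOWS, NETWORK_DEVICES)
    for src, dst, port in detect_new_outbound(OBSERVED_FLOWS, profile, NETWORK_DEVICES):
        print(f"new outbound connection from network device {src} -> {dst}:{port}")
```

The profile is deliberately keyed on the device as the initiator: traffic passing through a firewall is its job, traffic originating from it is the signal. In production the learning window has to be long enough to capture periodic jobs (backups, image downloads) or those will surface as false positives on their first run after the baseline closes.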

Attackers have no way of knowing what “normal” looks like for any given network, and network detection is the only generic way to stop attackers from compromising network devices.

Yoni Allon is responsible for leading the LightCyber research team in monitoring and researching cybercriminal and cyberwarfare actions and ensuring that the LightCyber Magna platform accurately finds these behaviors through its detectors and machine learning.

NSA-linked Cisco exploit poses bigger threat than previously thought

Recently released code that exploits Cisco Systems firewalls and has been linked to the National Security Agency can work against a much larger number of models than many security experts previously thought. An exploit dubbed ExtraBacon contains code that prevents it from working on newer versions of Cisco Adaptive Security Appliance (ASA), a line of firewalls that's widely used by corporations, government agencies, and other large organizations. When the exploit encounters 8.4(5) or newer versions of ASA, it returns an error message that prevents it from working. Now researchers say that with a nominal amount of work, they were able to modify ExtraBacon to make it work on a much newer version.

The finding means that ExtraBacon poses a bigger threat than many security experts may have believed. The newly modified exploit is the work of SilentSignal, a penetration testing firm located in Budapest, Hungary. In an e-mail, SilentSignal researcher Balint Varga-Perke wrote:

“We first started to work on the exploit mainly to see how easy it would be to add support for other (newer) versions. Turns out it is very easy, which implies two things: the leaked code is not as poor quality as some might suggest; the lack of exploit mitigation techniques in the target Cisco software makes the life of attackers very easy.”

As Ars previously reported, the zero-day exploit allows remote attackers who have already gained a foothold in a targeted network to take full control of a firewall. It was one of more than a dozen highly advanced attacks that were part of a mysterious leak by a previously unknown group calling itself the ShadowBrokers. Researchers say digital fingerprints left inside the code all but prove the attacks belonged to the Equation Group, an elite hacking crew with ties to the NSA-sponsored Stuxnet and Flame malware that targeted Iran and the Middle East. Michael Toecker, an engineer at a firm called Context Industrial Security, has analyzed ExtraBacon and found that it was designed to work only with versions 8.4(4) and earlier of ASA. He provided a screenshot to illustrate the restrictions.

The success of the modified exploit "demonstrates just how persistent a vulnerability in code can be, how it moves into new versions unless it's found and eradicated," Toecker told Ars. "I don't know who built ExtraBacon, but thousands of users in the US are now vulnerable to the same exploit because nobody told Cisco their SNMP code was busted, and the vulnerable code continued into later versions." Toecker went on to say that the vulnerability of later ASA versions likely didn't take Cisco by surprise. Near the bottom of a post that Cisco published last week in response to the ShadowBrokers leak, the company's principal engineer, Omar Santos, reported that ExtraBacon caused ASA version 9.4(1) to seize up and stop working. Such crashes are often the first sign of a bug that, when properly exploited, allows an attacker to remotely execute malicious code. Cisco engineers have released software that allows ASA customers to detect and stop ExtraBacon-powered attacks, but the company has yet to actually patch the underlying bug.

The ShadowBrokers release means that advanced attacks can be carried out by a much wider base of hackers than would normally be possible. "We have test equipment and custom firmware images that make debugging easier," Varga-Perke of SilentSignal said. "These are most likely available for malicious parties, too; we are quite confident that similar code exists in private hands." As Ars and Cisco have noted previously, the ExtraBacon exploit requires attackers to already have compromised parts of a targeted network.

That requirement and the bar Varga-Perke described for modifying ExtraBacon means it's probably prohibitively difficult for script kiddies to exploit newer versions of ASA.
Still, for more talented hackers, there's no longer any debate. People running ASA should make sure they've installed last week's exploit signature and the upcoming patch as soon as it's available.

Cisco, Fortinet Warn of Shadow Brokers' Zero-Day Flaw Risks

The Equation Group breach now appears to be very real, as tools emerge that have vendors scrambling. When news of an alleged breach of the National Security Agency-backed Equation Group first surfaced, there was much speculation about whether the sale by Shadow Brokers of pilfered tools was real or a hoax.

As it turns out, multiple security vendors are now confirming that at least some of the tools the Shadow Brokers are selling are real, with critical zero-day vulnerabilities now being exposed in the process. Among the tools exposed in the first batch that Shadow Brokers made available are two with somewhat interesting and unique names: EPICBANANAS and EXTRABACON.

The tools are designed to circumvent network security devices, including firewalls, from multiple vendors in an attempt to give an attacker access to a target network. Networking giant Cisco is among the targeted vendors and has confirmed that the two attack tools represent real risks to its Cisco ASA and PIX firewall products.

The EXTRABACON exploit is being labeled CVE-2016-6366 and is a Simple Network Management Protocol (SNMP) remote code execution vulnerability. "The EXTRABACON exploit targets a buffer overflow vulnerability in the SNMP code of the Cisco ASA, Cisco PIX and Cisco Firewall Services Module," Omar Santos, principal engineer of Cisco's Product Security Incident Response Team (PSIRT), wrote in a blog post. "An attacker could exploit this vulnerability by sending crafted SNMP packets to an affected Cisco product." Santos also provides command-line details of how the exploit works against the ASA.

The EXTRABACON tool affects all versions of ASA software, and Cisco has now released intrusion prevention system (IPS) rules that can detect the issue.

The clarity and detail that the Cisco PSIRT post provides is part of an effort the company announced in October 2015 to provide its customers with as much transparency and information as possible on Cisco vulnerabilities. The other critical issue uncovered by the Shadow Brokers sale is the EPICBANANA vulnerability, which is now also identified as CVE-2016-6367 and is an arbitrary code execution vulnerability in the command-line interface (CLI).

Santos explained that EPICBANANA works by connecting to a targeted device by way of Secure Shell (SSH) or Telnet. "The attacker must source the attack from an IP address that is allowed by the SSH or telnet commands in the Cisco ASA," Santos wrote. "This is why it is a best practice to only allow SSH or telnet connections from trusted sources and on certain interfaces only (such as the management interface)." The exploits don't just affect Cisco. Network security vendor Fortinet has also issued an advisory for its FortiGate firmware (FOS) to defend against the risk from tools exposed by the Shadow Brokers. In the Fortinet case, though, the advisory is currently limited to FortiGate firmware released before 2012.

Going a step further in helping confirm the validity of the Shadow Brokers' claims is the fact that Kaspersky Lab, the security group that first publicly identified the Equation Group, is now also seeing a connection. Initially, when the Shadow Brokers announced that they had breached the Equation Group, Kaspersky Lab had only publicly commented that it was investigating the claims.

That investigation now points to solid links with the research that Kaspersky Lab itself had conducted regarding the Equation Group back in February 2015. "While we cannot surmise the attacker's identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group," a Kaspersky Lab Global Research and Analysis Team (GReAT) report stated.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Follow him on Twitter @TechJournalist.

Cisco Patches Zero-Day Firewall Flaw Exposed In Equation Group Hack

ShadowBrokers dump of Equation Group exploits uncovers previously unknown security hole as well as a known one. Cisco Systems yesterday released a security alert on flaws in its ASA and PIX firewalls that were publicly exposed via the recent online leak of files from the Equation Group (aka the National Security Agency). The so-called ShadowBrokers group -- thought by many experts to be a Russian-backed entity -- is holding an online auction of Equation Group exploits.  The first is a previously unknown security flaw.

Cisco in its security advisory said the ASA SNMP Remote Code Execution vulnerability is a “buffer overflow in the affected code area” that an intruder could use to execute arbitrary code remotely or to cause a reload of the system. The second flaw, one Cisco first announced in 2011, an ASA CLI Remote Code Execution vulnerability, could allow a local attacker to call up invalid commands on an affected device and launch a denial-of-service attack or execute arbitrary code. For more information, see Cisco's advisory.

Fortinet follows Cisco in confirming Shadow Broker vuln

Versions after August 2012 are in the clear

Whatever the source and whoever the backers, evidence is mounting that the Shadow Brokers vuln-dump is real: Fortinet has followed Cisco in confirming its place on the list. Cisco's confirmation said the EPICBANANA and EXTRABACON vulns listed in the drop were real. It had fixed one in 2011, and the other, a new SNMP bug, is on the to-do list, with Snort rules providing temporary protection. Fortinet's advisory has now landed, adding yet more credence to the dump. Fortinet's vulnerability only exists in pre-August 2012 versions of its FortiGate firmware. Versions 4.3.8 and below, 4.2.12 and below, and 4.1.10 and below are affected by the cookie parser buffer overflow. Versions 5.x are not affected. “This vulnerability, when exploited by a crafted HTTP request, can result in execution control being taken over”, the advisory says. If a product can support 5.x firmware, that should be installed; if not, version 4.3.9 or above also fixes it.

Kaspersky Lab had already confirmed to El Reg that the archive seemed genuine, but old – it was apparently collected some time in 2013. That puts the collection of the archive before the White House's 2014 statement that it would quit hoarding vulns unless the NSA could convince it they were vital for intelligence-gathering. Although the Electronic Frontier Foundation sued the agency in 2014 in the belief it was still keeping zero-days to itself, earlier this month Columbia University researcher Jason Healey claimed the total number in the hoard these days is around 50. ®