
Tag: Simple Network Management Protocol

BrandPost: Programming the Network: It’s a Whole New World

With Open IOS XE, Cisco is changing the game

Old-school network engineers probably remember the Cisco 2500-series router. It ran a slow Motorola 68000 CPU, the monolithic IOS operating system, and did one thing only: route packets. Routers and switches have certainly sped up since then, and the operating system has been modernized, but networking hasn't changed much otherwise. We still use CLI and SNMP to manage our networks the same way we did in the 1990s. With Open IOS XE, however, Cisco is changing the game. We now support powerful programmable interfaces like NETCONF and YANG. We can easily on-board devices without tedious manual configuration, and we can host Python scripts and applications directly on the box.

BrandPost: The New Network – It’s for Developers!

Network management vulnerability exposes cable modems to hacking

Hundreds of thousands of internet gateway devices around the world, primarily residential cable modems, are vulnerable to hacking because of a serious weakness in their Simple Network Management Protocol implementation. SNMP is used for automated network device identification, monitoring and remote configuration. It is supported and enabled by default in many devices, including servers, printers, networking hubs, switches and routers.

Independent researchers Ezequiel Fernandez and Bertin Bervis recently found a way to bypass SNMP authentication on 78 models of cable modems that ISPs from around the world have provided to their customers.

Cisco IOS and IOS XE Software Simple Network Management Protocol Subsystem...

A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is...

DDoS attacks abusing exposed LDAP servers on the rise

Each DDoS (distributed denial-of-service) attack seems to be larger than the last, and recent advisories from Akamai and Ixia indicate that attackers are stepping up their game.

As attackers expand their arsenal of reflection methods to target CLDAP ...

Network Management Systems are a ‘treasure map’ for hackers

Payroll printer, HR's server - wahey... jackpot!

Network Management Systems are far more easily attacked than previously reckoned, according to new research by Rapid7. The firm behind the popular Metasploit penetration testing tool warns that vulnerabilities in systems used to manage network elements (routers, servers, printers and more) offer attackers a "treasure map" of valuable - and perhaps non-obvious - enterprise targets, such as the printer that is responsible for payroll runs, or HR's central server containing personally identifiable information on the employee base. The new research from Rapid7 explores how it is often possible to attack various types of network management system (NMS) over the Simple Network Management Protocol (SNMP), a protocol used extensively by NMSes to manage and monitor a wide variety of networked devices.

Three distinct attack vectors are explored:

 - Passively injecting cross-site scripting (XSS) attacks via SNMP agent-provided data, which is passed unprocessed from the SNMP server service and rendered on an NMS web-based administration console.
 - Actively injecting XSS attacks via SNMP trap alert messages intended for NMS consoles.
 - Format string processing on the NMS web management console, when format strings are passed unprocessed from SNMP agent-provided data.

The prevalence of the flaws is partly explained by the fact that machine-to-machine communications "often escape the scrutiny afforded to more typical user-to-machine communication", according to Deral Heiland, research lead at Rapid7. These varied failures to inspect machine-supplied input exposed NMS web-based administration consoles to persistent XSS and a format string exploit. Rapid7's research team uncovered 13 vulnerabilities across products from nine different vendors, all of which resulted from a lack of validation of machine-provided input.
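As an added illustration (not Rapid7's code, nor code from any of the products named in the research), the Python below shows the first and third vectors on constructed agent strings: a sysDescr value dropped into an HTML cell as-is versus escaped first, trap varbinds rendered through the same sanitiser, and agent data used as a format string versus only ever as a format argument. The sample strings, the OIDs used for the sample varbinds and all function names are assumptions constructed for this example.

```python
"""Added example (not Rapid7's code): SNMP agent-supplied strings are
untrusted input to an NMS console and must be neutralised before they are
rendered or logged. The agent strings below are constructed samples."""
import html
import re

# Constructed sample of what a hostile agent could return for
# SNMPv2-MIB::sysDescr.0; a real device returns something like "Cisco IOS ...".
HOSTILE_SYSDESCR = 'Cisco IOS <script>alert(document.cookie)</script> %x%x%x%n'
BENIGN_SYSDESCR = 'Linux printer01 4.19.0 #1 SMP x86_64'

# Constructed trap varbinds as (OID, value) pairs, the way a trap receiver
# would hand them to the console (sysName.0 and sysLocation.0).
HOSTILE_TRAP = [
    ("1.3.6.1.2.1.1.5.0", 'switch-a"><img src=x onerror=alert(1)>'),
    ("1.3.6.1.2.1.1.6.0", "Rack 7"),
]

_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
MAX_LEN = 255  # a DisplayString is 0..255 octets (SNMPv2-TC)


def render_unsafe(value: str) -> str:
    """Vectors 1/2 as Rapid7 found them: agent data dropped straight into HTML."""
    return "<td>%s</td>" % value


def sanitize(value: str) -> str:
    """Normalise an agent-supplied DisplayString before it reaches any UI or log."""
    value = value[:MAX_LEN]                 # cap length to what the MIB allows
    value = _CONTROL.sub("", value)         # strip terminal/log control characters
    return html.escape(value, quote=True)   # neutralise <, >, &, ", '


def render_safe(value: str) -> str:
    """Same cell, but the value can no longer break out of the text node."""
    return "<td>%s</td>" % sanitize(value)


def render_trap(varbinds) -> str:
    """Vector 2: every trap varbind value goes through sanitize() too."""
    return "".join(
        "<tr><td>%s</td><td>%s</td></tr>" % (html.escape(oid), sanitize(val))
        for oid, val in varbinds
    )


def agent_data_as_format_string(value: str):
    """Vector 3, the bug pattern: agent data used *as* the format string.
    Returns the formatted text, or None when the directives blow up, which is
    what '%x%x%x%n' does here; a C console would instead read or write memory."""
    try:
        return value % ()
    except (TypeError, ValueError):
        return None


def log_safe(value: str) -> str:
    """Agent data only ever travels as a format *argument*, never as the template."""
    return "sysDescr=%s" % sanitize(value)


def contains_markup(rendered: str) -> bool:
    """Cheap regression check for a console test suite: no raw tags inside the cell."""
    inner = re.sub(r"^<td>|</td>$", "", rendered)
    return "<" in inner or ">" in inner
```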

All nine of the vendors were notified of these issues by Rapid7 well before the publication of the research paper on Wednesday. Products affected include Castle Rock SNMPc, CloudView NMS, Ipswitch WhatsUp Gold, ManageEngine OpUtils, Netikus EventSentry, Opmantek NMIS, Opsview Monitor, Paessler PRTG and Spiceworks Desktop. Users of these products are urged to ensure they are running the latest versions of the software. ®

Extra Bacon? No thanks: that’s the name of a probably-NSA-sourced...

And none of you are patching it, not even UK government users

Tens of thousands of Cisco ASA firewalls are vulnerable to an authentication bypass exploit thought to have been cooked up by the United States National Security Agency (NSA). The "Extra Bacon" exploit was one of many found as part of an Equation Group cache leaked by a hacking outfit calling itself the Shadow Brokers. Equation Group is thought to be an offensive NSA Tailored Access Operations unit. The leaked exploits and the tools stolen by Shadow Brokers are thought to have come from a compromised command and control staging server.

Cisco has rushed out patches against the Extra Bacon exploit, while researchers extended the attack to compromise more modern ASA units. Now Rapid7 engineering duo Derek Abdine and Bob Rudis say tens of thousands of ASA boxes appear still to be exposed to the attack, judging by the time of their last reboot. The pair scanned the 50,000 ASA devices Rapid7 had previously catalogued to find their last reboot times. About 12,000 refused to provide the information. Some 10,000 of the remaining 38,000 ASA devices had rebooted within the 15 days since Cisco released its patch, meaning about 28,000 were un-patched. Those un-patched include four large US firms, a UK government agency and a financial services company, and a large Japanese telecommunications provider.

Exploiting Extra Bacon, while severe, is complex and unreliable, and does not mean all un-patched vulnerable ASA boxes are at high risk. Attackers must reach vulnerable devices through UDP SNMP, know the SNMP community string, and have SSH access. "Even though there's a high probable loss magnitude from a successful exploit, the threat capability and threat event frequency for attacks would most likely be low in the vast majority of organisations that use these devices to secure their environments," Abdine and Rudis say.

"Having said that, Extra Bacon is a pretty critical vulnerability in a core network security infrastructure device and Cisco patches are generally quick and safe to deploy, so it would be prudent for most organisations to deploy the patch as soon as they can obtain and test it." The pair caution those organisations which have considered the chance of exploitation to be low to fully understand their exposure. ®

Cisco SOHO switches patched for SOHOpeless vuln

Buggy defaults in SNMP

This week's Cisco patch round includes a critical vuln in the kind of product least likely to get patched – a small business Ethernet switch. The Small Business 220 Series Smart Plus switches ship with a hard-coded SNMP community string, which means that if a switch is visible to the Internet, a remote attacker can access its SNMP objects. While Cisco rates the vulnerability as critical, it also notes that SNMP is off by default on the devices; it's only if the management protocol is turned on that the devices are vulnerable. It's present on switches running firmware release,, and; new firmware is available.

The same switches also have issues in their Web interface: a cross-site request forgery bug; a cross-site scripting issue; and a denial-of-service vulnerability. WebEx Meetings Player can be crashed by a remote attacker – in the author's experience it can be crashed just by trying to join a meeting, but whatever – and a new version is available. There are also a couple of minor DoS vulnerabilities in Switchzilla's wireless LAN controller software. ®

Cisco Wireless LAN Controller TSM SNMP Denial of Service Vulnerability

A vulnerability in the traffic stream metrics (TSM) implemented with the Inter-Access Point Protocol (IAPP) of the Cisco Wireless LAN Controller (WLC) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition becaus...

Cisco starts patching firewall devices against NSA-linked exploit

Cisco Systems has started releasing security patches for a critical flaw in Adaptive Security Appliance (ASA) firewalls targeted by an exploit linked to the U.S. National Security Agency. The exploit, dubbed ExtraBacon, is one of the tools used by a group that the security industry calls the Equation Group, believed to be a cyberespionage team tied to the NSA. ExtraBacon was released earlier this month together with other exploits by one or more individuals who use the name Shadow Brokers.

The files were provided as a sample of a larger Equation group toolset the Shadow Brokers outfit has put up for auction. ExtraBacon exploits a buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) implementation from Cisco's ASA software. It allows attackers to remotely execute rogue code on the affected devices, as long as they can send traffic to their SNMP interface.

This typically requires being on the same internal network as the targeted devices. Even though the ExtraBacon exploit was designed to work for versions 8.4(4) and earlier of the ASA software, other researchers demonstrated that it can be modified to also work on newer versions.

Cisco confirmed in an advisory that all versions of SNMP in Cisco ASA software contain the flaw. On Wednesday, the company updated its advisory to announce the availability of patched versions for different Cisco ASA branches, namely 9.1.7(9), 9.5(3), and 9.6.1(11). Devices using ASA software versions from the 8.x and 7.x branches should be migrated to version 9.1.7(9), according to the vendor.

Also, patched releases for the 9.0, 9.2, 9.3, and 9.4 branches are expected Thursday and Friday.

These will be 9.0.4(40), 9.2.4(14), 9.3.3(10) and 9.4.3(8). In addition to ASA software, which is used in different stand-alone devices and security modules for routers and switches, the Cisco Firepower Threat Defense (FTD) Software, the Cisco Firewall Services Module (FWSM), and Cisco PIX Firewalls are also affected by this vulnerability. Software version 6.0.1(2) was released for Cisco FTD, but Cisco Firewall Service Modules and Cisco PIX Firewalls have reached their end of life, and no patches will be provided for them. Security researchers have so far established links between the code in the tools leaked by Shadow Brokers and those previously found in the wild and attributed to the Equation group.

Furthermore, 14 files leaked by Shadow Brokers contain a 16-character string that NSA operatives are known to have used in their malware and which is listed in an NSA manual leaked by Edward Snowden, The Intercept reported. There is a second Equation exploit in the Shadow Brokers leak that targets ASA software.
It is called EpicBanana and exploits a vulnerability that Cisco claims was patched back in 2011 in version 8.4(3). Nevertheless, the company published a new advisory for the flaw in order to increase its visibility. A third exploit, BenignCertain, affects legacy Cisco PIX firewalls that are no longer supported.

Cisco investigated the exploit and said only versions 6.x and earlier of the PIX software are affected. Users who still have such devices on their networks should make sure they're running software versions 7.0 and later, which are not affected.

The Secret Behind the NSA Breach: Network Infrastructure Is the Next...

How the networking industry has fallen way behind in incorporating security measures to prevent exploits of ubiquitous routers, proxies, firewalls and switches.

Advanced attackers are targeting organizations’ first line of defense, their firewalls, and turning them into a gateway into the network for mounting a data breach. On August 13, the shady “Shadow Brokers” group published several firewall exploits as proof that they had a full trove of cyber weapons. Whether intended to drive up bids for their “Equation Group Cyber Weapons Auction” (since removed), or to threaten other nation states, the recent disclosure raises the question: if organizations can’t trust their own firewalls, then what can they trust? Does the cache of cyber weapons exposed by Shadow Brokers signal a shift in attack methods and targets? We analyzed the dump and found working exploits for Cisco ASA, Fortinet FortiGate and Juniper SRX (formerly NetScreen) firewalls.

The names of the exploits provided by the Shadow Brokers match the code names described in Edward Snowden’s 2013 revelations of NSA snooping. The exploit names are not the only link to the NSA.

By analyzing the implementation of a cryptographic function, researchers at Kaspersky have found the same encryption constant used in malware attributed to the Equation Group (Kaspersky’s nickname for the NSA) and in Python code from the latest breach.

Cyber Attacks with a Side of EXTRABACON

Researching one of the Cisco ASA exploits (dubbed EXTRABACON) in our lab, we found that it’s a simple overflow using SNMP read access to the device.

The additional payload bundled with the exploit removes the password needed for SSH or telnet shell access, providing full control over the appliance.

The payload can also re-enable the original password to reduce the chance that the attacker will be detected. The Python code handles multiple device versions and patches the payload for the version at hand.

This hints at the number of operations the group ran in the past, as the developers probably modified the exploit on a case-by-case basis. We ran the exploit against a supported version of a Cisco ASA in our lab multiple times and it didn’t crash once, showing the prowess of the exploit developers. Our attempt yielded a shell without password protection.

Networking Equipment in the Crosshairs

While the exploits themselves are interesting in their own right, no one is addressing the elephant in the room: attackers increasingly target network infrastructure, including security devices, as a means to infiltrate networks and maintain persistence. While the entire cybersecurity industry is focused on defending endpoints and servers, attackers have moved on to the next weak spot.

This advancement underscores the need to detect active network attackers, because they can certainly, one way or another, penetrate any given network. Persisting and working from routers, proxies, firewalls or switches requires less effort than controlling endpoints; attackers don’t need to worry that an anti-virus agent will detect an unusual process, and networking devices are rarely updated or replaced. Most networks have the same routers and switches from a decade ago. Plus, few forensics tools are available to detect indicators of compromise on networking devices, and attackers can gain an excellent vantage point within the network. Network device vendors have fallen behind operating system vendors in terms of implementing stronger security measures.

A wide range of networking equipment still runs single-process operating systems without any exploit mitigation enabled (Cisco IOS, I’m looking at you) or exhibits the effects of little to no security quality assurance testing.
In recent years, endpoint and mobile operating systems have incorporated security techniques such as address space layout randomization (ASLR), data execution prevention (DEP), sandboxes, and other methods that made life harder for every exploit writer.

The affected networking devices provide none of these security mechanisms, and it shows.

Not the First and Definitely Not the Last

The Equation Group breach is not the first example of highly capable attackers targeting network devices.

The threat actor behind last year’s Hacking Team breach leveraged a vulnerability in a VPN device to obtain full access to their internal network without any obstacles.

The attacker moved from the networking device to endpoints without using a single piece of malware, only taking what he needed from endpoints remotely or running well known administrative tools.

This is a soft spot in every endpoint solution’s belly; a privileged attacker using credentials to access files is not considered malicious as long as he doesn’t use any malicious software. Notice that, as we have stated earlier, the attacker, quoted on pastebin, opted for an embedded exploit and not the other options, stating that it’s the easiest one:

"So, I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices. A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit."
As always, nation state attacks are usually a step ahead of the entire industry on both the defensive and offensive sides. We will probably see the same methods employed by less sophisticated attackers as it becomes increasingly difficult to compromise endpoint devices and stay undetected. We have seen this happen before: cybercrime attackers stole techniques from the Equation Group, as well as from Stuxnet, Flame, Regin and other APT malware, and it will surely happen again with the Equation Group’s recently leaked exploits. In the meantime, here are four recommendations to help fortify network devices against attack:

Recommendation 1: Patch your network devices promptly. Replace network devices that have reached their end of support date.

Recommendation 2: Restrict access to device management addresses to the minimum required, and block any unneeded, seemingly benign protocols, including SNMP and NTP.

Recommendation 3: Manage your device passwords as you would your administrator accounts, by periodically changing your passwords and defining a different password for each device. Do not use a standard template for passwords. For example, the password Rout3rPassw0rd192.168.1.1 might seem strong, but after compromising one device, the attacker will know all of the passwords.

Recommendation 4: Deploy a network monitoring solution that can profile users and IP-connected devices to establish a baseline of normal behavior and then detect unusual activity originating from network devices.

Attackers have no way of knowing what “normal” looks like for any given network, and network detection is the only generic way to stop attackers from compromising network devices.

Yoni Allon is responsible for leading the LightCyber research team in monitoring and researching cybercriminal and cyberwarfare actions and ensuring that the LightCyber Magna platform accurately finds these behaviors through its detectors and machine learning.

NSA-linked Cisco exploit poses bigger threat than previously thought

Recently released code that exploits Cisco Systems firewalls and has been linked to the National Security Agency can work against a much larger number of models than many security experts previously thought. An exploit dubbed ExtraBacon contains code that prevents it from working on newer versions of Cisco Adaptive Security Appliance (ASA), a line of firewalls that's widely used by corporations, government agencies, and other large organizations. When the exploit encounters 8.4(5) or newer versions of ASA, it returns an error message that prevents it from working. Now researchers say that with a nominal amount of work, they were able to modify ExtraBacon to make it work on a much newer version.

The finding means that ExtraBacon poses a bigger threat than many security experts may have believed. The newly modified exploit is the work of SilentSignal, a penetration testing firm located in Budapest, Hungary. In an e-mail, SilentSignal researcher Balint Varga-Perke wrote:

"We first started to work on the exploit mainly to see how easy it would be to add support for other (newer) versions. Turns out it is very easy, that implies two things: The leaked code is not as poor quality as some might suggest. The lack of exploit mitigation techniques in the target Cisco software makes the life of attackers very easy."

As Ars previously reported, the zero-day exploit allows remote attackers who have already gained a foothold in a targeted network to take full control of a firewall. It was one of more than a dozen highly advanced attacks that were part of a mysterious leak by a previously unknown group calling itself the ShadowBrokers. Researchers say digital fingerprints left inside the code all but prove the attacks belonged to the Equation Group, an elite hacking crew with ties to the NSA-sponsored Stuxnet and Flame malware that targeted Iran and the Middle East.

Michael Toecker, an engineer at a firm called Context Industrial Security, has analyzed ExtraBacon and found that it was designed to work only with versions 8.4(4) and earlier of ASA. He provided a screenshot to illustrate the restrictions. The success of the modified exploit "demonstrates just how persistent a vulnerability in code can be, how it moves into new versions unless it's found and eradicated," Toecker told Ars. "I don't know who built ExtraBacon, but thousands of users in the US are now vulnerable to the same exploit because nobody told Cisco their SNMP code was busted, and the vulnerable code continued into later versions."

Toecker went on to say that the vulnerability of later ASA versions likely didn't take Cisco by surprise. Near the bottom of a post that Cisco published last week in response to the ShadowBrokers leak, the company's principal engineer, Omar Santos, reported that ExtraBacon caused ASA version 9.4(1) to seize up and stop working. Such crashes are often the first sign of a bug that, when properly exploited, allows an attacker to remotely execute malicious code. Cisco engineers have released software that allows ASA customers to detect and stop ExtraBacon-powered attacks, but the company has yet to actually patch the underlying bug.

The ShadowBrokers release means that advanced attacks can be carried out by a much wider base of hackers than would normally be possible. "We have test equipment and custom firmware images that make debugging easier," Varga-Perke of SilentSignal said. "These are most likely available for malicious parties, too; we are quite confident that similar code exists in private hands." As Ars and Cisco have noted previously, the ExtraBacon exploit requires attackers to already have compromised parts of a targeted network.

That requirement, and the bar Varga-Perke described for modifying ExtraBacon, mean it's probably prohibitively difficult for script kiddies to exploit newer versions of ASA. Still, for more talented hackers, there's no longer any debate. People running ASA should make sure they've installed last week's exploit signature, and the upcoming patch as soon as it's available.