Increased attacks on Cisco routers and switches with Cisco IOS and IOS-XE

The NSA, the FBI, CISA and the manufacturer Cisco Systems itself warn that a vulnerability known since 2017 (CVE-2017-6742) in the SNMP implementation (Simple Network Management Protocol) of the network operating systems IOS and IOS-XE is being actively exploited. These systems run on routers and switches. The manufacturer rates the vulnerability with the priority “High”. The attacks are attributed to the APT28 group, also known as Fancy Bear, which is also credited with the attack on the German Bundestag. The group is said to have installed malware on affected devices.

The attackers use a crafted SNMP message to execute arbitrary code on the attacked devices, which gives them full access to them. For SNMP versions up to SNMPv2c, an attacker only needs the appropriate read-only community string; with these versions, community strings are transmitted in plain text. With SNMPv3, the user name and password would have to be known, and the newer version also offers the option of encrypted transmission.

Cisco had already released patches in 2017. Affected are systems that run a vulnerable version and have one of the following Management Information Bases (MIBs) enabled:

  • ADSL-LINE-MIB
  • ALPS-MIB
  • CISCO-ADSL-DMT-LINE-MIB
  • CISCO-BSTUN-MIB
  • CISCO-MAC-AUTH-BYPASS-MIB
  • CISCO-SLB-EXT-MIB
  • CISCO-VOICE-DNIS-MIB
  • CISCO-VOICE-NUMBER-EXPANSION-MIB
  • TN3270E-RT-MIB

These are enabled in the default SNMP configuration whenever the device supports the corresponding feature. Customers can list the active MIBs with the CLI command show snmp mib in privileged EXEC mode. The affected versions are listed in the manufacturer’s security advisory and in the bug IDs referenced there.

In addition to updating the affected systems, other countermeasures are recommended. These include the following:

  • Deactivation of SNMP (if not required for management or monitoring)
  • Use of encrypted SNMPv3 with strong passwords
  • Use of a dedicated SNMP view to disable accessibility of the affected MIBs
  • Restriction of availability of the SNMP service
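The following audit script is an added example and is not code from the article or from Cisco. It checks a device's running configuration against the countermeasures listed above: it flags SNMPv1/v2c communities (plain-text credentials), well-known or read-write community strings, communities and SNMPv3 groups without an access-list, SNMPv3 groups configured without privacy (no encryption), and communities or groups that reference no view or a view that excludes nothing. The configuration is constructed for the example; the excluded subtree 1.3.6.1.4.1.9.9.9999 is a placeholder, and the real subtrees to exclude must be taken from the advisory. Note that on IOS the snmp-server user lines are not part of the running configuration (they are listed by show snmp user), so users are out of scope here.

```python
"""Audit Cisco IOS/IOS-XE running-config text for weak SNMP settings.

Added example (not the article's or Cisco's code). Parses only these
well-known IOS command forms:
  snmp-server community <str> [view <v>] [RO|RW] [ipv6 <nacl>] [<acl>]
  snmp-server group <g> {v1|v2c|v3 {noauth|auth|priv}} [read <v>] [access <acl>]
  snmp-server view <v> <subtree> {included|excluded}
"""
import re

# Constructed sample configuration; not taken from a real device.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-1
!
snmp-server community public RO
snmp-server community s3cr3t RW 10
snmp-server community mon-ro view SAFEVIEW RO 20
snmp-server community legacy-ro view OPENVIEW RO 10
snmp-server group LEGACY v3 noauth read SAFEVIEW
snmp-server group NETMON v3 priv read SAFEVIEW access 20
snmp-server view OPENVIEW iso included
snmp-server view SAFEVIEW iso included
snmp-server view SAFEVIEW 1.3.6.1.4.1.9.9.9999 excluded
access-list 10 permit 192.0.2.10
access-list 20 permit 192.0.2.20
"""
# 1.3.6.1.4.1.9.9.9999 above is a placeholder subtree, not an affected MIB.

WELL_KNOWN_COMMUNITIES = {"public", "private", "cisco"}

COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<string>\S+)(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>RO|RW))?(?: ipv6 \S+)?(?: (?P<acl>\S+))?$", re.IGNORECASE)
GROUP_RE = re.compile(
    r"^snmp-server group (?P<name>\S+) (?P<version>v1|v2c|v3)"
    r"(?: (?P<level>noauth|auth|priv))?(?P<rest>.*)$", re.IGNORECASE)
VIEW_RE = re.compile(
    r"^snmp-server view (?P<name>\S+) (?P<subtree>\S+) (?P<action>included|excluded)$",
    re.IGNORECASE)


def parse_views(lines):
    """Map view name -> list of (subtree, 'included'|'excluded')."""
    views = {}
    for line in lines:
        m = VIEW_RE.match(line)
        if m:
            views.setdefault(m["name"], []).append((m["subtree"], m["action"].lower()))
    return views


def audit_snmp_config(config_text):
    """Return findings as (severity, subject, message) tuples."""
    lines = [l.strip() for l in config_text.splitlines()
             if l.strip().startswith("snmp-server")]
    findings = []
    if not lines:  # no snmp-server commands: the IOS SNMP agent is not enabled
        return [("INFO", "snmp", "no snmp-server configuration; agent disabled")]
    views = parse_views(lines)
    # A view only helps against the affected MIBs if it actually excludes subtrees.
    restrictive = {n for n, e in views.items() if any(a == "excluded" for _, a in e)}

    def check_view(subject, view_name, what):
        if not view_name:
            findings.append(("MEDIUM", subject, f"no {what} view: every MIB reachable"))
        elif view_name not in restrictive:
            findings.append(("MEDIUM", subject, f"view {view_name} excludes nothing"))

    for line in lines:
        m = COMMUNITY_RE.match(line)
        if m:
            s = m["string"]
            findings.append(("HIGH", s, "SNMPv1/v2c community: sent in plain text"))
            if s.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(("HIGH", s, "well-known community string"))
            if (m["mode"] or "RO").upper() == "RW":
                findings.append(("HIGH", s, "read-write community"))
            if not m["acl"]:
                findings.append(("HIGH", s, "no access-list restricts managers"))
            check_view(s, m["view"], "read")
            continue
        m = GROUP_RE.match(line)
        if m:
            name, version = m["name"], m["version"].lower()
            level, rest = (m["level"] or "noauth").lower(), m["rest"]
            if version != "v3":
                findings.append(("HIGH", name, "group uses SNMPv1/v2c"))
            elif level != "priv":
                findings.append(("HIGH", name, f"SNMPv3 level {level}: no encryption"))
            read = re.search(r"\bread (\S+)", rest)
            check_view(name, read.group(1) if read else None, "read")
            if not re.search(r"\baccess (?:ipv6 \S+ )?\S+", rest):
                findings.append(("MEDIUM", name, "no access-list restricts managers"))
    return findings


if __name__ == "__main__":
    for sev, subject, msg in audit_snmp_config(SAMPLE_RUNNING_CONFIG):
        print(f"{sev:6} {subject:12} {msg}")
```

In the sample, only the group NETMON (SNMPv3 with priv, a restricting view and an access-list) produces no finding; every v2c community is reported because its credential crosses the network in plain text regardless of the other settings.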

Affected customers should replace both IOS/IOS-XE and the ROMMON image with those from the Cisco website, then check the checksum and revoke and recreate all keys used. Cisco also provides information to check the validity of the installed images. Recently, new vulnerabilities in IOS have become known.


More from iX Magazine

(jvo)