Threat Actors Exploiting SNMP Vulnerabilities in Cisco Routers
On April 18, 2023, the UK National Cyber Security Centre (NCSC) along with the United States FBI, NSA and CISA published a joint advisory describing how state-sponsored cyber actors were able to successfully exploit a known SNMP vulnerability (CVE-2017-6742) in Cisco IOS and Cisco IOS XE Software. This vulnerability was first disclosed in a security advisory on June 29, 2017. Fixed software was made available to all customers on that day. On January 11, 2018, Cisco updated the advisory, as the Cisco Product Security Incident Response Team (PSIRT) became aware of exploitation of the vulnerabilities described in the security advisory.
As described in the NCSC’s advisory, the threat actor used weak SNMP community strings (including the default “public” community string) from an IP address unique to their infrastructure, allowing them to perform reconnaissance and enumerate router interfaces.
Cisco has provided well-known advice for many years to restrict SNMP access only to trusted users. This applies to any management interface or service in the device. Exploitation of these vulnerabilities is best prevented by restricting access to trusted administrators and IP addresses. The management plane consists of functions that achieve the management goals of the network. This includes interactive management sessions that use SSH, NETCONF, and RESTCONF, as well as statistics-gathering with SNMP or NetFlow. NETCONF and RESTCONF provide significant security advantages over SNMP, including stronger authentication and encryption, more granular access control, better-structured data representation, and improved error handling and transaction support. While SNMP is still widely used for its simplicity and compatibility with older network devices, the security benefits of NETCONF and RESTCONF make them more suitable for modern network management.
When you consider the security of a network device, it is critical that the management plane be protected. Designed to prevent unauthorized direct communication to network devices, infrastructure access control lists (iACLs) are one of the most critical security controls that can be implemented in networks.
Details on how customers can apply mitigations and disable the affected MIBs are available in the security advisory.
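To make the controls above concrete (dropping default community strings, restricting SNMP to trusted addresses, excluding an affected MIB from the view, and an iACL protecting the management plane), here is an added Cisco IOS configuration example; it is not taken from the post or the advisory. The addresses, the interface name, the ACL and view names and the <AFFECTED-MIB> placeholder are assumptions to replace with your own values and the MIB names from the security advisory.

```cisco
! Constructed example: 192.0.2.10 is an assumed management host,
! 198.51.100.0/24 an assumed infrastructure address range, and
! GigabitEthernet0/0 an assumed interface facing untrusted networks.
!
! 1. Remove default / weak community strings.
no snmp-server community public
no snmp-server community private
!
! 2. Allow SNMP only from the management host; log everything else.
ip access-list standard SNMP-MGMT
 permit host 192.0.2.10
 deny   any log
!
! 3. Limit what a read-only community can walk: exclude the affected MIB.
!    <AFFECTED-MIB> is a placeholder; use the object names listed in the advisory.
snmp-server view SAFE-VIEW iso included
snmp-server view SAFE-VIEW <AFFECTED-MIB> excluded
snmp-server community <long-random-string> view SAFE-VIEW RO SNMP-MGMT
!
! 4. Prefer SNMPv3 with authentication and privacy; the same ACL still applies.
snmp-server group MGMT-V3 v3 priv read SAFE-VIEW access SNMP-MGMT
snmp-server user monitor MGMT-V3 v3 auth sha <auth-password> priv aes 128 <priv-password>
!
! 5. Infrastructure ACL: SNMP to the infrastructure range is accepted only
!    from the management host and dropped (and logged) from anywhere else,
!    before it ever reaches the management plane.
ip access-list extended IACL-IN
 permit udp host 192.0.2.10 198.51.100.0 0.0.0.255 eq snmp
 deny   udp any 198.51.100.0 0.0.0.255 eq snmp log
 deny   udp any 198.51.100.0 0.0.0.255 eq snmptrap log
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group IACL-IN in
```

After applying it, `show snmp community` and `show access-lists` confirm which community strings remain and whether the log-tagged deny entries are accumulating hits from unexpected sources.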
Cisco Talos provided additional details about this specific campaign as well as observations of a larger issue of which this campaign is an example – a rising volume of attacks against aging networking appliances and software across all vendors. You can read their findings and recommendations in their blog post, also published today.
Infrastructure devices are critical components of any organization’s IT infrastructure. These devices are often the first line of defense against cyber-attacks and can help prevent unauthorized access to your network. Proper patch management for infrastructure devices reduces the risk of exploitation.
The following resources include numerous best practices on how to harden infrastructure devices, perform integrity assurance checks, and provide guidance on how to perform forensic investigations:
Cisco recognizes the technology vendor’s role in protecting customers and won’t shy away from our responsibility to constantly provide you with up-to-date information, as well as guidance on how to protect your network against cyber-attacks.
For additional guidance and information, visit the below resources: