
So then this vulnerability is pretty much only useful (1) for persisting onto networks you've already compromised (2) and only in cases where you can apply consultative effort to discover the SNMP community string?

Or maybe there are lots of overseas networks where they enable SNMP and leave the community string "public"?

(Also: how batshit crazy is it that the ASA will let you use "public" as your community string, let alone default to it?)




> So then this vulnerability is pretty much only useful (1) for persisting onto networks you've already compromised

No! For example, at one place I was employed, the switches had different VLANs - one for the private internal network, one which had external (direct) internet access, one for VoIP telephones, one for printers, one for servers and one for BYOD external consultants. Basically, compartmentalization - and everything was firewalled, and every cross-VLAN access had to be separately allowed.

So this exploit (or, for that matter, any switch/router exploit) can be used not just for persisting, but for escalating privileges. Assume you have hacked a fax printer via the telephone line (hey, given that, I'm tempted to actually grab a modem and do some fuzzing with my fax printer...); you can then use its network connection to punch holes in the firewall and spread.


Yeah, I guess, but I think that scenario is way less common than you think it is, only because almost nobody reliably segments networks. Once you're internal, you've usually got everything within a few hops.

Whereas persisting onto an ASA sounds like an actually widely useful capability! The ASAs don't get reimaged during incident response.


> Yeah, I guess, but I think that scenario is way less common than you think it is, only because almost nobody reliably segments networks. Once you're internal, you've usually got everything within a few hops.

Indeed, yes, but entities large enough to afford dedicated teams to run hundreds of pieces of Cisco gear with proper segmentation etc. usually also tend to be those of most interest to any espionage outfit.

Last I heard, ex-employer switched from huge VLAN switches to dedicated, unconnected switches for each network part after Snowden. Given the leak here, I'd say their fear wasn't totally unjustified.


It seems like a massive oversight to implement segmentation like that and yet still allow the fax printer SNMP and telnet/SSH access to the firewall.

In environments I've seen, the network management network is the thing most likely to be isolated first.


You can learn the community string by monitoring traffic. The community string is included in each and every SNMPv2 PDU. SNMPv2 performs no handshake, so it is vulnerable to trivial spoofing. Enterprises and ISPs reusing community strings on every device and never rotating them is not unheard of.
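Added example, not taken from any comment in this thread: a small Python audit that does the defender-side version of what the comment above describes. It builds a constructed SNMPv2c GetRequest (the sample datagrams are made up here, not captured from any network), parses the outer BER envelope to pull out the version and community string, and flags vendor defaults such as "public", as well as any v1/v2c message at all, since those carry the community string in cleartext in every message. The WEAK_COMMUNITIES set, the OID polled and the community values in the sample capture are assumptions for the example.

```python
"""Audit constructed SNMP datagrams for cleartext community strings.

SNMPv1/v2c carry the community string as a plain OCTET STRING in every
message, so anyone who can see the traffic can read it. This parser pulls
the version and community out of the outer BER envelope and flags the
vendor-default values. The sample datagrams are constructed below, not
captured from a real network.
"""

WEAK_COMMUNITIES = {"public", "private"}  # classic vendor defaults (assumed list)
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}


def _encode_length(n):
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Build one BER tag-length-value element."""
    return bytes([tag]) + _encode_length(len(body)) + body


def ber_int(value):
    """BER INTEGER for small non-negative values (version, request-id, error fields)."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def ber_oid(dotted):
    """BER OBJECT IDENTIFIER; arcs after the first two are base-128 encoded."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return tlv(0x06, body)


def build_v2c_get(community, oid, request_id=1):
    """Constructed SNMPv2c GetRequest for one OID, standing in for a captured datagram."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))  # OID + NULL value placeholder
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)  # version 1 == v2c


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def audit_snmp_message(datagram):
    """Classify one SNMP message by version and by the community string it exposes."""
    tag, body, _ = read_tlv(datagram)
    if tag != 0x30:
        raise ValueError("not an SNMP message envelope")
    tag, raw_version, pos = read_tlv(body)
    if tag != 0x02:
        raise ValueError("missing version field")
    version = int.from_bytes(raw_version, "big", signed=True)
    result = {"version": VERSION_NAMES.get(version, f"unknown({version})"),
              "community": None, "finding": None}
    if version == 3:
        # v3 replaces the community string with msgGlobalData and a security model
        result["finding"] = "ok: SNMPv3, no community string on the wire"
        return result
    tag, raw_community, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community string")
    community = raw_community.decode("latin-1")
    result["community"] = community
    if community in WEAK_COMMUNITIES:
        result["finding"] = f"vendor-default community string {community!r} in cleartext"
    else:
        result["finding"] = "cleartext community string readable by any on-path observer"
    return result


# Constructed SNMPv3 envelope: version plus an empty msgGlobalData, enough for the version check.
SAMPLE_V3_ENVELOPE = tlv(0x30, ber_int(3) + tlv(0x30, b""))

# Constructed "capture": what a monitoring host polling sysName.0 might send.
SAMPLE_CAPTURE = [
    build_v2c_get("public", "1.3.6.1.2.1.1.5.0"),
    build_v2c_get("n0c-r0t4ted-2014", "1.3.6.1.2.1.1.5.0"),
    SAMPLE_V3_ENVELOPE,
]


def audit_capture(datagrams):
    """Run the audit over every datagram in a capture."""
    return [audit_snmp_message(d) for d in datagrams]


if __name__ == "__main__":
    for r in audit_capture(SAMPLE_CAPTURE):
        print(r["version"], r["finding"])
```

Running it prints one finding per datagram. Note that the check only looks at the envelope: a v3 message is reported as OK because it has no community field, not because its security model has been assessed.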


Yes, obviously you can sniff community strings, but that only helps if you're speaking SNMP over the Internet.

Again, the case I'm making is that this particular bug is really only useful for persisting onto networks you've already compromised.


I would not be surprised if there are companies & organizations out there using SNMP monitoring tools to monitor cloud hosted systems in the same on-prem instance they're monitoring their on-prem systems from.

I'm thinking specifically of my old company, which used Nagios to monitor a few hundred VMs on AWS in addition to the several thousand servers & all the networking gear running locally.


That's what puts the P in APT, after all.

