Back to Insights
Patch Now: Cisco Closes Nine Serious SNMP Holes in IOS, IOS-XE
July 15, 2017 | Networking and Network Devices
By Chris Gonsalves, IANS Director of Technology Research
Cisco Systems this week issued patches for a series of critical SNMP vulnerabilities in its popular IOS and IOS-XE network infrastructure software. The nine publicly disclosed security flaws could enable an unauthenticated attacker to run remote code on – or take control of -- target systems, Cisco officials said.
The patches are notable both for the serious nature of the vulnerabilities addressed as well as the claim by Cisco that the flaws have been publicly disclosed. The networking vendor did not say when or how the SNMP holes in IOS were made public, just that they were aware of their release, raising concerns that exploits targeting the vulnerabilities may already be available.
“Cisco is aware of external knowledge of these vulnerabilities, Cisco said in its advisory. “As a precaution, we are notifying customers about the potential for exploitation.”
“Organizations need to address these issues immediately,” said IANS Faculty Dave Shackleford, principal consultant at Voodoo Security in Roswell, Ga. “Based on Cisco’s somewhat vague statement about the 'potential for exploitation' given that external entities know about the issues, as well as some intelligence gleaned from industry folks known to the IANS faculty, there’s a very good chance exploits are available or imminent for these flaws, and any organization that doesn’t patch or implement workarounds may be in a bad way.”
The buffer-overflow vulnerabilities affect all versions of IOS and IOS-XE and Simple Network Management Protocol (SNMP) subsystem versions 1, 2c and 3. An attacker can exploit the flaws by sending a crafted SNMP packet to an affected device via IPv4 or IPv6. Cisco first acknowledged the SNMP flaws in late June, issuing workarounds to protect systems while patches were being developed.
“A successful exploit could allow the attacker to execute arbitrary code and obtain full control of the affected system or cause the affected system to reload,” Cisco said. This week's patches cover CVE-2017-6736 through CVE-2017-6744, inclusive.
The Cisco advisory lists nine Management Information Base (MIB) configurations known to be vulnerable, all of which are enabled by default when SNMP is present. They are:
On systems with SNMP Version 2c or earlier, the attacker must know the SNMP read-only community string -- a type of password that controls access to SNMP data. To exploit the vulnerabilities with SNMP Version 3, the attacker must have user credentials for the affected system.
“During pen tests, I run into way too many SNMP services using easy-to-guess community strings, and attackers will have no trouble targeting vulnerable systems with poor SNMP configurations,” Shackleford added. “I’d advise security and network teams to bump these issues to the top of the priority list.”
In addition to applying the new patches, Cisco officials recommend treating community strings with the same care as administrator-level credentials.
“These community strings, as with all passwords, should be chosen carefully to ensure they are not trivial,” Cisco advises. “They should also be changed at regular intervals and in accordance with network security policies. For example, the strings should be changed when a network administrator changes roles or leaves the organization.”
To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker, that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described.
| Faculty Report
IANS Vulnerability and Breach Update: Q4 2016
Chris Poulin on Conscripted Cameras, Connected Cars and Learning to Love the IoT
Vulnerability Patching Policy Best Practices