Cisco SNMP ACL Bypass Script

Author: Martin Voelk
February 2, 2016

We all know that Cisco is one of the key players in the Routing & Switching market, and perimeter routers are often Cisco models of all kinds. We also know that SNMP is one of the most popular network management protocols.

In many Penetration Tests we come across scenarios where customers try to protect SNMP polling with Access Lists. This is a good way of thinking, but combining it with an RO community of “public” and an RW community of “private” is not a good idea: spoofing an IP address that the ACL permits, and thereby bypassing the ACL, is a very simple task.

We still see the majority of clients (especially in the Small and Medium sized arena) using SNMPv2 instead of the much more secure, authenticated and encrypted v3. We also see that anti-spoofing features like Unicast RPF are rarely configured outside Enterprise networks (and even there they are often missing).
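To make the two points above concrete, here is the weak pattern next to a hardened equivalent in Cisco IOS configuration syntax. This is an added example, not configuration from the original post or from the NCC Group tool. The NMS address 192.0.2.10, ACL number 10, the interface name, the view/group/user names and the two passphrase placeholders are all assumptions; the commands themselves are standard IOS SNMP, ACL and uRPF commands.

```cisco
! --- Weak pattern (what the post describes): SNMPv2c, default community
! --- strings, and an access-list as the only protection.
! --- Constructed example: NMS address, ACL number and interface are assumptions.
access-list 10 permit host 192.0.2.10
snmp-server community public RO 10
snmp-server community private RW 10
!
! Why the ACL alone is not enough: SNMPv1/v2c run over UDP and carry no
! authentication beyond the community string, so the ACL is only checking a
! source address that the sender chooses. The community string is the real
! secret, and "public"/"private" are not secrets.
!
! --- Hardened equivalent ------------------------------------------------
! 1. Remove the default communities entirely (renaming them is not enough).
no snmp-server community public
no snmp-server community private
!
! 2. Keep the ACL, but log what it drops so spoofing attempts are visible
!    in syslog and in the ACL hit counters.
no access-list 10
access-list 10 permit host 192.0.2.10
access-list 10 deny any log
!
! 3. SNMPv3 with authentication and encryption (authPriv). The view limits
!    what the poller can read, the group ties the view to the ACL, and the
!    user gets SHA for authentication and AES-128 for privacy.
!    Both passphrases below are placeholders; use long, unique values.
snmp-server view NMS-VIEW iso included
snmp-server group NMS-GROUP v3 priv read NMS-VIEW access 10
snmp-server user nms-poller NMS-GROUP v3 auth sha AUTH-PASSPHRASE-PLACEHOLDER priv aes 128 PRIV-PASSPHRASE-PLACEHOLDER
!
! 4. Strict unicast RPF on the outside interface drops packets whose source
!    address is not reachable back through that interface, which closes the
!    easy path of spoofing the ACL-permitted NMS address from the outside.
!    Requires CEF (on by default on most platforms); on asymmetrically
!    routed links use loose mode ("reachable-via any") instead of strict.
ip cef
interface GigabitEthernet0/0
 ip verify unicast source reachable-via rx
!
! Verification (privileged EXEC):
!   show snmp user                  -> nms-poller with auth SHA / priv AES
!   show snmp group                 -> NMS-GROUP, v3 priv, access-list 10
!   show snmp community             -> no public/private entries remaining
!   show ip interface GigabitEthernet0/0 | include verif
!   show access-lists 10            -> deny-line counter for dropped polls
```

The ordering matters when pasting this into configuration mode: remove the v2c communities first, then build the v3 view, group and user, and only then enable uRPF, checking `show ip interface` afterwards so a strict-mode misfit on an asymmetric link is caught before legitimate traffic is dropped.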

A very smart tool has been developed and put on GitHub which enables ACL bypass. We advise checking your Cisco perimeter routers and testing them with that neat little tool. And please change your community strings to something better 🙂

https://github.com/nccgroup/Cisco-SNMP-Slap


Cisco OpenSSL Vulnerabilities

Author: Martin Voelk
March 22, 2015

Summary

Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project released a security advisory detailing 13 distinct vulnerabilities. The following seven are actively under investigation and the vulnerabilities are referenced in this document as follows:

  • CVE-2015-0286: OpenSSL ASN1_TYPE_cmp Denial of Service Vulnerability
  • CVE-2015-0287: OpenSSL ASN.1 Structure Reuse Memory Corruption Vulnerability
  • CVE-2015-0289: OpenSSL PKCS7 NULL Pointer Dereference Denial of Service Vulnerability
  • CVE-2015-0292: OpenSSL Base64 Decoding Memory Corruption Vulnerability
  • CVE-2015-0293: OpenSSL SSLv2 CLIENT-MASTER-KEY Denial of Service Vulnerability
  • CVE-2015-0209: OpenSSL Elliptic Curve d2i_ECPrivateKey Denial of Service Vulnerability
  • CVE-2015-0288: OpenSSL X.509 to PKCS#10 Denial of Service Vulnerability

The following six vulnerabilities do not affect any Cisco products:

  • CVE-2015-0291: OpenSSL ClientHello sigalgs Denial of Service Vulnerability
  • CVE-2015-0290: OpenSSL Multiblock Denial of Service Vulnerability
  • CVE-2015-0207: OpenSSL DTLSv1_listen SSL Object Corruption Denial of Service Vulnerability
  • CVE-2015-0208: OpenSSL Invalid Probabilistic Signature Scheme Parameters Denial of Service Vulnerability
  • CVE-2015-1787: OpenSSL Empty ClientKeyExchange Denial of Service Vulnerability
  • CVE-2015-0285: OpenSSL Handshake with Unseeded PRNG Predictable Value Vulnerability

This advisory will be updated as additional information becomes available.

Cisco will release free software updates that address these vulnerabilities.

Workarounds that mitigate these vulnerabilities may be available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150320-openssl
