Detected does not mean harmless

Is it possible to exploit a “theoretical” vulnerability?

News about vulnerabilities breaks almost every day. People discuss them on the Internet, developers release patches, and then everyone calms down. So it may appear that everything is OK and the problem is solved. That is not the case. Not all administrators install updates, especially when it comes to software for network equipment; updating that typically  takes a lot of effort.

Some system administrators do not think that their business will become the target of malefactors. Some scan official security advisories for the magic words “no sign of exploitation in the wild” and then relax, thinking that this vulnerability is just theoretical.

Last year, several serious vulnerabilities in Cisco equipment were reported. One of the reports — SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE operating systems (advisory ID: cisco-sa-20170629-snmp) — explained how an outsider could potentially gain full control over the system. The only thing they’d need is an SNMP read-only community string (a kind of user ID or password) for the relevant system. The problem has been known since July 2017. Cisco, which takes vulnerabilities seriously, patched it promptly, so no exploitation attempts have been detected.

Our colleague Artem Kondratenko, an expert pentester, conducted an external penetration test and discovered a Cisco router with the default SNMP community string. He decided to investigate how dangerous the vulnerability could be. So he set himself a goal: to obtain access to the internal network through that router. By the way, Kondratenko’s discovery was not unique. Shodan lists 3,313 devices of the same model with the default community string.

Let’s set aside the technical details, though. If you want to get better acquainted with his research, check out Kondratenko’s lecture at the Chaos Communications Congress. What’s important here is the final result. He demonstrated that this vulnerability can be used to get access to the system at a level 15 privilege, the highest possible for Cisco’s IOS shell. So, despite there being no cases of exploitation in the wild — yet — ignoring the vulnerability would not be wise. It took Kondratenko only four weeks from the discovery of the vulnerable device to creating a proof of concept for exploiting cisco-sa-20170629-snmp.

To be sure that your router will not be the first victim of this vulnerability, it is wise to:

  1. Make sure that your network equipment software is up to date;
  2. Not use a default community string in routers connected to the external network (better, avoid using default community strings at all);
  3. Watch for end-of-life announcements for your network devices — after that they will not be supported by manufacturers and are unlikely to receive any updates.