{"id":10169,"date":"2018-01-19T02:36:49","date_gmt":"2018-01-19T07:36:49","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=10169"},"modified":"2018-09-18T16:10:29","modified_gmt":"2018-09-18T12:10:29","slug":"router-vulnerability-34c3","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/router-vulnerability-34c3\/10169\/","title":{"rendered":"Detected does not mean harmless"},"content":{"rendered":"<p>News about <a href=\"https:\/\/securelist.com\/threats\/vulnerability-glossary\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener\">vulnerabilities<\/a> breaks almost every day. People discuss them on the Internet, developers release patches, and then everyone calms down. So it may appear that everything is OK and the problem is solved. That is not the case. Not all administrators install updates, especially when it comes to software for network equipment; updating that typically takes a lot of effort.<a href=\"https:\/\/me-en.kaspersky.com\/blog\/files\/2018\/03\/router-vulnerability-34c3.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-10170\" src=\"https:\/\/me-en.kaspersky.com\/blog\/files\/2018\/03\/router-vulnerability-34c3-1024x672.jpg\" alt=\"\" width=\"1024\" height=\"672\"><\/a><\/p>\n<p>Some system administrators do not think that their business will become the target of malefactors. Some scan official security advisories for the magic words \u201cno sign of exploitation in the wild\u201d and then relax, thinking that this vulnerability is just theoretical.<\/p>\n<p>Last year, several serious vulnerabilities in Cisco equipment were reported. 
One of the reports \u2014 SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE operating systems (advisory ID: <a href=\"https:\/\/tools.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-20170629-snmp\" target=\"_blank\" rel=\"noopener nofollow\">cisco-sa-20170629-snmp<\/a>) \u2014 explained how an outsider could potentially gain full control over the system. The only thing they\u2019d need is an SNMP read-only community string (a kind of user ID or password) for the relevant system. The problem has been known since July 2017. Cisco, which takes vulnerabilities seriously, patched it promptly, so no exploitation attempts have been detected.<\/p>\n<p>Our colleague Artem Kondratenko, an expert pentester, conducted an external penetration test and discovered a Cisco router with the default SNMP community string. He decided to investigate how dangerous the vulnerability could be. So he set himself a goal: to obtain access to the internal network through that router. By the way, Kondratenko\u2019s discovery was not unique. Shodan lists 3,313 devices of the same model with the default community string.<\/p>\n<p>Let\u2019s set aside the technical details, though. If you want to get better acquainted with his research, check out Kondratenko\u2019s lecture at the <a href=\"https:\/\/media.ccc.de\/v\/34c3-8936-1-day_exploit_development_for_cisco_ios\" target=\"_blank\" rel=\"noopener nofollow\">Chaos Communications Congress<\/a>. What\u2019s important here is the final result. He demonstrated that this vulnerability can be used to get access to the system with level 15 privileges, the highest possible in Cisco\u2019s IOS shell. So, despite there being no cases of exploitation in the wild \u2014 yet \u2014 ignoring the vulnerability would not be wise. 
It took Kondratenko only four weeks from the discovery of the vulnerable device to the creation of a proof of concept for exploiting cisco-sa-20170629-snmp.<\/p>\n<p>To be sure that your router will not be the first victim of this vulnerability, it is wise to:<\/p>\n<ol>\n<li>Make sure that your network equipment software is up to date;<\/li>\n<li>Not use a default community string in routers connected to the external network (better, avoid using default community strings at all);<\/li>\n<li>Watch for end-of-life announcements for your network devices \u2014 after that they will not be supported by manufacturers and are unlikely to receive any updates.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Is it possible to exploit a \u201ctheoretical\u201d vulnerability?<\/p>\n","protected":false},"author":700,"featured_media":10170,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1917],"tags":[1617,1618,1627,1268,268],"class_list":{"0":"post-10169","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-34c3","10":"tag-ccc","11":"tag-chaos-communications-congress","12":"tag-exploits","13":"tag-vulnerabilities"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/router-vulnerability-34c3\/10169\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/router-vulnerability-34c3\/12248\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/router-vulnerability-34c3\/14439\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/router-vulnerability-34c3\/12667\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/router-vulnerability-34c3\/12340\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/router-vulnerability-34c3\/15149\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\
/router-vulnerability-34c3\/14932\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/router-vulnerability-34c3\/19491\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/router-vulnerability-34c3\/4640\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/router-vulnerability-34c3\/20747\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/router-vulnerability-34c3\/9946\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/router-vulnerability-34c3\/10031\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/router-vulnerability-34c3\/8801\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/router-vulnerability-34c3\/9197\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/router-vulnerability-34c3\/19288\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/router-vulnerability-34c3\/19398\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/router-vulnerability-34c3\/19362\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/34c3\/","name":"34c3"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10169","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/700"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=10169"}],"version-history":[{"count":3,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10169\/revisions"}],"predecessor-version":[{"id":10732,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10169\/revisions\/10732"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media
\/10170"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=10169"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=10169"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=10169"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}