Cisco Routers Vulnerability

Hi
Today we have a lot of customers reporting that their Cisco routers got root
access and the IOS got erased. Is there any known vulnerability in Cisco
products that they reported in their security alerts about this recently?
Has anyone faced the same issue?

Regards

http://tools.cisco.com/security/center/publicationListing.x


It would help if you could share the router type, IOS version, etc.

--John

"show tech-support" might give you a list of the last commands issued on
the devices. It's more likely to be a password compromise than a remote vuln.

Nick

Hello,
Ask your customers whether they had VTY access secured properly. Brute-force
password attacks against management interfaces (telnet, SSH) aren't rare
these days, and once you have management access, you can do anything
independently of known code vulnerabilities.

With regards,
Daniel

It's reported by different customers in different locations, so I don't
think it's a password compromise.

Regards

I will try to get that information.

Thanks

They may want to check if some network engineer got fired recently. Usually these sorts of things relate to a human problem rather than a technical attack.

Stephen Mikulasik


If you follow Chris's suggestion, you might get faster resolution.

http://tools.cisco.com/security/center/publicationListing.x

--John

Have you checked? If the routers had vty access open (ssh or telnet) and
the passwords were easy to guess, then it's more likely that this was a
password compromise. You can test this out by getting a copy of one of the
configs and decrypting the access password. Or by asking your customers
whether their passwords were dictionary or simple words.

It's possible that there was a remotely accessible vulnerability, but ios
isn't known for this.

Nick
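Daniel's and Nick's advice above amounts to an audit of the VTY configuration: is management reachable over cleartext telnet, is it restricted by an access-class, and is the line password a reversible type 7 string that sits on a public wordlist? Here is an added example of such a check in Python (not code from the thread or from Cisco); the config excerpt and the WEAK_WORDS list are constructed, and the type 7 decoding uses Cisco's publicly documented XOR key.

```python
import re
# Cisco's published type 7 XOR key. Type 7 is reversible obfuscation, not
# encryption, so a "password 7" string can be checked against a wordlist.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Constructed stand-in for a leaked password list like the one the thread cites.
WEAK_WORDS = ["cisco", "admin", "password", "123456"]

# Constructed IOS running-config excerpt (not from a real device).
CONSTRUCTED_CONFIG = """\
enable password 7 0822455D0A16
line vty 0 4
 password 7 0822455D0A16
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 transport input ssh
"""

def decode_type7(blob):
    """Reverse a 'password 7' value: two-digit decimal salt, then hex bytes."""
    salt, data = int(blob[:2]), bytes.fromhex(blob[2:])
    return bytes(b ^ _TYPE7_KEY[(salt + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(data)).decode()
def _stanzas(config):
    """Split the config into (header, [child lines]) at each unindented line."""
    for chunk in re.split(r"\n(?=\S)", config.strip()):
        header, *body = [l.strip() for l in chunk.splitlines()]
        yield header, body
def audit_config(config, weak_words):
    """Return findings on management-plane exposure. Assumes a missing
    'transport input' line permits telnet (the historic IOS default)."""
    weak, findings = {w.lower() for w in weak_words}, []
    for header, body in _stanzas(config):
        if header.startswith("enable password"):
            findings.append("global: 'enable password' used instead of 'enable secret'")
        if not header.startswith("line vty"):
            continue
        if not any(c.startswith("access-class") for c in body):
            findings.append(f"{header}: no access-class limiting management sources")
        transport = next((c.split()[2:] for c in body
                          if c.startswith("transport input")), ["all"])
        if "telnet" in transport or "all" in transport:
            findings.append(f"{header}: cleartext telnet accepted")
        for c in body:
            m = re.match(r"password 7 ([0-9A-Fa-f]+)$", c)
            if m and decode_type7(m.group(1)).lower() in weak:
                findings.append(f"{header}: type 7 password is on the weak-password list")
            elif m:
                findings.append(f"{header}: reversible type 7 password; use 'login local' with secrets")
    return findings
```

Run `audit_config(CONSTRUCTED_CONFIG, WEAK_WORDS)` on a real `show running-config` dump to get the same four classes of finding for each VTY block.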

I still don't have full information from them, as it has been reported by
different customers all at almost the same time. I am trying to get
some information about it; I was just checking whether a known
vulnerability has been announced recently regarding this.

Thank you guys

A whole pile of new vulnerabilities including remote code exploit were
revealed against specific models about 3 weeks ago; I had not heard of any
exploits, but, ...

Which is why the models and IOS versions would be very useful.

Thus said Rashed Alwarrag on Tue, 14 Apr 2015:

Date: Tue, 14 Apr 2015 00:29:25 +0300
From: Rashed Alwarrag <rali.ahmed@gmail.com>
To: nanog@nanog.org
Subject: Cisco Routers Vulnerability


Another strong possibility is a disgruntled former employee or former
contractor.


Have you checked? If the routers had vty access open (ssh or telnet) and
the passwords were easy to guess, then it's more likely that this was a
password compromise. You can test this out by getting a copy of one of
the configs and decrypting the access password. Or by asking your customers
whether their passwords were dictionary or simple words.

or if mayhaps the passwords were listed on the list of passwords discussed a few days ago:

  353040 sshpsycho_passwords.txt

http://blogs.cisco.com/security/talos/sshpsychos

Once a password list gets published, the scripties will update their list of passwords to brute-force with all the other password lists they can find. Hence lists that exceed 353,000 passwords and growing...

Well,

It's not like people are still using telnet/ssh/web with a
password/enable on the net... anymore.

We do PCI, and it took the better part of 6 months for a customer
network engineer to get it right.
(The annoying part is that we cannot do the work for them; we can
only hope they get a paper cut every time we send out a report about
that security risk.)

But I'm still curious what the attack vector was...

As for my ~20ish Cisco devices in the wild, they're all pretty healthy.

...

For some reason this brings up the following memory from long ago.

Had several people notify us in a short period that they all had been
watching hackers try the "default cisco password" on several of our
downstream customers' gear. Piqued my interest when it got to me: umm,
what default cisco password?

Oh, the hackers were so successful getting in to tons of places that
the researchers were watching the hackers connect everywhere, in
addition to my downstreams, with cisco/cisco, that they had assumed it
was the default...

(of course, this was long before Cisco shipped some piece of gear that
actually did have default passwords (don't remember what any longer
first started that)).