Cyble-Blogs-CISCO-Routers
On April 18, 2023, the Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI) and the UK National Cyber Security Centre (NCSC) released the joint cybersecurity advisory “APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers”.
The advisory details how, in 2021, the actors exploited SNMP vulnerabilities on unpatched Cisco routers to deploy the “Jaguar Tooth” malware. The vendor first disclosed the vulnerability in June 2017.
CVE-2017-6742 is caused by a buffer overflow in the Simple Network Management Protocol (SNMP) subsystem. An attacker could exploit it by sending a crafted SNMP packet to an affected device. SNMP is intended to let network administrators monitor and configure network devices remotely.
CVE-2017-6742 is rated High severity. It is one of multiple vulnerabilities identified in the SNMP subsystem of Cisco IOS and IOS XE Software; these affect SNMP versions 1, 2c, and 3 and could be exploited by an authenticated remote attacker to execute code on an affected system or cause it to reload.
To exploit these vulnerabilities using SNMP version 2c or earlier, the attacker must possess the SNMP read-only community string of the targeted system. To exploit them using SNMP version 3, the attacker must have valid user credentials for the affected system.
Devices that have SNMP enabled and do not explicitly exclude the affected MIBs or OIDs should be considered vulnerable.
According to the Cisco security advisory, devices configured with any of the following MIBs are vulnerable:
Cisco IOS 12.0 through 12.4 and 15.0 through 15.6, and IOS XE 2.2 through 3.17, are the releases affected by CVE-2017-6742.
CISA also added CVE-2017-6742 to its Known Exploited Vulnerabilities (KEV) Catalog on April 19, 2023, as shown in the figure below.
Jaguar Tooth is malware designed to target Cisco IOS routers, and it is non-persistent. It automatically gathers device information and sends it out via Trivial File Transfer Protocol (TFTP), and it provides backdoor access without authentication.
Jaguar Tooth alters the system’s authentication mechanism so that any local account can be accessed regardless of the password supplied, over both Telnet and physical sessions. It does this by patching the “askpassword” and “ask_md5secret” functions so that they always return “true” without verifying the password.
Additionally, the malware creates a new process named “Service Policy Lock” that performs automated data collection and exfiltration over TFTP. The gathered information covers various device details, such as:
Jaguar Tooth’s primary objective is to collect and transmit device information obtained through specific Cisco IOS command-line interface (CLI) commands. These commands include:
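The two behaviours described above (a new “Service Policy Lock” process, and data leaving the router over TFTP) are what a defender can look for. The following script is an added example, not Cyble’s or the advisory’s code: it scans constructed `show processes` output for the process name and constructed flow records for UDP/69 from a router to anything other than a sanctioned TFTP server; the router and TFTP-server addresses are assumptions.

```python
"""Hunt for the two Jaguar Tooth behaviours the advisory describes: a new IOS
process named "Service Policy Lock", and data exfiltration from the router
over TFTP (UDP/69).

Added example, not Cyble's or the advisory's code. The `show processes`
output and flow records are constructed; the router and TFTP-server
addresses are assumptions.
"""
from typing import Iterable

IMPLANT_PROCESS = "Service Policy Lock"   # process name reported in the advisory

def find_implant_process(show_processes: str) -> list[str]:
    """Return the lines of `show processes` output that name the implant's process."""
    return [ln.strip() for ln in show_processes.splitlines()
            if IMPLANT_PROCESS.lower() in ln.lower()]

def detect_tftp_exfil(flows: Iterable[str], router_ips: set[str],
                      allowed_tftp: set[str]) -> list[dict]:
    """Flag UDP/69 flows from a router to any host that is not a sanctioned TFTP server.
    Each flow record is 'timestamp,src,dst,proto,dport,bytes'."""
    alerts = []
    for rec in flows:
        ts, src, dst, proto, dport, nbytes = rec.split(",")
        if src in router_ips and proto == "udp" and dport == "69" and dst not in allowed_tftp:
            alerts.append({"ts": ts, "router": src, "dst": dst, "bytes": int(nbytes)})
    return alerts

# Constructed `show processes` excerpt (PCs and counters are made up).
SAMPLE_SHOW_PROCESSES = """\
 PID QTy       PC Runtime (ms)    Invoked   uSecs    Stacks TTY Process
   1 Cwe 60A4E5D8            0          1       0 5348/6000   0 Chunk Manager
  42 Mwe 60B1A2C0           12        318      37 5124/6000   0 Service Policy Lock
  77 Mwe 60C0F110            0          2       0 5700/6000   0 IP Input
"""

# Constructed flow records: timestamp,src,dst,proto,dport,bytes
SAMPLE_FLOWS = [
    "2021-03-02T01:14:05Z,192.0.2.1,192.0.2.50,udp,69,512",       # sanctioned TFTP server
    "2021-03-02T01:14:09Z,192.0.2.1,198.51.100.7,udp,69,18432",   # unknown destination
    "2021-03-02T01:15:00Z,192.0.2.1,203.0.113.9,udp,161,140",     # SNMP poll, not TFTP
    "2021-03-02T01:16:00Z,10.0.0.5,198.51.100.7,udp,69,300",      # not a router
]
ROUTER_IPS = {"192.0.2.1"}        # assumed management address of the router
ALLOWED_TFTP = {"192.0.2.50"}     # assumed sanctioned TFTP server

if __name__ == "__main__":
    for hit in find_implant_process(SAMPLE_SHOW_PROCESSES):
        print("suspicious process:", hit)
    for alert in detect_tftp_exfil(SAMPLE_FLOWS, ROUTER_IPS, ALLOWED_TFTP):
        print("possible TFTP exfiltration:", alert)
```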
One online scanner reports that ~77k internet-exposed Cisco routers have SNMP enabled. The figure below shows the geographical distribution of the exposed assets; the largest numbers of exposed assets were found in Russia, the United States and India.
Note: The image above does not show vulnerable products but rather the geographical distribution of potentially vulnerable products. The count of exposed assets may vary depending on the online scanner and the query used to narrow down the exposure.
The vendor recommends that administrators restrict SNMP access on affected systems to trusted users only, and that they monitor the affected systems with the “show snmp host” command in the command-line interface (CLI).
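The exploitation preconditions (a read-only community string on v1/v2c, or v3 credentials) and the vendor’s mitigation (restrict SNMP to trusted users, exclude the affected MIBs) can be checked against a router’s configuration. The following audit script is an added example, not Cisco’s or Cyble’s code: it parses the `snmp-server` lines of a constructed IOS running-config and flags communities and groups with no access-list, RW communities, communities or groups without a view, and v3 groups not using `priv`; the view contents, ACL numbers and community names are assumptions.

```python
"""Audit the snmp-server lines of a Cisco IOS running-config for the exposure
the advisory describes: CVE-2017-6742 needs only the read-only community
string on v1/v2c (or valid v3 credentials), so the mitigation is to restrict
who may query and to exclude the affected MIBs through a view.

Added example, not Cisco's or Cyble's code; the config below is constructed.
Finding codes: no-acl, rw, no-view, weak-v3 (v3 group not using 'priv').
"""
import re

COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view (\S+))? (RO|RW)(?: (\S+))?", re.I)
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (\S+)(.*)$", re.I)

def audit_snmp(config: str) -> list[tuple[str, str]]:
    """Return (community-or-group, finding-code) pairs, one per weakness found."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := COMMUNITY_RE.match(line):
            name, view, mode, acl = m.groups()
            if acl is None:            # any host that knows the string may query
                findings.append((name, "no-acl"))
            if mode.upper() == "RW":   # write access widens the impact further
                findings.append((name, "rw"))
            if view is None:           # no view, so the affected MIBs are reachable
                findings.append((name, "no-view"))
        elif m := GROUP_RE.match(line):
            name, level, rest = m.groups()
            tokens = rest.split()
            if level.lower() != "priv":        # noauth/auth: no confidentiality
                findings.append((name, "weak-v3"))
            if "access" not in tokens:         # no ACL bound to the group
                findings.append((name, "no-acl"))
            if "read" not in tokens:           # no read view restricting MIBs
                findings.append((name, "no-view"))
    return findings

# Constructed running-config excerpt. A hardened view would, in addition to
# the 'included' subtree, mark each MIB named in the advisory as 'excluded'.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
snmp-server view SAFE 1.3.6.1.2.1.1 included
snmp-server community m0n1t0r view SAFE RO 10
snmp-server group NETOPS v3 priv read SAFE access 10
snmp-server group LEGACY v3 noauth
access-list 10 permit 192.0.2.10
"""

if __name__ == "__main__":
    for subject, code in audit_snmp(SAMPLE_CONFIG):
        print(f"{subject}: {code}")
```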
Patching the vulnerabilities should be treated as a high priority (Patch Link).
If successfully exploited, the vulnerability could allow the attacker to execute arbitrary code and take full control of the affected system, or cause it to reload. Urgent patching of the affected products is therefore recommended.
This incident highlights state actors targeting vulnerable internet-exposed devices for reconnaissance and cyber espionage. Because the affected products are widely used across state and private organizations, administrators should focus on timely patching of vulnerabilities and on keeping critical assets from being exposed to the internet.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170629-snmp
https://nvd.nist.gov/vuln/detail/CVE-2017-6742