Hi, today we have a lot of customers reporting that their Cisco routers got root access and the IOS got erased. Is there any known vulnerability in Cisco products that they reported in their security alerts recently? Has anyone faced the same issue? Regards
http://tools.cisco.com/security/center/publicationListing.x

On Mon, Apr 13, 2015 at 5:29 PM, Rashed Alwarrag <rali.ahmed@gmail.com> wrote:
Hi, today we have a lot of customers reporting that their Cisco routers got root access and the IOS got erased. Is there any known vulnerability in Cisco products that they reported in their security alerts recently? Has anyone faced the same issue?
Regards
On 04/13/2015 03:29 PM, Rashed Alwarrag wrote:
Hi, today we have a lot of customers reporting that their Cisco routers got root access and the IOS got erased. Is there any known vulnerability in Cisco products that they reported in their security alerts recently? Has anyone faced the same issue?

It would help if you could share the router type, IOS version, etc.

--John
I will try to get that information. Thanks.

On Tuesday, April 14, 2015, John Schiel <jschiel@flowtools.net> wrote:
It would help if you could share the router type, IOS version, etc.
--John

--
Rashed Alwarrag
On 04/13/2015 03:49 PM, Rashed Alwarrag wrote:
I will try to get that information.

If you follow Chris's suggestion, you might get faster resolution. http://tools.cisco.com/security/center/publicationListing.x

--John
On 13/04/2015 23:29, Rashed Alwarrag wrote:
Today we have a lot of customers reporting that their Cisco routers got root access and the IOS got erased. Is there any known vulnerability in Cisco products that they reported in their security alerts recently? Has anyone faced the same issue?

"show tech-support" might give you a list of the last commands issued on the devices. It's more likely to be a password compromise than a remote vuln.

Nick
It's reported by different customers in different locations, so I don't think it's a password compromise. Regards

On Tuesday, April 14, 2015, Nick Hilliard <nick@foobar.org> wrote:
"show tech-support" might give you a list of the last commands issued on the devices. It's more likely to be a password compromise than a remote vuln.
Nick

--
Rashed Alwarrag
On 13/04/2015 23:48, Rashed Alwarrag wrote:
It's reported by different customers in different locations, so I don't think it's a password compromise.

Have you checked? If the routers had vty access open (ssh or telnet) and the passwords were easy to guess, then it's more likely that this was a password compromise. You can test this out by getting a copy of one of the configs and decrypting the access password, or by asking your customers whether their passwords were dictionary or simple words. It's possible that there was a remotely accessible vulnerability, but IOS isn't known for this.

Nick
Still I don't have full information from them, as it has been reported by different customers, almost all at the same time. I am trying to get some information about it; I was just checking whether there is a known vulnerability that has been announced recently regarding this. Thank you guys.

On Tuesday, April 14, 2015, Nick Hilliard <nick@foobar.org> wrote:
Have you checked? If the routers had vty access open (ssh or telnet) and the passwords were easy to guess, then it's more likely that this was a password compromise. You can test this out by getting a copy of one of the configs and decrypting the access password, or by asking your customers whether their passwords were dictionary or simple words.
It's possible that there was a remotely accessible vulnerability, but IOS isn't known for this.
Nick

--
Rashed Alwarrag
A whole pile of new vulnerabilities, including remote code exploits, were revealed against specific models about 3 weeks ago; I had not heard of any exploits, but ... Which is why the models and IOS versions would be very useful.

On Mon, Apr 13, 2015 at 2:59 PM, Rashed Alwarrag <rali.ahmed@gmail.com> wrote:
Still I don't have full information from them, as it has been reported by different customers, almost all at the same time. I am trying to get some information about it; I was just checking whether there is a known vulnerability that has been announced recently regarding this.
Thank you guys

--
-george william herbert
george.herbert@gmail.com
It's reported by different customers in different locations, so I don't think it's a password compromise.

Have you checked? If the routers had vty access open (ssh or telnet) and the passwords were easy to guess, then it's more likely that this was a password compromise. You can test this out by getting a copy of one of the configs and decrypting the access password, or by asking your customers whether their passwords were dictionary or simple words.

Or if mayhaps the passwords were listed on the list of passwords discussed a few days ago:

353040 sshpsycho_passwords.txt
http://blogs.cisco.com/security/talos/sshpsychos

Once a password list gets published, the scripties will update their list of passwords to brute force with all the other password lists they can find. Hence lists that exceed 353,000 passwords and growing ...
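Nick's suggestion above (pull a copy of the config and decrypt the access password) and Keith's point about published brute-force lists can be combined into one check. The script below is an added example and not code from anyone in this thread. It decodes IOS type 7 line passwords with the fixed key IOS uses for that reversible obfuscation, flags telnet, a missing inbound access-class and shared-line-password login on the VTY lines, and looks the recovered passwords up in a wordlist. The router config and the wordlist are constructed for the example; the wordlist stands in for a file such as the sshpsycho list and is not that list.

```python
import re

# IOS "password 7" is not encryption: it XORs the plaintext against this
# well-known fixed key, starting at an offset given by the two leading digits.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUB"


def type7_decode(blob: str) -> str:
    """Recover the plaintext behind a 'password 7 <blob>' value."""
    if len(blob) < 4 or len(blob) % 2:
        raise ValueError("type 7 value must be a 2-digit seed followed by hex pairs")
    seed = int(blob[:2])
    data = bytes.fromhex(blob[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 8) -> str:
    """Inverse of type7_decode, useful for building test fixtures."""
    data = plain.encode("ascii")
    enc = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{enc.hex().upper()}"


def parse_sections(config: str) -> list:
    """Split an IOS config into (top-level line, [indented sub-lines]) pairs."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_vty(config: str, known_passwords: set) -> list:
    """Return (vty range, finding) pairs for weak management-access settings."""
    findings = []
    for header, body in parse_sections(config):
        if not header.startswith("line vty"):
            continue
        if not any(l.startswith("access-class") and l.endswith(" in") for l in body):
            findings.append((header, "no inbound access-class: any source may reach the VTY"))
        transport = next((l for l in body if l.startswith("transport input")), None)
        if transport is None:
            findings.append((header, "transport input not set; pin it to ssh explicitly"))
        elif set(transport.split()[2:]) & {"telnet", "all"}:
            findings.append((header, f"cleartext telnet allowed ({transport})"))
        for l in body:
            m = re.match(r"password(?: (\d+))? (\S+)$", l)
            if not m:
                continue
            ptype, value = m.group(1), m.group(2)
            if ptype == "7":
                plain = type7_decode(value)
                findings.append((header, f"type 7 line password recovers to {plain!r} (reversible)"))
            elif ptype in (None, "0"):
                plain = value
                findings.append((header, "line password stored in cleartext"))
            else:
                continue  # type 5/8/9 are real hashes; nothing to recover here
            if plain.lower() in known_passwords:
                findings.append((header, f"{plain!r} appears in the brute-force wordlist"))
        if "login" in body:
            findings.append((header, "'login' uses the shared line password; prefer 'login local' or AAA"))
    return findings


# Constructed sample config (not a real customer device).
SAMPLE_CONFIG = """\
!
hostname edge-rtr-1
!
line vty 0 4
 access-class 10 in
 password 7 0822455D0A16
 login
 transport input telnet ssh
line vty 5 15
 password 7 104F0D140C19
 login local
 transport input ssh
!
"""

# Constructed stand-in for a published password list.
SAMPLE_WORDLIST = {"cisco", "admin", "password", "123456"}

if __name__ == "__main__":
    for vty, finding in audit_vty(SAMPLE_CONFIG, SAMPLE_WORDLIST):
        print(f"{vty}: {finding}")
```

Run it against `show running-config` output from one of the affected routers with the real wordlist loaded into `known_passwords`; a type 7 password that decodes to something on the list is the password-compromise evidence Nick is asking for, independent of any IOS advisory.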
On Mon, Apr 13, 2015 at 05:03:02PM -0600, Keith Medcalf wrote:
It's reported by different customers in different locations, so I don't think it's a password compromise.

Have you checked? If the routers had vty access open (ssh or telnet) and the passwords were easy to guess, then it's more likely that this was a password compromise. You can test this out by getting a copy of one of the configs and decrypting the access password, or by asking your customers whether their passwords were dictionary or simple words.

Or if mayhaps the passwords were listed on the list of passwords discussed a few days ago: ...

For some reason this brings up the following memory of long ago. Had several people notify us in a short period that they had all been watching hackers try the "default cisco password" on several of our downstream customers' gear. Piqued my interest when it got to me: umm, what default Cisco password? Oh, the hackers were so successful getting in to tons of places that the researchers watching the hackers connect to everywhere, in addition to my downstreams, with cisco/cisco had assumed it was the default. (Of course, this was long before Cisco shipped some piece of gear that actually did have default passwords; I don't remember any longer what first started that.)
Hello,

ask your customers whether they had VTY access secured properly. Brute-force password attacks against management interfaces (telnet, SSH) aren't rare these days, and once you have management access, you can do anything, independently of known code vulnerabilities.

With regards,
Daniel

On 13.4.2015 23:29, Rashed Alwarrag wrote:
Hi, today we have a lot of customers reporting that their Cisco routers got root access and the IOS got erased. Is there any known vulnerability in Cisco products that they reported in their security alerts recently? Has anyone faced the same issue?
Regards
They may want to check if some network engineer got fired recently. Usually these sorts of things relate to a human problem rather than a technical attack.

Stephen Mikulasik

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Rashed Alwarrag
Sent: Monday, April 13, 2015 3:29 PM
To: nanog@nanog.org
Subject: Cisco Routers Vulnerability

Hi, today we have a lot of customers reporting that their Cisco routers got root access and the IOS got erased. Is there any known vulnerability in Cisco products that they reported in their security alerts recently? Has anyone faced the same issue?
Regards
Well, it's not like people are still using telnet/ssh/web with a password/enable on the net... anymore.

We do PCI and it took the better part of 6 months for a customer network engineer to get it right. (The annoying part is that we cannot do the work for them; we can only hope they get a paper cut every time we send out a report about that security risk.)

But I'm still curious what the attack vector was... As for my ~20ish Cisco devices in the wild, they're all pretty healthy.

-----
Alain Hebert ahebert@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443

On 04/13/15 17:51, Steve Mikulasik wrote:
They may want to check if some network engineer got fired recently. Usually these sorts of things relate to a human problem rather than a technical attack.

Stephen Mikulasik
Thus said Rashed Alwarrag on Tue, 14 Apr 2015:

Date: Tue, 14 Apr 2015 00:29:25 +0300
From: Rashed Alwarrag <rali.ahmed@gmail.com>
To: nanog@nanog.org
Subject: Cisco Routers Vulnerability

Hi, today we have a lot of customers reporting that their Cisco routers got root access and the IOS got erased. Is there any known vulnerability in Cisco products that they reported in their security alerts recently? Has anyone faced the same issue?

Another strong possibility is a disgruntled former employee or former contractor.

--
Matthew Galgoci
Network Operations
Red Hat, Inc
919.754.3700 x44155
------------------------------
"Whatever you do will be insignificant, but it is very important that you do it." -- Mahatma Gandhi
participants (11)
- Alain Hebert
- Christopher Morrow
- Daniel Suchy
- Doug McIntyre
- George Herbert
- John Schiel
- Keith Medcalf
- Matthew Galgoci
- Nick Hilliard
- Rashed Alwarrag
- Steve Mikulasik