Heads-up on security aspects of looking-glass deployments
Hi all,

we recently performed a broad-scope security review of some commonly deployed open-source looking-glass software, and we discovered several bugs and misconfigurations which you may want to check if they concern your infrastructure.

Firstly, affected software and issues are as follows:

* mrlg4php
  - CVE-2014-3927: Remote command injection to router's console via "argument" parameter
* cougar-lg
  - CVE-2014-3926: XSS in <title> via "addr" parameter
  - CVE-2014-3928: Unsafe configuration file path/ACL
  - CVE-2014-3929: Unsafe SSH keypairs path in default config
* cistron-lg
  - CVE-2014-3930: Unsafe configuration file path/ACL
* mrlg
  - CVE-2014-3931: Remote memory corruption in fastping (SUID binary)

Some of these bugs (in particular 3927, 3928, 3929, 3930) may directly or indirectly result in exposed IPs, usernames, passwords, SSH private keys and remote command injection to router's console. Depending on the specific infrastructure setup, this may translate into an attacker having live access to routers' CLI.

During the study, we detected around 45 incidents somehow related to the above bugs, which we have already reported to concerned NOC contacts, whois contacts and national FSIRTs for further handling. Advance private disclosure to concerned entities was performed on 06/02.

For specific details, full advisories are available for each issue:

* http://www.s3.eurecom.fr/cve/CVE-2014-3926.txt
* http://www.s3.eurecom.fr/cve/CVE-2014-3927.txt
* http://www.s3.eurecom.fr/cve/CVE-2014-3928.txt
* http://www.s3.eurecom.fr/cve/CVE-2014-3929.txt
* http://www.s3.eurecom.fr/cve/CVE-2014-3930.txt
* http://www.s3.eurecom.fr/cve/CVE-2014-3931.txt

Apart from one case where the author is unreachable and one that has been marked as "wontfix", all the issues have been fixed by software authors. Incidents related to misconfigurations have been handled on a case-by-case basis, and no disclosure-delaying cases exist at this time (to the best of our knowledge).
If you have any specific questions on the topic, feel free to ask either here on NANOG or by reaching me in private.

Cheers, Luca & Mariano

-- 
 .''`.  | ~<[ Luca BRUNO ~ (kaeso) ]>~
: :'  : | Email: lucab (AT) debian.org ~ Debian Developer
`. `'`  | GPG Key ID: 0x3BFB9FB3 ~ Free Software supporter
  `-    | HAM-radio callsign: IZ1WGT ~ Networking sorcerer
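The two bug classes that dominate the list above are (a) a query parameter such as "argument" or "addr" reaching a router console or a shell unvalidated, and (b) configuration files and SSH keypairs stored where the web server or other local users can read them. The following is an added example, not code from the advisory or from any of the looking-glass projects named in it, of the checks an operator running a looking glass can apply on the defending side: a strict allowlist validator for the only argument types a looking glass legitimately needs (IP address, prefix, AS number), a command builder that passes the validated value as an argv element rather than through a shell, and a file check that flags a config or key that sits under the web document root or is readable by group/others. The wrapper name `lg-router-query` and the file layout built by `demo_file_checks` are constructed placeholders.

```python
import ipaddress
import os
import re
import stat
import tempfile

# AS numbers: optional "AS" prefix, 32-bit range (RFC 6793).
AS_RE = re.compile(r"^(?:AS)?(\d{1,10})$", re.IGNORECASE)
MAX_ARG_LEN = 64


def validate_lg_argument(kind, value):
    """Return the canonical form of a looking-glass argument, or raise ValueError.

    Everything that is not exactly an IP address, a prefix with no host bits set,
    or an AS number is rejected; separators, quotes and whitespace never survive.
    """
    value = value.strip()
    if not value or len(value) > MAX_ARG_LEN:
        raise ValueError("argument empty or too long")
    if kind == "ip":
        return str(ipaddress.ip_address(value))          # raises on anything else
    if kind == "prefix":
        return str(ipaddress.ip_network(value, strict=True))  # host bits set -> error
    if kind == "asn":
        m = AS_RE.match(value)
        if not m or int(m.group(1)) > 0xFFFFFFFF:
            raise ValueError("not a valid AS number")
        return "AS%d" % int(m.group(1))
    raise ValueError("unknown argument kind")


def is_valid_argument(kind, value):
    """Boolean convenience wrapper around validate_lg_argument."""
    try:
        validate_lg_argument(kind, value)
        return True
    except ValueError:
        return False


def build_router_command(kind, value):
    """Build an argv list for a hypothetical 'lg-router-query' wrapper.

    The validated argument becomes one argv element; no shell ever sees it,
    so shell metacharacters cannot change the command even if validation
    were bypassed. (Assumption: the wrapper takes 'kind value' as arguments.)
    """
    return ["lg-router-query", kind, validate_lg_argument(kind, value)]


def check_private_file(path, docroot):
    """Return a list of problems for a config file or SSH key used by a looking glass."""
    problems = []
    real = os.path.realpath(path)
    root = os.path.realpath(docroot)
    if real == root or real.startswith(root + os.sep):
        problems.append("inside web document root")
    mode = os.stat(real).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible by group or others")
    return problems


def demo_file_checks():
    """Constructed layout: an exposed config under htdocs and a properly stored key."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    os.makedirs(docroot)
    exposed = os.path.join(docroot, "lg.conf")          # constructed, world-readable
    with open(exposed, "w") as fh:
        fh.write("router_password = example-placeholder\n")
    os.chmod(exposed, 0o644)
    keydir = os.path.join(base, "etc", "lg")
    os.makedirs(keydir)
    key = os.path.join(keydir, "id_rsa")                # constructed, not a real key
    with open(key, "w") as fh:
        fh.write("placeholder-private-key-material\n")
    os.chmod(key, 0o600)
    return {"exposed": check_private_file(exposed, docroot),
            "key": check_private_file(key, docroot)}


if __name__ == "__main__":
    print(build_router_command("ip", "192.0.2.1"))
    print(is_valid_argument("ip", "192.0.2.1; id"))
    print(demo_file_checks())
```

The validator deliberately canonicalises rather than sanitises: a value either parses as one of the three allowed types and is re-emitted from the parsed object, or the request is refused. Run `check_private_file` over every path named in the looking-glass configuration (config file, SSH key, password file) with the real document root to catch the path/ACL class of issue on an existing deployment.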