Depends what you mean by "expose". Some people could read that as "exposed to the Internet". I'm reading it as "exposed to anything".
This looks like a good fun for doing lateral movement inside a network. I know of lots of environments with SNMPv2 wide open for "internal" networks to access.
Plus SNMP is UDP-based, so likely the exploit will work with a one-way path and spoofed source addresses.
There’s no way ISPs can function without SNMP. I think network management is like a 1/3 of all traffic. We process billions and billions of traps daily. These are not on internet connected networks and some have dedicated channels.
SNMP is one of those good ideas in theory, bad ideas in practice.
Anyways, Cisco hasn’t done great engineering pretty much since the dotcom bust. They’re now essentially a giant PE firm that grows through acquisitions and then milks them dry. It’s a classic case of the accountants took over.
I was at a startup they acquired ~4 years ago, by now it's just about milked completely dry.
Even though our product is close to industry-leading, they laid off our product manager, then another one, the QA team, and half of the devs. Unsurprisingly the product is falling apart.
It's not a company that attempts to produce value, as with so many others the product is the stock price.
The MBAs are showing some kind of savings on a spreadsheet somewhere though, so I suppose all the sacrifices are worth it.
American tech sector is being destroyed so it can be replaced by _____ and their surveillance state. It's death by a thousand cuts, labor supply, education, taxes, regulation, finance, dependencies, versioning, operating systems, etc. all are being made obfuscated, complex and frustrating to slow advancement and ultimately unstable and impossible to maintain. Most of our tech stack already has surveillance built in and that is already being co-opted and we're well on our way of having it outsourced to a foreign state.
Cisco's old model (which worked very well for them) was to develop an outside startup and see if they gain traction while keeping at least some financial/control stake to democratize the risk and spend and then spin-in if it is succesful (or sell off).
I interviewed with Cisco once. They wanted me to do a take home interview. Implement an api, make a web app, host the GitHub repo somewhere, host the web app so it was publicly available for them to test, make sure I included full documentation and test suite. A fully tested and deployed full stack application, from scratch, as a “take home test”. I said “no, I don't work for free”.
That was by far the most egregious example I’ve encountered of “we are trying to get unpaid labor from our interview process.”
I think it's reasonable if one's applying as a full-stack developer, the app is something like a simple TODO list that isn't anything they'd actually use, and there isn't a high expectation of polish. Few hours of work at most, not days, and definitely not a first-interview thing. Expecting you to host it yourself is definitely unreasonable: they can build and run it themselves if they care that much, but eyeballing the source ought to be good enough in most cases.
Selfishly, I'm happy and grateful they bought out chez scheme, opened it up, and funded development. Do I understand why? No, and I'm not going to question it!
EDIT: it seems like it was an acquihire of Dybvig and the team working on chez for something under NDA.
SNMP v3 at least has some security in mind, but a lot of devices are just v1 or v2c which are basically unsecured. Allowing ANY write access via SNMP is a bad idea in my opinion, unless you segment it out into it's own secured management or out-of-band network. Even then... I'd be worried.
Network infrastructure security has a lot of unsolved gotchas and not a lot of industry desire to fix. Most of what everyone interacts with is in an abstracted or virtualized layer on top of the old plumbing.
SNMP v2c is still common in the embedded world because it's protected with a simple password so it just works out of the box. SNMPv3 requires key management and an established PKI, and there's no equivalent of Let's Encrypt for isolated use cases in small orgs.
I never looked into the guts of how this was implemented, but I worked on a product which had an SNMPv3 agent that was only restricted by a username and password. I could flash a PC with a fresh Ubuntu image, apt install Net-SNMP and start sending SNMPv3 requests without every futzing with any keys.
If I remember right, handling SNMPv3 traps required some messy key stuff so the agent still sent SNMPv2 traps, but there was no requirement for keys for GET/SET.
The "yet another mortal security flaw in Cisco..." stories never seem to end.
Daydream: Journalists start ending such articles with "This is the Nth critical security flaw for Cisco in just the past year. Network security professionals we spoke to agree that network equipment vendors X, Y, and Z all have far better track records than Cisco."
1/4 of "yes", for this particular article. The regular "brands X, Y and Z are better" part would get more traction in the C-suites. And hopefully on Wall Street.
If a magazine for parents of severe-peanut-allergy children ended every "may contain undisclosed peanut" recall article with a "Here's our current top 3 brands for child peanut safety: ...", would anyone refer to that as reeking of journalistic bias?
How 'bout if Consumer Reports published a "We Tested 17 kitchen garbage disposals" article, and their 1-paragraph summary of the worst-rated model said "buy one of our 3 top-rated models instead"?
(Yes, I know you're giving a "proper" response. And that very few journalists might say "buy X, Y, or Z instead" about a 900 lbs. gorilla like Cisco. Recall my "Daydream" disclaimer.)
You're secure if you don't expose SNMP. Can't believe there are that many devices out there with that exposed though.
> You're secure if you don't expose SNMP.
Depends what you mean by "expose". Some people could read that as "exposed to the Internet". I'm reading it as "exposed to anything".
This looks like a good fun for doing lateral movement inside a network. I know of lots of environments with SNMPv2 wide open for "internal" networks to access.
Plus SNMP is UDP-based, so likely the exploit will work with a one-way path and spoofed source addresses.
There’s no way ISPs can function without SNMP. I think network management is like a 1/3 of all traffic. We process billions and billions of traps daily. These are not on internet connected networks and some have dedicated channels.
How did the attacker get the community string?
1/3 is a absurd, more like 1/3000.
Most people never change it from "public" you know.
Bonus: if the "private" community is exposed on Cisco IOS, you can read and write the router's configuration.
It's damned if you do damned if you don't.
For smaller operations I think just disabling SNMP is safer due to constant bugs and issues.
On the other hand bigger operations, you gotta monitor your devices. But now you’re open to the can of worms.
good old SNMP v1 private/private
When I worked at a company that made some networking equipment SNMP was a constant problem, security, bugs that crash the device and so on.
It became clear to me over time that the pattern at that company was to direct the less great engineering resources to SNMP...
SNMP is one of those good ideas in theory, bad ideas in practice.
Anyways, Cisco hasn’t done great engineering pretty much since the dotcom bust. They’re now essentially a giant PE firm that grows through acquisitions and then milks them dry. It’s a classic case of the accountants took over.
Cisco employee here, this is spot on.
I was at a startup they acquired ~4 years ago, by now it's just about milked completely dry.
Even though our product is close to industry-leading, they laid off our product manager, then another one, the QA team, and half of the devs. Unsurprisingly the product is falling apart.
It's not a company that attempts to produce value, as with so many others the product is the stock price.
The MBAs are showing some kind of savings on a spreadsheet somewhere though, so I suppose all the sacrifices are worth it.
That's what MBAs did to Intel too
American tech sector is being destroyed so it can be replaced by _____ and their surveillance state. It's death by a thousand cuts, labor supply, education, taxes, regulation, finance, dependencies, versioning, operating systems, etc. all are being made obfuscated, complex and frustrating to slow advancement and ultimately unstable and impossible to maintain. Most of our tech stack already has surveillance built in and that is already being co-opted and we're well on our way of having it outsourced to a foreign state.
and couldn't even get the stock to be worth anything
Cisco's old model (which worked very well for them) was to develop an outside startup and see if they gain traction while keeping at least some financial/control stake to democratize the risk and spend and then spin-in if it is succesful (or sell off).
I interviewed with Cisco once. They wanted me to do a take home interview. Implement an api, make a web app, host the GitHub repo somewhere, host the web app so it was publicly available for them to test, make sure I included full documentation and test suite. A fully tested and deployed full stack application, from scratch, as a “take home test”. I said “no, I don't work for free”.
That was by far the most egregious example I’ve encountered of “we are trying to get unpaid labor from our interview process.”
I think it's reasonable if one's applying as a full-stack developer, the app is something like a simple TODO list that isn't anything they'd actually use, and there isn't a high expectation of polish. Few hours of work at most, not days, and definitely not a first-interview thing. Expecting you to host it yourself is definitely unreasonable: they can build and run it themselves if they care that much, but eyeballing the source ought to be good enough in most cases.
It's only ok if they pay you for your time.
Yeah, that's ridiculous. It's not just FAANGs that pull this crap.
FAANGS often start it and then everyone else thinks it's going to make their company great if they do it too.
Ah good ole MPLS (Mario, Prem, Luca, and I can't remember who was S)...
Soni
Sounds like something an equity or financial firm should do. I'm not sure why a networking company decided to make that their core competency.
Selfishly, I'm happy and grateful they bought out chez scheme, opened it up, and funded development. Do I understand why? No, and I'm not going to question it!
EDIT: it seems like it was an acquihire of Dybvig and the team working on chez for something under NDA.
SNMP v3 at least has some security in mind, but a lot of devices are just v1 or v2c which are basically unsecured. Allowing ANY write access via SNMP is a bad idea in my opinion, unless you segment it out into it's own secured management or out-of-band network. Even then... I'd be worried.
Network infrastructure security has a lot of unsolved gotchas and not a lot of industry desire to fix. Most of what everyone interacts with is in an abstracted or virtualized layer on top of the old plumbing.
SNMP v2c is still common in the embedded world because it's protected with a simple password so it just works out of the box. SNMPv3 requires key management and an established PKI, and there's no equivalent of Let's Encrypt for isolated use cases in small orgs.
SNMPv3 absolutely doesn’t require PKI nor key management, it works fine with shared keys.
You can take a look at an implementation of that, which I had built for entertainment: https://github.com/ayourtch/oside/blob/main/examples/snmpwal...
I never looked into the guts of how this was implemented, but I worked on a product which had an SNMPv3 agent that was only restricted by a username and password. I could flash a PC with a fresh Ubuntu image, apt install Net-SNMP and start sending SNMPv3 requests without every futzing with any keys.
If I remember right, handling SNMPv3 traps required some messy key stuff so the agent still sent SNMPv2 traps, but there was no requirement for keys for GET/SET.
A few years ago North Korea had some Cisco routers with all ports open to the Internet, wonder if they are vulnerable.
Sounds more like a honeypot.
Since a single, angry dude brought down much of their internet I'd not be certain
Are they baiting Winnie the Pooh?
Isn't that China?
That's the reference.
I think Cisco SNMP vulnerabilities have been appearing for 20 years or more. I wish someone would add a fuzzer to their release testing script.
I haven't seen a large increase in snmp scanning, but I'll keep watching... it's pretty low activity, usually.
I guess that `no snmp-server` is enough to be protected. Well, I hope so.
SNMP: It's an acronym and a homonym.
SNMP does not sound the same as any other word nor is it spelled the same as some different word. I can't figure out what you mean.
Sound out the first three letters. I find it a very fitting description myself.
I guess that makes it a hononym of a different acronym.
Thanks for explaining!
The "yet another mortal security flaw in Cisco..." stories never seem to end.
Daydream: Journalists start ending such articles with "This is the Nth critical security flaw for Cisco in just the past year. Network security professionals we spoke to agree that network equipment vendors X, Y, and Z all have far better track records than Cisco."
Cisco hasn't yet rolled out a version of Webex that runs on Ubuntu 24.
When I worked for Cisco via an acquisition every single person I knew refused to use Webex in lieu of Google Meet etc
The last paragraph of the article doesn't serve that purpose?
1/4 of "yes", for this particular article. The regular "brands X, Y and Z are better" part would get more traction in the C-suites. And hopefully on Wall Street.
Speaking (unofficially) as someone who works at one of the "other brands" that reeks of journalists having a bias.
If a magazine for parents of severe-peanut-allergy children ended every "may contain undisclosed peanut" recall article with a "Here's our current top 3 brands for child peanut safety: ...", would anyone refer to that as reeking of journalistic bias?
How 'bout if Consumer Reports published a "We Tested 17 kitchen garbage disposals" article, and their 1-paragraph summary of the worst-rated model said "buy one of our 3 top-rated models instead"?
(Yes, I know you're giving a "proper" response. And that very few journalists might say "buy X, Y, or Z instead" about a 900 lbs. gorilla like Cisco. Recall my "Daydream" disclaimer.)