Why Aren't You Using Secure Communications To Manage Your Network?


When I first got into the weeds in my career, I started out managing routers and switches. This was back when the world was flat and it was fairly commonplace to do so using telnet. I didn't know any better at first. In short order I realized that this was passing information in the clear. That realization hit me about a week into the job when I was running the snoop command on a Solaris box. A rather startling revelation for someone new to the field. Which raises the question: what rationale are people who have been running networks for years using to justify unencrypted communications for managing those networks?

*crickets*

Let's be clear about this: there is no solid reason why network management should still be done over clear-text protocols. As far back as November 2003 we had SSH version 2 support available in Cisco IOS on routers and switches. Here we are almost twelve years later and it is still a trivial exercise to search for Cisco devices online that are exposing telnet.

When I say that I can find some online you inevitably want to know "How many?" Well, a quick search revealed 378,802 devices identifying as Cisco routers that had telnet (tcp/23) open for the whole world to query. "But, you need a password" is a refrain that I've heard too often. Want to take an educated guess as to how many of those systems will allow access with the password "Cisco"? I'll bet my morning coffee the number will be greater than one.

Here is a quick rundown of how those numbers parse out globally: in the United States there were 70,114, in Russia I found 48,964, China 45,575, Mexico 43,457 and Brazil 16,498. Is this a byproduct of lazy admins or a fundamental lack of understanding of the risks involved? I have heard some amazing responses to these questions in the past. One of my favourites was "we're running a very old version of Cisco IOS so we're safe", closely followed by "We're using a strong password so we're fine." Neither holds up: an old IOS image is an unpatched one, and a strong password does nothing for you when telnet hands it, in the clear, to anyone sitting on the path.

This leads me to wonder where the disconnect is when trying to communicate the issues. Are we, as security practitioners, failing our organizations by not properly communicating the risks, or do the networking folks not care? Always a head scratcher. To be fair, if a Cisco device is properly configured it is a tough one to break into. But that is a big "if". Take the aforementioned 378,802 devices that responded to telnet, then go a step further and look at the HTTP management interface. Historically at least, this ran over port 80, which means more configuration traffic, and the login credentials, passing in the clear. A quick search revealed 413,187 devices exposing this interface.

Example:

HTTP/1.1 401 Unauthorized
Date: Mon, 23 Mar 2015 18:38:07 GMT
Server: cisco-IOS
Connection: close
Accept-Ranges: none
WWW-Authenticate: Basic realm="level_15 or view_access"

OK, so a password is required. The problem is that, depending on the release running on the device, this interface may be open to an authentication bypass. Note as well that HTTP Basic authentication (the "Basic realm" in that response) only base64-encodes the username and password, so over port 80 they are readable by anyone on the path. In fact there are numerous Cisco related issues that have Metasploit modules readily available for a novice to exploit. I've used Metasploit to compromise a Cisco device in my lab and yes, it is that easy.

The last problem with network devices that drives me to distraction is the failure to deal properly with Simple Network Management Protocol, or SNMP. Even today I run across systems that are using public and private as their community strings. For those of you who may not be familiar with this, it is the equivalent of using a password of "password". An ill-advised configuration item. It is also worth remembering that with SNMPv1 and v2c the community string crosses the wire in clear text no matter how strong you make it; only SNMPv3 with authentication and privacy enabled closes that hole.

Here is an example of an SNMP-accessible device, the sysDescr string it returned:

Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-ADVIPSERVICESK9-M), Version 12.3(13), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.

While I will bark away about people needing to keep on top of security patches for their servers, the same applies to networking devices. For the sake of clarity, I'm not picking on Cisco at all. I was just using their devices to make the point that your network needs patch love too. Case in point: look at the copyright line in that SNMP output above, which reads 2005. That particular device has been running on the same code for 10 years.
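Everything above (telnet on the vty lines, the clear-text HTTP server, default SNMP community strings, and an IOS build a decade old) can be checked offline from a saved running-config and a sysDescr string before a device is ever put on the wire. The following Python script is an added example written for this page, not code from the article, Cisco or any project. The two configurations in it are constructed for illustration, the list of "default" community strings is my own assumption, and a vty block with no "transport input" line is treated as permitting telnet, matching the classic IOS default. The sysDescr it parses is the one quoted above.

```python
"""Offline audit of the management-plane weaknesses this article calls out.

Added example, not code from the article: checks a saved IOS running-config
for telnet on the vty lines, the clear-text HTTP server and SNMPv1/v2c
community strings, and pulls the version and build year out of an SNMP
sysDescr string. The two configs below are constructed for illustration.
"""
import re

# Assumption: community strings that ship as defaults or live in every word list.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "secret"}

# Constructed weak config: telnet on the vty lines, HTTP on tcp/80,
# default SNMP communities.
WEAK_CONFIG = """\
hostname edge-rtr-1
!
snmp-server community public RO
snmp-server community private RW
!
ip http server
!
line vty 0 4
 login
 transport input telnet ssh
!
"""

# Constructed hardened config: SSHv2 only, HTTPS only, SNMPv3 authPriv.
# Angle-bracket placeholders stand in for real credentials.
HARDENED_CONFIG = """\
hostname edge-rtr-1
!
ip domain-name example.net
ip ssh version 2
!
no ip http server
ip http secure-server
!
snmp-server group MONITOR v3 priv
snmp-server user nms MONITOR v3 auth sha <auth-pass> priv aes 128 <priv-pass>
!
line vty 0 4
 login local
 transport input ssh
!
"""


def _blocks(config):
    """Split IOS config text into (top-level line, [indented child lines])."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] in " \t":
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(config):
    """Return a list of findings; an empty list means no clear-text
    management path was found in the config."""
    findings = []
    blocks = _blocks(config)
    top = [parent for parent, _ in blocks]

    # 1. vty lines. Classic IOS defaults 'transport input' to all protocols
    #    (assumption here), so a vty block without the command counts as telnet.
    for parent, children in blocks:
        if not parent.startswith("line vty"):
            continue
        transports = [c for c in children if c.startswith("transport input")]
        if not transports:
            findings.append(f"{parent}: no 'transport input' set, telnet allowed by default")
        for t in transports:
            allowed = t.split()[2:]
            if "telnet" in allowed or "all" in allowed:
                findings.append(f"{parent}: '{t}' allows telnet")

    # 2. Clear-text HTTP management on tcp/80. 'no ip http server' and
    #    'ip http secure-server' are different lines and do not match.
    if "ip http server" in top:
        findings.append("'ip http server' enabled: management over HTTP in the clear")

    # 3. SNMPv1/v2c communities cross the wire in clear text whatever the
    #    string is; default names make it worse. SNMPv3 'snmp-server user'
    #    and 'snmp-server group' lines do not match this pattern.
    for line in top:
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", line, re.I)
        if m:
            name, mode = m.group(1), (m.group(2) or "RO").upper()
            tag = " (default string)" if name.lower() in DEFAULT_COMMUNITIES else ""
            findings.append(f"SNMPv1/v2c community '{name}' {mode}{tag}: clear text")
    return findings


def parse_sysdescr(sysdescr):
    """Pull the IOS version string and the build copyright year out of sysDescr."""
    ver = re.search(r"Version ([^,\s]+)", sysdescr)
    year = re.search(r"Copyright \(c\) \d{4}-(\d{4})", sysdescr)
    return {"version": ver.group(1) if ver else None,
            "build_year": int(year.group(1)) if year else None}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit_config(cfg)
        print(f"[{label}] {len(found)} finding(s)")
        for f in found:
            print("  -", f)
    # The sysDescr quoted in the article, as the device returned it.
    desc = ("Cisco Internetwork Operating System Software\n"
            "IOS (tm) C2600 Software (C2600-ADVIPSERVICESK9-M), Version 12.3(13), RELEASE SOFTWARE (fc2)\n"
            "Copyright (c) 1986-2005 by cisco Systems, Inc.")
    print(parse_sysdescr(desc))
```

Run against the weak config it reports four findings (telnet on the vty lines, the HTTP server, and both default communities); the hardened config comes back clean. The only things it cannot see in a config file are whether an RSA key was actually generated for SSH and whether the SNMPv3 user really exists, so treat a clean result as a starting point and confirm on the box.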

Patch your systems. Ensure they're properly configured and, for the love of all that is good and holy, use secure communication to manage the devices.
