Skip to content
Make Your Internet Intelligence Blossom | Get 20% off Censys Search Teams or Solo annual plans with code Spring24 by 5/31 | Save Now
Blogs

CVE-2017-6742 Actively Exploited SNMP Vulnerability on Cisco Routers

Summary:

  • Russian-based hacker group APT28 (a.k.a. Fancy Bear) has been exploiting six-year-old SNMP vulnerabilities on unpatched Cisco Routers (CVE-2017-6742) in an international malware campaign since 2021 
  • Last Tuesday multiple U.S. and U.K. government agencies released a security advisory laying out the campaign’s exploitation tactics to help organizations defend against it
  • Censys found over 39,000 Cisco routers running public SNMP services mostly concentrated in Asia and Europe. Note that this count is of all Cisco devices with exposed SNMP, not necessarily vulnerable devices. Exposed SNMP can serve as an entry point for threat actors to conduct network reconnaissance, and should not be exposed on critical network infrastructure.

Introduction:

On April 18, 2023, the NCSC, NSA, CISA, and the FBI released a joint security advisory regarding the TTPs behind a 2021 malware campaign by APT28 (also known as Fancy Bear), a Russian state-sponsored threat actor group. The campaign targeted unpatched Cisco routers running exposed Simple Network Management protocol (SNMP) by exploiting multiple RCE vulnerabilities in SNMP (CVE-2017-6742) to deploy malware on these devices. As a result, several U.S. government assets and approximately 250 victims in Ukraine were compromised. These vulnerabilities are still being actively exploited.

SNMP was developed to enable remote monitoring of network devices. However, it can be used for malicious purposes to access internal network data. In the most severe scenarios, attackers can leverage SNMP to assume control over the device, create a comprehensive map of the entire network, and pinpoint other potential targets on the network. 

CVE-2017-6742 affects all versions of SNMP (1, 2c, and 3), and an attacker could exploit these vulnerabilities by sending a specially crafted SNMP packet to a vulnerable device via either IPv4 or IPv6. By leveraging tools like net-snmp, one can easily obtain routing tables, arp tables, and detailed information about the runtime. Poorly configured devices using default or easily guessable community strings are particularly open to such attacks. In addition to exploiting CVE-2017-6742, APT28 managed to access router information through the exploitation of weak SNMP community strings, including the default “public.” See the Jaguar Tooth malware analysis report for more detail on TTPs.

Per Cisco’s 2017 security advisory, the 9 SNMP Management Information Bases (MIBs) affected by this vulnerability are:

  • ADSL-LINE-MIB
  • ALPS-MIB
  • CISCO-ADSL-DMT-LINE-MIB
  • CISCO-BSTUN-MIB
  • CISCO-MAC-AUTH-BYPASS-MIB
  • CISCO-SLB-EXT-MIB
  • CISCO-VOICE-DNIS-MIB
  • CISCO-VOICE-NUMBER-EXPANSION-MIB
  • TN3270E-RT-MIB

“All of the MIBs listed above are enabled by default when SNMP is enabled. Some of the MIBs may not be present on all systems or versions but are enabled when present.” reads the advisory.

Regardless of whether your Cisco devices are vulnerable to this particular exploit, in general it’s important for both individuals and organizations to check if SNMP is enabled on their Cisco devices. SNMP is an example of a tool that is powerful for network management, but dangerous in the wrong hands. Cisco routers are often among an organization’s critical infrastructure assets and shouldn’t have public SNMP running. If the service must be public, administrators need to make sure that they have applied the latest Cisco patches and to mitigate the threat from this malware activity, especially now as the exploitation tactics have been published. 

Censys’s Perspective

Censys discovered an astonishing 39,000+ Cisco routers running public SNMP on the Internet. Note that these are potentially vulnerable devices — the specific versions of Cisco IOS that affected by CVE-2017-6742 are Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 and IOS XE 2.2 through 3.17.  Identifying these exposed devices was trivial for us, as they would be for a threat actor. 

 

Geographic View of Cisco Routers exposing SNMP on the Internet (created with kepler.gl)

Here are the top ten countries where these devices have been observed:

Top 10 Countries with Cisco Routers Exposing SNMP
Country Host Count %
United States 4871 12.36%
Russia 3093 7.85%
India 2931 7.44%
France 1562 3.96%
Italy 1317 3.34%
Nigeria 1316 3.34%
Thailand 1261 3.20%
Brazil 1042 2.64%
United Arab Emirates 1007 2.55%
Chile 919 2.33%

 

The types of networks we see these devices running in are a mixture of telecommunications companies and ISPs. The network with the highest concentration of exposures is SOVAM-AS, belongs to PJSC VimpelCom, a major Russian telecom company.

Top 10 Autonomous Systems with Cisco Routers Exposing SNMP
Name ASN Host Count %
SOVAM-AS 3216 1203 3.05%
BOUYGTEL-ISP 5410 1079 2.74%
DU-AS1 15802 871 2.21%
BLUECRANE 328198 803 2.04%
CTC. CORP S.A. TELEFONICA EMPRESAS 37200 640 1.62%
SIMBANET-NIGERIA 16629 632 1.60%
COMCAST-7922 7922 565 1.43%
Skyvision-Guinee-AS 328244 553 1.40%
VTCNET 19881 538 1.36%
LVLT-3549 3549 494 1.25%

CVE-2017-6742 continues to be actively exploited in vulnerable Cisco devices. As network infrastructure attacks are on the rise, malware campaigns like this on critical network assets continue to pose a serious threat to organizations. We strongly encourage network defenders to check for exposures in their networks and patch as soon as possible to mitigate the risk of compromise.

What can be done?

  • Patch your Cisco devices and follow other mitigations as recommended in Cisco’s vendor advisory
  • Check for Cisco routers exposing SNMP on your networks using this Censys Search Query
  • Censys Exposure Management customers can use the following query to check for exposure in their asset inventory: risks.name=”Cisco Router with Public SNMP”
  • If your organization’s router’s approach in the Censys Search Query or the risk is present in Censys Exposure Management, network administrators should identify the specific software version and patch via the cli and cross reference with Cisco’s Software Checker to validate. Immediate patching is recommended if running a vulnerable version.
  • In general if you have a business need to use SNMP, please take steps to properly secure it. See CISA’s security recommendations for minimizing the risk of SNMP abuse

References:

 

About the Author

Himaja Motheram
Security Researcher
Himaja Motheram is a Security Researcher at Censys, working on answering interesting questions about the Internet using Censys Search data.
Attack Surface Management Solutions
Learn more