Incident Response, TDR, Vulnerability Management

Critical info on modems, load balancer, exposed via SNMP community string

Researchers have discovered critical information disclosure vulnerabilities in a load balancer and a couple of modems that can be exploited via the Simple Network Management Protocol (SNMP) public community string, which serves as a password for accepting requests.

The heart of the problem is in the Management Information Base (MIB), Deral Heiland, a senior security consultant at Rapid7, told in a Friday email correspondence, adding that the MIB can be accessed via SNMP queries to the devices.

“Vendors create custom MIB tables that contain information about the devices and certain configuration data,” Heiland said. “This becomes an issue when a vendor creates a MIB index table containing critical info such as password information, which is what has happened in these cases.” 

The Brocade ServerIron ADX 1016-2-PREM TrafficWork Version 12.5.00T403 application load balancer, the Ambit U10C019 and Ubee DDW3611 series of cable modems, and the Netopia 3347 series of DSL modems were observed to contain the vulnerabilities, according to a Friday post by Heiland.

The Brocade and Netopia devices have SNMP enabled by default, according to the post, which adds that 229,409 Ambit and Ubee devices and 224,544 Netopia devices are being exposed to the internet, with 187,000 devices seeming to be in the U.S.

Obtaining the MIB on devices enabled with the default community string of “public” or “private” is fairly simple, Heiland said, explaining an individual only needs to query the device for the information.

In the case of the aforementioned vulnerable devices, attackers could steal credentials from the device, access data stored in the device SNMP database, manipulate the behavior of the device and potentially leverage all that into gaining a foothold in a corporate or home network, Heiland said.

Heiland offered a number of suggestions to mitigate the threat, including changing the SNMP community strings from default of “public” and “private” to something more complex, configuring corporate firewalls so SNMP port 161 is not exposed to the internet, or simply disabling SNMP altogether if it is not needed.

While investigating the issue along with his research partner Matthew Kienow, Heiland learned that many devices exposed information, but that this data was typically public, or “benign,” according to the post.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.