
Thousands Of Network Devices Open To Password Theft

Hundreds of thousands of network machines are open to attacks that could leak their usernames and passwords, thanks to vulnerabilities in a much-used protocol.

The flaws stem from the default read-only community string “public” in the Simple Network Management Protocol (SNMP), which is used to configure systems connected to the network. An attacker could “easily” obtain credentials for the affected machines, Rapid7 researchers said.

SNMP protocol flawed

They said Brocade’s ServerIron load balancer was vulnerable, claiming it would be trivial for hackers to get hold of sensitive information from the devices. “Unless SNMP is disabled, or the public community string is changed, an attacker can easily extract the password hashes for an offline brute force attack,” the researchers added in a blog post.

Rapid7 also singled out a number of vulnerable routers and modems: the Ambit U10C019 and Ubee DDW3611 series of cable modems, and the Netopia 3347 series of DSL modems.

In those cases the devices were not vulnerable if the default settings were left alone. Yet certain providers enable SNMP while leaving the weakness open.
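The two fixes the researchers name are disabling SNMP or replacing the “public” community string. The following audit helper, added here as an illustration and not part of the article or Rapid7's research, flags the weak settings in a device configuration; the config syntax it parses (net-snmp `rocommunity`/`rwcommunity` and a simplified Cisco IOS `snmp-server community` line) and the sample configs are assumptions, constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Vendor defaults that are tried first against any exposed SNMP agent.
DEFAULT_COMMUNITIES = {"public", "private"}

@dataclass
class Finding:
    line_no: int
    text: str
    reason: str

# net-snmp style:  rocommunity <string> [source]        ("default" or no source = any host)
# Cisco IOS style: snmp-server community <string> [RO|RW] [acl]   (simplified grammar, assumption)
NETSNMP = re.compile(r"^\s*(rocommunity|rwcommunity)\s+(\S+)(?:\s+(\S+))?", re.I)
IOS = re.compile(r"^\s*snmp-server\s+community\s+(\S+)(?:\s+(RO|RW))?(?:\s+(\S+))?", re.I)

def audit_snmp_config(config: str) -> List[Finding]:
    """Return one Finding per weak property of each SNMPv1/v2c community line."""
    findings: List[Finding] = []
    for n, line in enumerate(config.splitlines(), 1):
        if m := NETSNMP.match(line):
            kind, community, source = m.groups()
            writable = kind.lower() == "rwcommunity"
            restricted = source is not None and source.lower() != "default"
        elif m := IOS.match(line):
            community, mode, acl = m.groups()
            writable = (mode or "RO").upper() == "RW"
            restricted = acl is not None
        else:
            continue  # comments and unrelated directives
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding(n, line.strip(), f"default community string {community!r}"))
        if writable:
            findings.append(Finding(n, line.strip(), "read-write community sent in cleartext (v1/v2c)"))
        if not restricted:
            findings.append(Finding(n, line.strip(), "no source address restriction"))
    return findings

# Constructed sample: the exposed default the article describes, in two dialects.
WEAK_CONFIG = """\
# constructed snmpd.conf fragment with vendor defaults
rocommunity public
rwcommunity private
# constructed Cisco IOS line using the same default string
snmp-server community public RO
"""

# Constructed sample: unique string, read-only, limited to a management subnet.
HARDENED_CONFIG = """\
rocommunity Xk7-mgmt-readonly 10.10.0.0/24
"""
```

Print `audit_snmp_config(WEAK_CONFIG)` to see every flagged line with its reason; the hardened fragment produces no findings.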

Using the device search engine Shodan, the researchers said there were 229,409 Ambit and 224,544 Netopia machines exposed to the internet.

“While it can certainly be argued that information disclosure vulnerabilities are simple to resolve and largely the result of poor system configuration and deployment practices, the fact remains that these issues can be exploited to gain access to sensitive information. In practice, the low-hanging fruit are often picked first,” the researchers added.

“The tested modems are currently end-of-life, which means that the chances of firmware updates to address these insecure defaults are quite unlikely to be released. Of course, just because something is end-of-life doesn’t mean it disappears from the Internet – casual Shodan browsing attests to that.

“Further, we cannot know if these configurations persist in current, supported offerings from the vendors, but you might want to check yours.”

The three vendors were notified in February. At the time of publication, none had responded to requests for comment.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
