Thousands Of Network Devices Open To Password Theft

Hundreds of thousands of network machines are open to attacks that could leak their usernames and passwords, thanks to vulnerabilities in a much-used protocol.

The flaws reside in the read only community string “public” in the Simple Network Management Protocol (SNMP), used for configuring systems connected to the network. An attacker could “easily” get credentials for the affected machines, Rapid7 researchers said.

SNMP protocol flawed

They said Brocade’s ServerIron load balancer was vulnerable, claiming it would be trivial for hackers to get hold of sensitive information from the devices. “Unless SNMP is disabled, or the public community string is changed, an attacker can easily extract the passwords hashes for an offline brute force attack,” the researchers added in a blog post.

Rapid7 also singled out a number of vulnerable routers and modems: the Ambit U10C019 and Ubee DDW3611 series of cable modems, and the Netopia 3347 series of DSL modems.

In those cases, if the default settings were left alone, the devices were not vulnerable. Yet certain providers enable SNMP with the weakness left open.

Using the device search engine, Shodan, the researchers said there were 229,409 Ambit and 224,544 Netopia machines exposed to the internet.

“While it can certainly be argued that information disclosure vulnerabilities are simple to resolve and largely the result of poor system configuration and deployment practices, the fact remains that these issues can be exploited to gain access to sensitive information. In practice, the low-hanging fruit are often picked first,” the researchers added.

“The tested modems are currently end-of-life, which means that the chances of firmware updates to address these insecure defaults are quite unlikely to be released. Of course, just because something is end-of-life doesn’t mean it disappears from the Internet – causal Shodan browsing attests to that.

“Further, we cannot know if these configurations persist in current, supported offerings from the vendors, but you might want to check yours.”

The three vendors were notified in February. At the time of publication, none had responded to requests for comment.

What do you know about Internet security? Find out with our quiz!