5 Recommendations for Mitigating Exposure In Response to Cisco FXOS and NX-OS SNMP DoS Vulnerability
Cisco recently updated a May 2019 security advisory affecting Cisco FXOS and NX-OS software configured for the Simple Network Management Protocol (SNMP). This vulnerability affects a wide range of Cisco Firepower firewalls, as well as MDS and Nexus switches. It allows for a remote and unauthenticated attacker to cause a memory leak which, over time, can result in an affected device restarting.
The affected Cisco products are often used in critical data center environments where any downtime can cause an interruption to critical services and a loss of data. This security advisory has a large list of products and software versions that are affected. SNMP versions 1, 2c and 3 are all affected.
SNMP has been one of the most deployed management protocols for decades and can be configured with varying levels of security protections. However, at Optanix, we commonly see customer devices being configured with only a minimal level of protection around SNMP access.
As the aforementioned vulnerability seems to only require a malicious actor having IP reachability on UDP port 161 (used by the SNMP server running on a network device) and for SNMP to be enabled, we thought that this would be a good time to highlight the importance of securing SNMP. We have previously presented best practices for securing network device management functions. This post will focus on this security advisory and SNMP recommendations.
5 Recommendations for Mitigating Exposure
Optanix has several recommendations that can help mitigate some level of exposure on your Cisco network devices. Keep in mind that a device is never 100% safe from a security breach. These recommendations merely outline some of the steps you can take to reduce your exposure and increase security for your network devices. Below we describe five recommendations that relate to the features found to be vulnerable in the latest security advisories from Cisco.
Recommendation #1: Patch Your Network Device Immediately
If you are running an affected version of software and have the vulnerable features configured, we recommend reviewing the upgrade path within the advisory. Follow your change management procedures and patch as soon as you can once a target version of software has been identified.
Recommendation #2: Maintain a Regular and Frequent OS Patching Policy
Maintaining a regular and frequent OS patching policy is an effective proactive measure that you can take to secure your network devices. Hackers will quickly latch on to newly identified vulnerabilities and begin scanning for equipment that is affected whenever a security advisory is released to the public. By having a well-defined patching policy and change management procedure in place, you can narrow the time between when the advisory announcement is made and when your devices are no longer affected.
Recommendation #3: Configure an SNMP ACL
To limit the number of hosts on your network that have IP reachability to the SNMP process of your network device, you can configure an access-control-list (ACL). Because this vulnerability does not require a host to have the SNMP community string or credentials to trigger the condition, you cannot rely on security credentials to protect your network device.
When configuring an SNMP ACL, you must think of all the specific hosts or secured network management subnets that should be able to reach your network devices. The network device can filter out any SNMP traffic not from trusted systems once the ACL is associated with the SNMP process.
Recommendation #4: Secure Your Network Management Platforms
Organizations are using an increasing number of products to better manage their IT infrastructure. Products that help monitor, report on and automate your infrastructure can provide significant cost savings and increase productivity. However, these products are often given a wide range of access to your network devices and, if not treated with a high level of security, can be used as an entry point to your network to perform additional attacks such as the one highlighted in this post.
There are multiple best practices you can follow to secure your management platform. Here are a few:
- Weighing the security risk of IT management platform features against the business use case
- Configuring the IT management platform’s information access and handling
- Securing access and authorization to the IT management platform
- Controlling how the IT management platform communicates externally
Finally, in addition to maintaining a regular and frequent OS and application patching policy for your network devices (see recommendation #2), you should maintain one for your network management platforms as well.
Recommendation #5: Configure SNMP Version 3
Although configuring SNMP version 3 will not prevent the effects of this vulnerability, it should be a priority for organizations not currently using version 3 to migrate to it. The biggest security benefit is that version 3 can be configured to authenticate SNMP clients and encrypt SNMP traffic. This is important not just because you can enforce strong credential policies, much like you would for your user credentials, but also because your data is protected while in transit between the network device and SNMP client. SNMP can thus carry sensitive information. If your data is not encrypted, it can be viewed by any snooping device that is in the path between the network device being queried and the SNMP client.
Optanix maintains a security-first culture which we extend to all of our customer engagements. If you would like assistance with reviewing security advisories or implementing best practices, our team of enterprise networking professionals can help you. Optanix customers can get in touch by contacting your customer success manager (CSM) or by opening a service request (ESR) in the Optanix Platform. For prospective clients, please click here to engage with Optanix.