Active Exploitation of SNMP Vulnerabilities in Cisco IOS and IOS XE Software
21 April 2023
There are reports of active exploitation of multiple known Simple Network Management Protocol (SNMP) vulnerabilities (CVE-2017-6736, CVE-2017-6737, CVE-2017-6738, CVE-2017-6739, CVE-2017-6740, CVE-2017-6742, CVE-2017-6743 and CVE-2017-6744) in Cisco IOS and Cisco IOS XE Software. These vulnerabilities are due to a buffer overflow condition in the SNMP subsystem of the affected software.
Successful exploitation of the vulnerabilities could allow an attacker to execute arbitrary code and obtain full control of the affected system or cause the affected system to reload.
These vulnerabilities affect all releases of Cisco IOS and IOS XE Software and all versions of SNMP, namely Versions 1, 2c, and 3.
Users and administrators are advised to perform the following mitigation measures:
- Upgrade the routers to the latest versions.
- Allow only trusted users to have SNMP access on affected systems.
- Monitor affected systems by using the command in the CLI.
- Disable the following Management Information Bases (MIBs) on devices:
  - ADSL-LINE-MIB
  - ALPS-MIB
  - CISCO-ADSL-DMT-LINE-MIB
  - CISCO-BSTUN-MIB
  - CISCO-MAC-AUTH-BYPASS-MIB
  - CISCO-SLB-EXT-MIB
  - CISCO-VOICE-DNIS-MIB
  - CISCO-VOICE-NUMBER-EXPANSION-MIB
  - TN3270E-RT-MIB
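One way to check a saved running-config against the access and MIB mitigations above, as an added example that is not part of the advisory or Cisco's own tooling. It covers SNMPv1/v2c `snmp-server community` statements only; the config excerpt is constructed, and `subtreeA`/`subtreeB` are placeholders for the OID subtrees of the listed MIBs, which this page does not give.

```python
import re

# Constructed running-config excerpt. "subtreeA"/"subtreeB" are placeholders for the
# OID subtrees of the MIBs listed above; take the real names from the vendor advisory.
SAMPLE_CONFIG = """\
snmp-server view RESTRICTED iso included
snmp-server view RESTRICTED subtreeA excluded
snmp-server community c0nstructed1 RO
snmp-server community c0nstructed2 view RESTRICTED RO 10
snmp-server community c0nstructed3 view MISSING RW 10
"""

def audit_snmp(config, required_excluded):
    """Return (line_no, issue) findings for SNMPv1/v2c community statements."""
    views = {}  # view name -> set of subtrees that view excludes
    for line in config.splitlines():
        m = re.match(r"\s*snmp-server view (\S+) (\S+) (included|excluded)\s*$", line)
        if m:
            excluded = views.setdefault(m.group(1), set())
            if m.group(3) == "excluded":
                excluded.add(m.group(2))
    findings = []  # community strings are never echoed, only line numbers
    for no, line in enumerate(config.splitlines(), 1):
        tokens = line.split()
        if tokens[:2] != ["snmp-server", "community"] or len(tokens) < 3:
            continue
        view, acl, mode, rest = None, None, "ro", iter(tokens[3:])
        for tok in rest:
            if tok.lower() == "view":
                view = next(rest, None)
            elif tok.lower() in ("ro", "rw"):
                mode = tok.lower()
            else:
                acl = tok  # ACL number or name (also covers "ipv6 <name>")
        if acl is None:
            findings.append((no, "no ACL: any source address can query"))
        if mode == "rw":
            findings.append((no, "read-write community"))
        if view is None:
            findings.append((no, "no view: all MIBs reachable"))
        elif view not in views:
            findings.append((no, f"view {view} is not defined"))
        else:
            for subtree in sorted(set(required_excluded) - views[view]):
                findings.append((no, f"view {view} does not exclude {subtree}"))
    return findings

if __name__ == "__main__":
    for no, issue in audit_snmp(SAMPLE_CONFIG, ["subtreeA", "subtreeB"]):
        print(f"line {no}: {issue}")
```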
More information is available here:
https://blogs.cisco.com/security/threat-actors-exploiting-snmp-vulnerabilities-in-cisco-routers
https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20170629-snmp.html
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108