For smaller operations I think just disabling SNMP is safer due to constant bugs and issues.
On the other hand bigger operations, you gotta monitor your devices. But now you’re open to the can of worms.
Depends what you mean by "expose". Some people could read that as "exposed to the Internet". I'm reading it as "exposed to anything".
This looks like a good fun for doing lateral movement inside a network. I know of lots of environments with SNMPv2 wide open for "internal" networks to access.
Plus SNMP is UDP-based, so likely the exploit will work with a one-way path and spoofed source addresses.
How did the attacker get the community string?
Bonus: if the "private" community is exposed on Cisco IOS, you can read and write the router's configuration.
Daydream: Journalists start ending such articles with "This is the Nth critical security flaw for Cisco in just the past year. Network security professionals we spoke to agree that network equipment vendors X, Y, and Z all have far better track records than Cisco."
How 'bout if Consumer Reports published a "We Tested 17 kitchen garbage disposals" article, and their 1-paragraph summary of the worst-rated model said "buy one of our 3 top-rated models instead"?
(Yes, I know you're giving a "proper" response. And that very few journalists might say "buy X, Y, or Z instead" about a 900 lbs. gorilla like Cisco. Recall my "Daydream" disclaimer.)
I guess that makes it a hononym of a different acronym.
This is why zero trust networking makes sense. You can't assume the network layer is secure when the infrastructure itself is compromised.
duxup•4mo ago
It became clear to me over time that the pattern at that company was to direct the less great engineering resources to SNMP...
hylaride•4mo ago
Anyways, Cisco hasn’t done great engineering pretty much since the dotcom bust. They’re now essentially a giant PE firm that grows through acquisitions and then milks them dry. It’s a classic case of the accountants took over.
FuriouslyAdrift•4mo ago
Our_Benefactors•4mo ago
That was by far the most egregious example I’ve encountered of “we are trying to get unpaid labor from our interview process.”
FuriouslyAdrift•4mo ago
lawlessone•4mo ago
chuckadams•4mo ago
jacquesm•4mo ago
stuff4ben•4mo ago
lima•4mo ago
themafia•4mo ago
MangoToupe•4mo ago
EDIT: it seems like it was an acquihire of Dybvig and the team working on chez for something under NDA.
rubymancer•4mo ago
I was at a startup they acquired ~4 years ago, by now it's just about milked completely dry.
Even though our product is close to industry-leading, they laid off our product manager, then another one, the QA team, and half of the devs. Unsurprisingly the product is falling apart.
It's not a company that attempts to produce value, as with so many others the product is the stock price.
The MBAs are showing some kind of savings on a spreadsheet somewhere though, so I suppose all the sacrifices are worth it.
downrightmike•4mo ago
neuroelectron•4mo ago
iwontberude•4mo ago
FuriouslyAdrift•4mo ago
Network infrastructure security has a lot of unsolved gotchas and not a lot of industry desire to fix. Most of what everyone interacts with is in an abstracted or virtualized layer on top of the old plumbing.
elevation•4mo ago
ay•4mo ago
You can take a look at an implementation of that, which I had built for entertainment: https://github.com/ayourtch/oside/blob/main/examples/snmpwal...
mkipper•4mo ago
If I remember right, handling SNMPv3 traps required some messy key stuff so the agent still sent SNMPv2 traps, but there was no requirement for keys for GET/SET.