By the way anyone trying to actually reproduce/test this just use Debian 10 because they have the DECnet for Linux tools in a deb already and it wouldn't compile on an RPM based system.
-Drew -----Original Message----- From: cisco-nsp <[email protected]> On Behalf Of Drew Weaver Sent: Friday, August 6, 2021 12:18 PM To: '[email protected]' <[email protected]>; 'cisco-nsp' <[email protected]> Subject: Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP) Yes, Plus consider the fact that if you do a 'show users' it shows up as a VTY connection and if you set transports on your configuration interfaces (console) it ignores that and still works. -Drew -----Original Message----- From: cisco-nsp <[email protected]> On Behalf Of Randy (K6RP) Sent: Friday, August 6, 2021 12:13 PM To: cisco-nsp <[email protected]> Subject: Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP) For something that is answering by default, where brutes cannot be blocked or ratelimited by CoPP or MLS kbobs? Control plane DDoS anyone? What other surprises are in it's codes? I'm sure a (hopefully) whitehat would have fun with this one. --- ~Randy (K6RP) On 08/06/2021 9:00 am, Drew Weaver wrote: > AAA was unconfigured as I was testing on a lab router. > > Whether or not it provides unauthorized access depends on whether you > expect anyone that has something connected to that router to have > access to the console or not. > > At the very least it provides an opportunity and a vector. > > It doesn't seem to log anything when you use it, too. > > -----Original Message----- > From: Oliver Boehmer (oboehmer) <[email protected]> > Sent: Friday, August 6, 2021 11:48 AM > To: Gert Doering <[email protected]>; Lukas Tribus <[email protected]> > Cc: [email protected] > Subject: Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP) > > > On Fri, Aug 06, 2021 at 02:00:30PM +0200, Lukas Tribus wrote: > > I'm no longer putting in hundreds of hours to fight losing > battles, > > which earlier in my carrier I did: > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.cisco.com_s > ecurity_center_content_CiscoSecurityAdvisory_Cisco-2DSA-2D20140828-2DC > VE-2D2014-2D3347&d=DwIGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiM > M&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=C7uP5I5FPqc4m2MQRUF_ > ir9MYgYPqlHPppfTRkcOuGU&s=cqRIG75OwMpTMXCVJLn6A_Iq4_3cYPNbJBKRE0xMhSk& > e= > > Ensuring that MOP is dead and stays buried might actually be worth > a > PSIRT effort - any feature that is on-by-default and enables > unauthorized > access to a device should be worth the fight. > > +1, and worth a PSIRT case right away. > But it doesn't provide unauthorized access, does it? Drew's test > showed a password prompt (not sure what the AAA config looked like).. > > oli > > _______________________________________________ > cisco-nsp mailing list [email protected] > https://urldefense.proofpoint.com/v2/url?u=https-3A__puck.nether.net_m > ailman_listinfo_cisco-2Dnsp&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A > _CdpgnVfiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=ZUHFdp0mN > GBoAt2x7IibB5wtqmMT0eB8-LONI5uB814&s=GOpxtNUbb64MhC2AZqTgYHArDZFDggCDo > LtGb8d0N1I&e= archive at > https://urldefense.proofpoint.com/v2/url?u=http-3A__puck.nether.net_pi > permail_cisco-2Dnsp_&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnV > fiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=ZUHFdp0mNGBoAt2x > 7IibB5wtqmMT0eB8-LONI5uB814&s=xdkRJ-gfUnCBgWmKNESTsXN95Wq2Tf2lcmCLOCfl > F8M&e= _______________________________________________ cisco-nsp mailing list [email protected] https://urldefense.proofpoint.com/v2/url?u=https-3A__puck.nether.net_mailman_listinfo_cisco-2Dnsp&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=ZUHFdp0mNGBoAt2x7IibB5wtqmMT0eB8-LONI5uB814&s=GOpxtNUbb64MhC2AZqTgYHArDZFDggCDoLtGb8d0N1I&e= archive at https://urldefense.proofpoint.com/v2/url?u=http-3A__puck.nether.net_pipermail_cisco-2Dnsp_&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=ZUHFdp0mNGBoAt2x7IibB5wtqmMT0eB8-LONI5uB814&s=xdkRJ-gfUnCBgWmKNESTsXN95Wq2Tf2lcmCLOCflF8M&e= _______________________________________________ cisco-nsp mailing list [email protected] https://urldefense.proofpoint.com/v2/url?u=https-3A__puck.nether.net_mailman_listinfo_cisco-2Dnsp&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=Kze-nkxcdJWnYbND1rBSuvGfJui-MR5_7Eu6PnlGR2I&s=0de2sd7YXD5wlULWOKCcZW2izjcefVOtmtZ2yfooXqE&e= archive at https://urldefense.proofpoint.com/v2/url?u=http-3A__puck.nether.net_pipermail_cisco-2Dnsp_&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=Kze-nkxcdJWnYbND1rBSuvGfJui-MR5_7Eu6PnlGR2I&s=bCoD7EIDzcJkkDM0mdxFnGTp7HkE9RlOekA6KXoyeus&e= _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
