Netonix Exploit?
-
AdamB - Member
- Posts: 11
- Joined: Sat Feb 14, 2015 6:00 pm
- Location: East Bay, CA
- Has thanked: 1 time
- Been thanked: 2 times
Re: Netonix Exploit?
As a security professional I'm not a huge fan of the response to a possible security issue being, 'Just don't put it on a routable address.' Obviously practicing defense in depth is a best practice across the industry, but that also means taking investigation of potential security issues in the software extremely seriously. Unpatched holes in IoT devices including switches, routers, etc., are a huge issue in our industry and the lackadaisical attitude shown here contributes to the problem.
-
sirhc - Employee
- Posts: 7415
- Joined: Tue Apr 08, 2014 3:48 pm
- Location: Lancaster, PA
- Has thanked: 1608 times
- Been thanked: 1325 times
Re: Netonix Exploit?
AdamB wrote: As a security professional I'm not a huge fan of the response to a possible security issue being, 'Just don't put it on a routable address.' Obviously practicing defense in depth is a best practice across the industry, but that also means taking investigation of potential security issues in the software extremely seriously. Unpatched holes in IoT devices including switches, routers, etc., are a huge issue in our industry and the lackadaisical attitude shown here contributes to the problem.
So in the past we had a security hole from a package we use to run our HTTP interface. Mind you, the exploit did not allow someone to gain control of the switch, but rather to crash it by writing to the flash until it was full; a factory default cleared it and allowed it to be upgraded.
When the hole was exploited and the package authors released a patch we incorporated it in our next release.
This "potential" hole that Matt reported has not been confirmed or verified by us, or reported by another user, "as of yet".
If you are expecting us to provide 100% foolproof code then you live in a dreamland, because much larger companies with far more programmers are constantly being exploited and the best that can be done is patch them as they are discovered and confirmed. Large companies like Microsoft, Apple, Cisco, and such constantly release updates with security hole patches as they are discovered, exploited, and then verified and patched.
However my advice is solid, and one that I practice, as do most service providers, which is to secure my infrastructure devices from even being probed or being accessible to be exploited.
I keep my devices on IP space that is not routed outside my network, and in the rare event I have no choice I use access control lists to limit their exposure. If the device has a WWW routable IP then we provide an Access Control List feature, but if the switch is behind a NAT and you port map to it for outside access then you have to secure the Access Control List in the router, as the switch will see all outside probes as coming from the NAT router.
We said we would investigate and we are.
We said we would look for patches to any packages we use but do not write which we are.
We explained best practices to prevent probing and possible exploitation, which is to limit access from the WWW via things like Access Control Lists and/or putting sensitive infrastructure on private un-routable IPs and/or the use of private VLANs.
I fail to see the lackadaisical response you claim I had. The complete transcript of my response to Matt has been declassified and is available to read above. Now if you want to do an Adam Schiff parody of my response to Matt and then call it lackadaisical then I guess so, but there was definitely no quid pro quo, I can promise you that.
Just what action and advice would you have taken and given that differs from mine?
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
-
Stephen - Employee
- Posts: 1033
- Joined: Sun Dec 24, 2017 8:56 pm
- Has thanked: 85 times
- Been thanked: 181 times
Re: Netonix Exploit?
Also should point out that it was stated here already:
viewtopic.php?f=17&t=5687
We will be making sure that all of the software packages used for interfacing to the switch, like ssh, http, etc., will be up to date with the latest available for our platform.
Also, as a security professional, if you would be willing to report here reproducible ways of revealing potential exploits, I guarantee that I would then use that information to work towards patches to such holes.
tophfro - Member
- Posts: 2
- Joined: Thu Nov 15, 2018 3:37 pm
- Location: Lewisburg, PA
- Has thanked: 1 time
- Been thanked: 0 time
Re: Netonix Exploit?
I received an alert from my management gateway that one of the WS-26 units I have is trying (blocked by gateway) to contact an IP in Taiwan. It tries multiple times a day. The switch isn't publicly accessible, and was running v1.5.5 (I have since upgraded to 1.5.8). I'm planning to do a factory reset on the unit in hopes of wiping out the potential malware, but before I do that, is there some kind of system dump I can send that might help diagnose an issue?
-
Stephen - Employee
- Posts: 1033
- Joined: Sun Dec 24, 2017 8:56 pm
- Has thanked: 85 times
- Been thanked: 181 times
Re: Netonix Exploit?
Yes, send me the log file from the switch, located in
- Code:
/var/log/messages
If easier and SMTP is set up, you can also email the entire file to yourself and then PM it as a text file to me here.
Also copy and paste the output of these commands to a PM to me:
- Code:
cmd
netstat -a -p
and also
- Code:
cmd
ps
By the way, v1.5.9rc1 does have the latest version of dropbear running on it if you would like to secure yourself from ssh attacks as much as possible.
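As an added example (not code from Netonix or from anyone in this thread), here is a small Python triage script that applies the two pieces of advice above to the `netstat -a -p` and `ps` output Stephen asks for: sirhc's point that an infrastructure switch should only ever talk to the operator's own management network, and tophfro's symptom of a switch repeatedly reaching out to an unexpected address. The sample outputs, the `10.20.0.0/16` management prefix, the process names and the documentation-range peer addresses are all constructed for illustration and were not observed on any real device; the BusyBox-style column layout is an assumption about what the switch prints.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the layout BusyBox `netstat -a -p` prints on an
# embedded device. Addresses are private/documentation ranges chosen for
# the example, not anything captured from a real switch.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/dropbear
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      640/lighttpd
tcp        0      0 10.20.0.5:443           10.20.0.50:52114        ESTABLISHED 640/lighttpd
tcp        0      0 10.20.0.5:38672         203.0.113.77:6667       ESTABLISHED 2131/.watch
udp        0      0 0.0.0.0:161             0.0.0.0:*                           655/snmpd
"""

# Constructed sample in BusyBox `ps` layout (PID USER VSZ STAT COMMAND).
SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
    1 root      1340 S    init
  612 root      2104 S    /usr/sbin/dropbear
  640 root      4812 S    /usr/sbin/lighttpd -f /etc/lighttpd.conf
  655 root      1920 S    /usr/sbin/snmpd
 2131 root      1876 S    /tmp/.watch
"""

# Assumed operator management network: the only peers a switch should talk to.
MGMT_PREFIXES = ["10.20.0.0/16"]

# Directories that are writable on most embedded Linux images; a long-running
# daemon launched from one of them deserves a look (heuristic, not proof).
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Socket:
    proto: str
    local: str
    foreign: str
    state: str
    program: str


def parse_netstat(text):
    """Parse BusyBox/net-tools style `netstat -a -p` output into Socket records."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue  # banner and header lines
        # Unconnected UDP sockets have no State column, so the line is one
        # field shorter; PID/Program is always the last field.
        state = parts[5] if len(parts) == 7 else ""
        sockets.append(Socket(parts[0], parts[3], parts[4], state, parts[-1]))
    return sockets


def triage_sockets(sockets, mgmt_prefixes):
    """Return (kind, socket) findings: listeners bound to every interface, and
    live peers outside the management network."""
    nets = [ipaddress.ip_network(p) for p in mgmt_prefixes]
    findings = []
    for s in sockets:
        f_host, f_port = s.foreign.rsplit(":", 1)
        if f_port == "*":
            l_host = s.local.rsplit(":", 1)[0]
            if l_host in ("0.0.0.0", "::"):
                findings.append(("exposed-listener", s))
            continue
        if not any(ipaddress.ip_address(f_host) in n for n in nets):
            findings.append(("unexpected-peer", s))
    return findings


def parse_ps(text):
    """Return (pid, command) pairs from BusyBox `ps` output."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or not parts[0].isdigit():
            continue
        procs.append((int(parts[0]), parts[4]))
    return procs


def processes_in_writable_dirs(procs):
    """Flag processes whose executable lives in a writable scratch directory."""
    return [(pid, cmd) for pid, cmd in procs if cmd.startswith(WRITABLE_DIRS)]


if __name__ == "__main__":
    for kind, s in triage_sockets(parse_netstat(SAMPLE_NETSTAT), MGMT_PREFIXES):
        print(f"{kind:17} {s.proto} {s.local} -> {s.foreign} [{s.program}]")
    for pid, cmd in processes_in_writable_dirs(parse_ps(SAMPLE_PS)):
        print(f"writable-dir-proc pid={pid} {cmd}")
```

Run against real output, the interesting lines are the `unexpected-peer` entries: on a switch that is only supposed to be managed from the private network, any established session to an address outside `MGMT_PREFIXES` is what a gateway alert like tophfro's would correspond to, and the PID/Program column tells you which process to look up in `ps`. The `exposed-listener` entries are simply the services (ssh, http, snmp) that an ACL or private VLAN placement, as sirhc recommends, is meant to keep unreachable from the outside.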