Troubleshooting feature on Cisco routers is open to data-slurp abuse

Infiltrate A default feature of Cisco routers can readily be abused to collect data, security researchers warn.

Embedded Packet Capture (EPC) was designed by Cisco as a troubleshooting and tracing tool. The feature allows network administrators to capture data packets flowing through a Cisco router.

Brazilian security researchers Joaquim Espinhara and Rafael Silva were able to abuse the feature and build a system to hoover up massive volumes of data.

Silva told El Reg that the hack was possible by exploiting the EPC feature rather than taking advantage of a vulnerability as such. Both Cisco and the researchers agree that abuse of the feature would need privileged user access (ie admin control), a hurdle that would-be abusers would need to overcome, through some other attack or social engineering ruse.

Nonetheless, because the troubleshooting feature is enabled by default it presents a risk, according to Silva.

"There is no disable mode for this feature. Because this feature is commonly used for troubleshooting network problems," Silva explained. "Cisco have to implement some features that would stop OR [make] difficult this approach to abusing EPC."

Pulling off the attack requires "medium knowledge", but given that and around $10k in cash "you build your mini-NSA to collect and use the Mimosa Framework", according to Silva, who has made it available on Github. The main limitation is that would-be attackers need to have full (Enable Mode) access to router or routers.

A proof-of-concept hack developed by the researchers uses multiple Cisco routers configured with default accounts to send data traffic (input, output or both) to a repository. Raw data packets captured in this way can be queried to extract the sort of information that hackers are typically interested in, such as user credentials, pre-shared keys and other sensitive information. The researchers plan to extend their research to develop other attacks.

Cisco told El Reg that it was aware of the research and ready to take action, if necessary.

We are aware of the Embedded Packet Capture-related presentation at the upcoming security conference. We’ve reached out to the presenters to understand more about their research and what implications, if any, it has for our customers. We have no reason to believe that a new security vulnerability will be disclosed, but stand ready to provide advice to customers in accordance with our Security Disclosure Policy.

EPC is viewed by Cisco as "a series of well-documented commands that require privileged user access... For that reason, our best advice to customers is to ensure appropriate user access controls are in place", a spokesman added.

Cisco's detailed guidance on the feature’s use can be found here.

The research – to be presented and demonstrated for the first time at the Infiltrate security conference in Miami on Thursday (16 April) – is most relevant to penetration testers. The researchers accompanied the presentation with the release of the Mimosa Framework 1.0 source code, a network kit exploitation framework that can be used to run attacks based on either exploited known vulnerabilities or brute-forcing weak passwords (think Metaspolit for networking kit).

Silva said: "With Mimosa, you can control a huge list of routers. Start the capture, stop the capture. export the captures and make some basic attacks like brute force and exploiting old CVEs."

Configuring routers to collect data and build a huge database is the sort of feature likely to be of interest to signals intelligence agencies, the ongoing Edward Snowden leaks (at least) would suggest.

Cisco introduced the feature around six years ago. Silva has no knowledge whether or not people might have abused the feature to harvest and subsequently analyse data. "I think that the NSA have better techniques to do this," he joked.

"Other vendors maybe have the same feature to capture and export the packets to a remote location," according to Silva, but such possible shortcomings is outside the scope of Espinhara and Silva's research.

Infiltrate is a two-day conference that's focused exclusively on offensive security. It features carefully chosen technical talks on the latest exploits and techniques. ®