nanog mailing list archives
Re: beware: being old sucks
From: borg--- via NANOG <nanog () lists nanog org>
Date: Sun, 31 Aug 2025 14:46:23 +0200 (CEST)
Uhm.. Okay, this is bad.. But, is it really an issue? Do people really keep their infra access on the public Internet? So anyone can poke around, or even if firewalling, ACLs are wide? Maybe I am paranoid myself, but I keep stuff in a non-routable network via jumpbox. The jumpbox itself is accessed only via VPN. So, it's a long way to start poking around on my devices' SSH ports. And even if, it will be quickly noticed...

---------- Original message ----------
From: Dan Mahoney via NANOG <nanog () lists nanog org>
To: North American Network Operators Group <nanog () lists nanog org>
Cc: Dan Mahoney <danm () prime gushi org>
Subject: Re: beware: being old sucks
Date: Sun, 31 Aug 2025 02:40:12 -0700

Randy,

Something else I recently discovered that relates to this issue: I think there's a serious flaw in the way ssh key hashes are done on IOS. I've been in touch with Cisco CSIRT about it, and they've approved publication, but in short, if you're using pubkey auth to a cisco device, you might want to rethink it.

Short version: Unlike normal pubkeys, IOS only stores an md5 hash of your key to auth against, and you can thus use any key that matches that hash. Which an attacker now has.

https://gushi.medium.com/what-i-learned-from-configuring-ssh-pubkey-auth-on-cisco-ios-cbeb1e5b3b77 (should not be paywalled, email me privately if it is)

On Aug 30, 2025, at 11:30, Randy Bush via NANOG <nanog () lists nanog org> wrote:

> a fellow nanogger wrote:
>
>> I've only *just* gotten to the note from a week or more ago.
>>
>> + tftp-server nvram:startup-config <<<<<<======
>>   snmp-server community foo 98
>>   snmp-server trap-source Vlan1
>>   snmp-server location Ashburn VA US
>>
>> I, too, got this from a RANCID setup I built a long time ago.
>
> and here is the talos report, thanks joe
> https://blog.talosintelligence.com/static-tundra/
>
> set `no vstack` in config. no, that is not the default.
>
>> I'd told the owner that I didn't think he had control of his gear anymore, but this helped me to convince him to put a new switch in.
>
> moving this to nanog because i did not elaborate on a critical point. when you get this, presume the config of this trivial ancient device has been snatched. did the device have any burned in users, a la
>
>   username foo privilege 15 password 7 bar
>
> and that uid/pass is used on other, presumably more modern, devices, you need to change the passwords everywhere. same for other credentials, snmp, bgpmd5, ...
>
> randy
>
> _______________________________________________
> NANOG mailing list
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/HJ64BOPTJ75K3EX5AEHR4E4LW5OZEEQG/

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/FKCDTX5WO74LJBAE5DDNDBW3V7J76AB7/

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/MWGRSQXHKMIY7XCFPAMAEVA46CBVZZAO/
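The thread gives a defender two things to check on any config that may have been pulled this way: the indicators Randy lists (tftp-server nvram:startup-config, Smart Install left on because `no vstack` is absent, burned-in type 7 users, SNMP community strings) and whether those same credentials are reused on other, newer devices, plus Dan's point that IOS pubkey auth is keyed off an MD5 hash of the key. The script below is an added example, not code from any poster, from Cisco or from the Talos report; it runs over constructed sample configs (the hostnames, the `foo` account, the community string and the key hash are all made up) and assumes the IOS `ip ssh pubkey-chain` / `key-hash ssh-rsa <hex>` form for stored key hashes, which the page itself does not quote.

```python
import re

# Constructed sample configs, modelled on the lines quoted in the thread.
# Hostnames, the 'foo' account, the community string and the key hash are
# made up; nothing here is a real device's config.
OLD_SWITCH = """\
hostname old-switch
username foo privilege 15 password 7 bar
tftp-server nvram:startup-config
snmp-server community foo 98
snmp-server trap-source Vlan1
snmp-server location Ashburn VA US
ip ssh pubkey-chain
 username netops
  key-hash ssh-rsa 0123456789ABCDEF0123456789ABCDEF
"""

CORE_ROUTER = """\
hostname core-router
no vstack
username foo privilege 15 secret 9 PLACEHOLDER_NOT_A_REAL_HASH
snmp-server community foo RO
"""

# (finding id, per-line pattern, why it matters / what to do)
LINE_CHECKS = [
    ("tftp_startup_config_exposed",
     re.compile(r"^tftp-server\s+nvram:startup-config\b"),
     "startup-config is served over unauthenticated TFTP; remove it and assume the config leaked"),
    ("type7_password",
     re.compile(r"^username\s+\S+.*\bpassword\s+7\s+\S+"),
     "type 7 is reversible obfuscation; rotate this login everywhere it is reused"),
    ("snmp_community",
     re.compile(r"^snmp-server\s+community\s+\S+"),
     "community string in a leaked config must be rotated on every device sharing it"),
    # Assumed IOS syntax for a stored pubkey hash (not quoted on the page).
    ("ssh_pubkey_md5_hash",
     re.compile(r"^\s*key-hash\s+ssh-rsa\s+[0-9A-Fa-f]+\b"),
     "IOS stores only an MD5 hash of the public key; replace the key and rethink pubkey auth"),
]

USERNAME_RX = re.compile(r"^username\s+(\S+)")
COMMUNITY_RX = re.compile(r"^snmp-server\s+community\s+(\S+)")


def audit_config(config_text):
    """Return a list of (line_no, finding_id, note) for one config dump."""
    findings = []
    lines = config_text.splitlines()
    for n, line in enumerate(lines, 1):
        for fid, rx, note in LINE_CHECKS:
            if rx.search(line):
                findings.append((n, fid, note))
    # Whole-config check: Smart Install stays on unless 'no vstack' is present.
    if not any(l.strip() == "no vstack" for l in lines):
        findings.append((0, "vstack_not_disabled",
                         "Smart Install not disabled; add 'no vstack' (not the default)"))
    return findings


def credentials(config_text):
    """Set of (kind, value) identifiers that need rotating if this config leaked."""
    creds = set()
    for line in config_text.splitlines():
        m = USERNAME_RX.search(line)
        if m:
            creds.add(("username", m.group(1)))
        m = COMMUNITY_RX.search(line)
        if m:
            creds.add(("snmp-community", m.group(1)))
    return creds


def find_reused(configs):
    """Map each credential seen on more than one device to the sorted list of devices."""
    seen = {}
    for device, text in configs.items():
        for cred in credentials(text):
            seen.setdefault(cred, []).append(device)
    return {c: sorted(d) for c, d in seen.items() if len(d) > 1}


if __name__ == "__main__":
    fleet = {"old-switch": OLD_SWITCH, "core-router": CORE_ROUTER}
    for name, text in fleet.items():
        for line_no, fid, note in audit_config(text):
            print(f"{name}:{line_no}: {fid}: {note}")
    for cred, devices in find_reused(fleet).items():
        print(f"rotate {cred[0]} '{cred[1]}' on all of: {', '.join(devices)}")
```

Run it against real `show running-config` dumps from a RANCID or similar repo: the per-device findings say what to fix on the old box, and the reuse map is the list Randy is talking about, the credentials that have to change on the modern devices too, even though those were never touched.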
Current thread:
- beware: being old sucks Randy Bush via NANOG (Aug 21)
- Message not available
- Re: beware: being old sucks Randy Bush via NANOG (Aug 30)
- Re: beware: being old sucks Dan Mahoney via NANOG (Aug 31)
- Re: beware: being old sucks borg--- via NANOG (Aug 31)
- Re: beware: being old sucks Tom Beecher via NANOG (Aug 31)
- Re: beware: being old sucks Dan Mahoney via NANOG (Aug 31)
- Re: beware: being old sucks brent saner via NANOG (Aug 31)
- Re: beware: being old sucks Seth David Schoen via NANOG (Aug 31)
- Re: beware: being old sucks Tom Beecher via NANOG (Aug 31)
- RE: beware: being old sucks Gary Sparkes via NANOG (Aug 31)
- Re: preimage and collision attacks nanog--- via NANOG (Aug 31)
- Re: beware: being old sucks Randy Bush via NANOG (Aug 30)
- Message not available
- Re: beware: being old sucks nanog--- via NANOG (Aug 31)
- Re: beware: being old sucks Liudvikas Bukys via NANOG (Aug 31)
- Re: beware: being old sucks Tom Beecher via NANOG (Aug 31)
