Mailing List Archive

TIL: Maintenance Operations Protocol (MOP)
Hello,

Sorry for the noise if you are all aware of what MOP is but if you aren't aware of what it is and use Cisco products (especially in a multi-tenant environment) it may be a good idea to read about it and evaluate any impact it may or may not have on your environment.

Have a nice day =)

-Drew

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: TIL: Maintenance Operations Protocol (MOP)
Was finally able to build the tools.

test@server:~# moprc -v -i eno1 00:0f:35:2b:xx:xx
Maintenance Version: 3.0.0

Console connected (press CTRL/D when finished)

Password:
% Password: timeout expired!
Password:
LAB>

You guys might already be aware of this and how nothing is logged at all when it is being used but I wasn't so that is why I am sharing.

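Since the device logs nothing for a MOP console session, the place a defender can still see one is on the wire (a mirror port or a capture on the segment). The following is an added example, not from the thread or from any of the tools it mentions: it classifies captured Ethernet frames by the DEC MOP EtherTypes (0x6001 dump/load, 0x6002 remote console, values taken from the IEEE EtherType registry rather than from the thread), looks through one 802.1Q tag so a tagged tenant VLAN is not missed, and separates unicast console attempts from the multicast announcements; the frames and MAC addresses are constructed.

```python
"""Flag DEC MOP frames in captured Ethernet traffic. Added example, not from
the thread. EtherTypes 0x6001 (DEC MOP Dump/Load) and 0x6002 (DEC MOP Remote
Console) are from the IEEE EtherType registry; ab:00:00:02:00:00 is the DEC
MOP remote-console multicast group. SAMPLE_FRAMES and the MACs in them are
constructed, not captured from a real device."""
import struct

ETHERTYPE_MOP_DUMP_LOAD = 0x6001
ETHERTYPE_MOP_REMOTE_CONSOLE = 0x6002
ETHERTYPE_VLAN = 0x8100
MOP_TYPES = {ETHERTYPE_MOP_DUMP_LOAD: "MOP dump/load",
             ETHERTYPE_MOP_REMOTE_CONSOLE: "MOP remote console"}
MOP_RC_MULTICAST = "ab:00:00:02:00:00"


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: int = None) -> bytes:
    """Construct a raw Ethernet II frame, optionally 802.1Q tagged."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst/src/vlan/ethertype, looking through one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan, "ethertype": ethertype,
            "payload_len": len(frame) - offset}


def mop_alerts(frames) -> list:
    """One alert per MOP frame. A unicast remote-console frame aimed at a
    specific device is a console session attempt (high); frames sent to a
    multicast group are the periodic announcements the thread calls leaked
    link-local frames (info); dump/load traffic is rated medium."""
    alerts = []
    for frame in frames:
        try:
            f = parse_frame(frame)
        except ValueError:
            continue            # runt frame, nothing to classify
        if f["ethertype"] not in MOP_TYPES:
            continue
        multicast = bool(int(f["dst"][:2], 16) & 1)   # group bit, 1st octet
        if multicast:
            severity = "info"
        elif f["ethertype"] == ETHERTYPE_MOP_REMOTE_CONSOLE:
            severity = "high"
        else:
            severity = "medium"
        alerts.append({"severity": severity, "kind": MOP_TYPES[f["ethertype"]], **f})
    return alerts


# Constructed capture: ARP, IPv4, a VLAN-tagged MOP console frame toward the
# router, and the router's own MOP announcement to the multicast group.
ROUTER = "02:00:00:00:00:01"   # made-up, locally administered addresses
HOST = "02:00:00:00:00:02"
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", HOST, 0x0806, bytes(28)),
    build_frame(ROUTER, HOST, 0x0800, b"\x45" + bytes(19)),
    build_frame(ROUTER, HOST, ETHERTYPE_MOP_REMOTE_CONSOLE, bytes(8), vlan=100),
    build_frame(MOP_RC_MULTICAST, ROUTER, ETHERTYPE_MOP_REMOTE_CONSOLE, bytes(8)),
]

if __name__ == "__main__":
    for a in mop_alerts(SAMPLE_FRAMES):
        print(f'{a["severity"]:6} {a["kind"]:18} {a["src"]} -> {a["dst"]} vlan={a["vlan"]}')
```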
Re: TIL: Maintenance Operations Protocol (MOP)
Drew Weaver wrote on 04/08/2021 16:43:
> Sorry for the noise if you are all aware of what MOP is but if you
> aren't aware of what it is and use Cisco products (especially in a
> multi-tenant environment) it may be a good idea to read about it and
> evaluate any impact it may or may not have on your environment.
MOP is one of those services that seems to disappear and reappear on
various cisco software versions and trains, almost at random. It would
be interesting to know how much of the old DECnet stack is needed to
keep this particular fossil alive.

It leaks link-local frames. This is harmful. We don't like it at IXPs.

"no mop enabled" disables it on a per interface basis - this is possibly
the only cisco command that uses "enabled" instead of "enable" for this
context, i.e. this is very ancient.

Nick
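The per-interface "no mop enabled" Nick mentions is the only knob the thread offers, so a config audit is the practical check. The following is an added example, not from the thread or from Cisco: it walks a running-config, reports the interfaces on which MOP is still on by default, and prints the remediation lines; SAMPLE_CONFIG is constructed, and treating every interface whose name contains "Ethernet" as MOP-capable is an assumption.

```python
"""Audit a Cisco IOS / IOS-XE running-config for interfaces on which MOP is
still enabled and emit the per-interface `no mop enabled` lines that turn it
off. Added example, not from the thread; SAMPLE_CONFIG is constructed."""
from dataclasses import dataclass, field


def is_ethernet(name: str) -> bool:
    # MOP rides on Ethernet frames, so only Ethernet-style interfaces are
    # audited (assumption: the name contains "Ethernet"; loopbacks, tunnels
    # and vty/console lines are skipped).
    return "ethernet" in name.lower()


SAMPLE_CONFIG = """\
!
hostname LAB
!
interface GigabitEthernet0/0
 description uplink to core
 ip address 192.0.2.1 255.255.255.0
 no mop enabled
!
interface GigabitEthernet0/1
 description tenant A access
 ip address 198.51.100.1 255.255.255.0
 no mop sysid
!
interface GigabitEthernet0/2
 description tenant B access
 mop enabled
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
line vty 0 4
 transport input ssh
!
"""


@dataclass
class Interface:
    name: str
    lines: list = field(default_factory=list)

    @property
    def mop_enabled(self) -> bool:
        """MOP is on unless the stanza says `no mop enabled` explicitly. An
        explicit `mop enabled`, or no mop line at all, means on, which is the
        default the thread complains about. `no mop sysid` only silences the
        periodic system-ID announcements, so it does not count as off."""
        return not any(l.strip() == "no mop enabled" for l in self.lines)


def parse_interfaces(config: str) -> list:
    """Split the config into interface stanzas: the indented lines that
    follow `interface X` up to the next unindented line."""
    interfaces, current = [], None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Interface(raw.split(None, 1)[1].strip())
            interfaces.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw)
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return interfaces


def mop_exposed(config: str) -> list:
    """Names of Ethernet interfaces on which MOP would still answer."""
    return [i.name for i in parse_interfaces(config)
            if is_ethernet(i.name) and i.mop_enabled]


def remediation(config: str) -> str:
    """Config snippet to paste in. The thread notes there is no global
    switch, so it is one `no mop enabled` per exposed interface."""
    lines = []
    for name in mop_exposed(config):
        lines += [f"interface {name}", " no mop enabled"]
    return "\n".join(lines)


if __name__ == "__main__":
    print("MOP still enabled on:", ", ".join(mop_exposed(SAMPLE_CONFIG)))
    print(remediation(SAMPLE_CONFIG))
```

Run it against the output of "show running-config" saved to a file; an interface that shows neither "mop enabled" nor "no mop enabled" is reported because the thread's point is that the silent default is on.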
Re: TIL: Maintenance Operations Protocol (MOP)
Yes, in my research I noticed that OS image age has nothing to do with it. Newer images with different trains have it enabled, older images in totally other trains as well.

Also, even though it appears to emulate a VTY, simply configuring the transports doesn't disable it.

I mostly mentioned it because when I did some Googling I noticed it is referenced as being included in IOS XE.

It should be forcibly removed entirely in my opinion.

Re: TIL: Maintenance Operations Protocol (MOP)
Drew Weaver wrote on 05/08/2021 18:20:
> It should be forcibly removed entirely in my opinion.

Whatever about it being removed, it definitely shouldn't be enabled by
default, and there should be a command to disable it completely on all
interfaces.

It has the appearance of a feature which is kept alive because some
customer with a huge spend demands it in general-deployment release
trains (this is idle speculation and may be completely wrong btw).

Nick
Re: TIL: Maintenance Operations Protocol (MOP)
On Thu, 5 Aug 2021 at 21:49, Nick Hilliard <nick@foobar.org> wrote:
> It has the appearance of a feature which is kept alive because some
> customer with a huge spend demands it in general-deployment release
> trains (this is idle speculation and may be completely wrong btw).

More precisely, who (which employee) should be doing this, there is no
ROI for pushing such a change, but there is a (tiny) possibility of
blowback, in a company that is not exactly a stranger to layoffs.

I don't think there are a lot of rewards for employees for fixing old
lingering software problems, if any, *especially* in IOS. It's
different if a specific BU is responsible for the code, but generic
code from decades ago, the BU responsible for the code path today
probably handles a million other things, some of them presumably do
actually make money.


What is right or technically correct is not always the priority.


lukas
Re: TIL: Maintenance Operations Protocol (MOP)
Hi,

On Thu, Aug 05, 2021 at 10:40:20PM +0200, Lukas Tribus wrote:
> code from decades ago, the BU responsible for the code path today
> probably handles a million other things, some of them presumably do
> actually make money.

Yeah, like invent new license madness...

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany gert@greenie.muc.de
Re: TIL: Maintenance Operations Protocol (MOP)
On Thu, 5 Aug 2021 at 22:47, Lukas Tribus <lukas@ltri.eu> wrote:
> What is right or technically correct is not always the priority.

This is the job we do, right? (it's the job I do anyway). We find a
way to convince the powers that be, that this is a massive security
risk for example, or for example that our financial exposure because
of this exact feature is 1.21 gigawatts. Not let the uneducated powers
that be tell me it's fine to keep this feature they don't understand
:)

Cheers,
James.
Re: [External] Re: TIL: Maintenance Operations Protocol (MOP)
Okay my concern overall is not that it is in IOS 12. It's that it is in IOS XE and (possibly) other images.

Is there a list somewhere of what images support it? If not there probably should be.

-----Original Message-----
From: Hunter Fuller <hf0002@uah.edu>
Sent: Thursday, August 5, 2021 3:49 PM
To: Drew Weaver <drew.weaver@thenap.com>
Cc: Nick Hilliard <nick@foobar.org>; cisco-nsp@puck.nether.net
Subject: Re: [External] Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)

Right. I rarely say this, because I know how much legacy cruft is out there, but: there is basically zero chance anyone on earth wants this capability.

--
Hunter Fuller (they)
Router Jockey
VBH M-1A
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

Re: TIL: Maintenance Operations Protocol (MOP)
On Fri, 6 Aug 2021 at 09:59, James Bensley
<jwbensley+cisco-nsp@gmail.com> wrote:
> > What is right or technically correct is not always the priority.
>
> This is the job we do, right? (it's the job I do anyway). We find a
> way to convince the powers that be, that this is a massive security
> risk for example, or for example that our financial exposure because
> of this exact feature is 1.21 gigawatts. Not let the uneducated powers
> that be tell me it's fine to keep this feature they don't understand
> :)

I need the AM's to focus on the problems that actually do affect the
business case (which doesn't always work either), a specific default
that I don't like is not that. What I can do is have TAC file an
enhancement request, which is pretty much useless without internal
pressure.
If you are working for a shop so big that you can throw enhancement
requests at them without blinking great, but that depends on how much
you are spending I guess.

I'm no longer putting in hundreds of hours to fight losing battles,
which earlier in my career I did:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20140828-CVE-2014-3347

cheers,
lukas
Re: TIL: Maintenance Operations Protocol (MOP)
Hi,

On Fri, Aug 06, 2021 at 02:00:30PM +0200, Lukas Tribus wrote:
> I'm no longer putting in hundreds of hours to fight losing battles,
> which earlier in my career I did:
> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20140828-CVE-2014-3347

Ensuring that MOP is dead and stays buried might actually be worth a
PSIRT effort - any feature that is on-by-default and enables unauthorized
access to a device should be worth the fight.

gert

Gert Doering - Munich, Germany gert@greenie.muc.de
Re: TIL: Maintenance Operations Protocol (MOP)
AAA was unconfigured as I was testing on a lab router.

Whether or not it provides unauthorized access depends on whether you expect anyone that has something connected to that router to have access to the console or not.

At the very least it provides an opportunity and a vector.

It doesn't seem to log anything when you use it, either.

-----Original Message-----
From: Oliver Boehmer (oboehmer) <oboehmer@cisco.com>
Sent: Friday, August 6, 2021 11:48 AM
To: Gert Doering <gert@greenie.muc.de>; Lukas Tribus <lukas@ltri.eu>
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] TIL: Maintenance Operations Protocol (MOP)


On Fri, Aug 06, 2021 at 02:00:30PM +0200, Lukas Tribus wrote:
> I'm no longer putting in hundreds of hours to fight losing battles,
> which earlier in my carrier I did:
> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20140828-CVE-2014-3347

Ensuring that MOP is dead and stays buried might actually be worth a
PSIRT effort - any feature that is on-by-default and enables unauthorized
access to a device should be worth the fight.

+1, and worth a PSIRT case right away.
But it doesn't provide unauthorized access, does it? Drew's test showed a password prompt (not sure what the AAA config looked like)..

oli

Re: TIL: Maintenance Operations Protocol (MOP)
For something that is answering by default, where brutes cannot be
blocked or rate-limited by CoPP or MLS knobs? Control plane DDoS,
anyone?

What other surprises are in its code?

I'm sure a (hopefully) whitehat would have fun with this one.

---
~Randy (K6RP)

Re: TIL: Maintenance Operations Protocol (MOP)
Yes,

Plus, consider the fact that if you do a 'show users' it shows up as a VTY connection, and if you set transports on your configuration interfaces (console) it ignores that and still works.

-Drew


Re: TIL: Maintenance Operations Protocol (MOP)
By the way, anyone trying to actually reproduce/test this: just use Debian 10, because they have the DECnet for Linux tools in a deb already and it wouldn't compile on an RPM-based system.

-Drew

