Does Extreme Networks have an official statement on US-CERT Alert TA18-106A?

  • Article Type: Q & A
  • Article Number: 000022999
  • Last Modified: 4/27/2018

Question

Does Extreme Networks have an official statement on US-CERT Alert TA18-106A?

Environment

All Extreme Networks Products

Answer

Statement Regarding US-CERT Alert TA18-106A “Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices”

The recent Alert “TA18-106A” from US-CERT (see: https://www.us-cert.gov/ncas/alerts/TA18-106A) regarding potential Russian state-sponsored targeting of network infrastructure devices is an important message about the current state of cyber activities. Extreme Networks takes these notices very seriously and feels this provides an excellent opportunity for customers to review the security posture of their networks and managed assets.

The key takeaway from the Alert is that secure configurations are paramount. Apart from a vulnerability in the Smart Install (SMI) service of one competitor's products (a service that Extreme Networks products do not run), the main avenues of exploitation are well-known protocols that were never designed for secure communication or administrative access. During the reconnaissance phase, for example, the following services are scanned and profiled: Telnet, SNMP, and HTTP. US-CERT rightly identifies these protocols as having significant known security deficiencies that attackers use to infiltrate networks.

As noted in the “General Mitigations” section of the US-CERT Alert, Telnet should be replaced with SSHv2, SNMPv1/v2c with SNMPv3, and HTTP with HTTPS (TLS). In general, every unencrypted protocol should be replaced with its encrypted counterpart, and each encrypted protocol should be configured to use the strongest encryption, features, and protections available.

Further, it is imperative that all default administrative credentials be changed to strong, unique credentials known only to the customer, and that access-control and segmentation policies restrict management-protocol traffic to approved sources.

Another subtle item in the Alert is the impact of any identifying information that can be collected from the network during the reconnaissance phase. This can take many forms, and the Alert specifically mentions “Login banners”. What might seem like innocuous information can be critical data that enables an attack. Customers should not expose device details (such as vendor, model, software version, or role) in any information a device discloses before authentication, and should take steps to ensure that a generic banner is applied uniformly across all devices. Each device should appear like every other device.

Implementing these mitigations meets the core objective of the US-CERT Alert. It is just as critical, however, to verify frequently that the mitigations are actually deployed and functioning in the customer environment. The Information Governance Engine (IGE), which is part of Extreme Management Center (XMC), wraps automation around the verification of proper secure configurations on Extreme Networks products. Incorporating IGE into your management framework provides a means to perform this verification on a continual basis.
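The following is an added example, not code from this article, from IGE/XMC, or from any Extreme Networks product. It audits a device's management-plane settings against the mitigations listed above (Telnet off and SSHv2 on, SNMPv3 only with no default communities, HTTP off and HTTPS on, no factory credentials, management access limited to approved sources, and a login banner that discloses no device details). The "key value" configuration format, the sample dumps, the default-credential shortlist, and the finding codes are all constructed for this example and are not real CLI output or product identifiers.

```python
"""Audit a device's management-plane settings against the TA18-106A
mitigations: Telnet -> SSHv2, SNMPv1/v2c -> SNMPv3, HTTP -> HTTPS,
no default credentials, management sources restricted, generic banner."""
import ipaddress
import re

# Constructed shortlist of factory credentials and communities for the example.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("admin", "password"),
                       ("root", "root"), ("root", "")}
DEFAULT_COMMUNITIES = {"public", "private"}

# Banner content an attacker could profile: firmware-style version numbers
# (e.g. 12.3.4) or vocabulary that names the platform.
DEVICE_DETAIL_RE = re.compile(
    r"\b\d+\.\d+(?:\.\d+)+\b|\b(?:switch|router|firmware|version|model|os)\b",
    re.IGNORECASE)

# Constructed samples in a simplified, vendor-neutral "key value" format;
# they are NOT real Extreme Networks CLI output.
SAMPLE_WEAK = """\
telnet enabled
ssh version 1
snmp v2c community public
http enabled
https enabled
admin-user admin password admin
management-acl any
login-banner "core-sw-01 ExampleOS 12.3.4 - 48-port access switch"
"""

SAMPLE_HARDENED = """\
telnet disabled
ssh version 2
snmp v3 user netmon auth sha priv aes
http disabled
https enabled
admin-user netops password Kq7!vR2#pL9mZx
management-acl 10.10.5.0/24
management-acl 10.10.6.10/32
login-banner "Authorized access only. Activity is monitored."
"""


def parse_settings(text):
    """Turn the key/value dump into a dict; repeatable keys collect lists."""
    s = {"snmp": [], "users": [], "acl": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key == "snmp":
            s["snmp"].append(rest.split())          # e.g. ['v2c', 'community', 'public']
        elif key == "admin-user":
            m = re.match(r"(\S+)\s+password\s*(\S*)", rest)
            if m:
                s["users"].append((m.group(1), m.group(2)))
        elif key == "management-acl":
            s["acl"].append(rest.strip())
        elif key == "login-banner":
            s["banner"] = rest.strip().strip('"')
        else:
            s[key] = rest.strip()
    return s


def _unrestricted(acl_entry):
    """'any' or a zero-length prefix (0.0.0.0/0, ::/0) means no source restriction."""
    if acl_entry.lower() == "any":
        return True
    try:
        return ipaddress.ip_network(acl_entry, strict=False).prefixlen == 0
    except ValueError:
        return True   # unparsable entry: fail closed rather than silently pass


def audit(text):
    """Return a sorted list of finding codes; an empty list means compliant."""
    s = parse_settings(text)
    findings = set()
    if s.get("telnet") == "enabled":
        findings.add("TELNET_ENABLED")
    if s.get("ssh") != "version 2":
        findings.add("SSH_NOT_V2")
    if s.get("http") == "enabled":
        findings.add("HTTP_ENABLED")
    if s.get("https") != "enabled":
        findings.add("HTTPS_DISABLED")
    for entry in s["snmp"]:
        if not entry or entry[0] != "v3":
            findings.add("SNMP_PRE_V3")
        if "community" in entry:
            idx = entry.index("community") + 1
            if idx < len(entry) and entry[idx] in DEFAULT_COMMUNITIES:
                findings.add("SNMP_DEFAULT_COMMUNITY")
    if any(cred in DEFAULT_CREDENTIALS for cred in s["users"]):
        findings.add("DEFAULT_CREDENTIALS")
    if not s["acl"] or any(_unrestricted(a) for a in s["acl"]):
        findings.add("MGMT_ACL_UNRESTRICTED")
    if DEVICE_DETAIL_RE.search(s.get("banner", "")):
        findings.add("BANNER_LEAKS_DEVICE_DETAILS")
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"{name}: {audit(cfg) or 'compliant'}")
```

The check treats a missing management ACL, an `any` entry, or an unparsable entry as non-compliant, so an audit only passes when every approved source is stated explicitly; that fail-closed choice matters because the Alert's exploitation path depends precisely on management services being reachable from unapproved sources. Running the same audit on a schedule against every device is the "verify continually" step the paragraph above describes.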

In summary, no specific vulnerability mentioned in the US-CERT Alert affects Extreme Networks products. The potential for exploitation derives fundamentally from insecure configurations and deployments of network infrastructure devices. Extreme Networks continually evaluates strategies for improving network and system security as the cyber-security landscape evolves, and we are committed to assisting customers with secure configurations and network deployments.
