“It requires an authenticated user, so at least it’s not an unauthenticated RCE (remote code execution),” said Shipley. The vulnerability has a high CVSS score of 7.7, “but [it’s] not the worst we’ve seen of late.”
Ed Dubrovsky, chief operating officer of US-based incident response firm Cypfer, also noted that a successful attacker would need to be authenticated.
Although many companies still use default credentials on the SNMP protocol level, he said, the requirement to have an additional device authentication to execute the denial of service or RCE means additional complexity for an attacker.
He added that the risk of this being exploited by an insider who has the necessary credentials is almost equal to that of an outsider. In fact, he said, if an outside attacker has the required authentication, an organization would really be in trouble.
The need, based on the CVE, for multi level authentication for both SNMP and a device means that the threat actor is not a script kiddie, but rather someone more motivated, likely with a more technical skill set, who can then also leverage that device access to move laterally to the high value systems, he said.
“At the end of the day, a Cisco device at the edge is likely to have no company data on it, and threat actors that are primarily motivated by financial gains need data and system access to exfiltrate and lock. APT [advanced persistent threat] and nation state actors present a different threat, of course, but it is probable that such environments would present additional layered defenses to further reduce the risk from this CVE.
