Cisco IOS SYNful Knock Implant

Critical Nessus Plugin ID 86151

Synopsis

The remote host is infected with an implant that allows an attacker to take full control of the device.

Description

The remote host is infected by the SYNful Knock implant, a persistent backdoor introduced via a malicious IOS firmware image. A remote attacker can exploit the implant, via HTTP packets sent to the device's interface, to gain complete control of the affected device.

Solution

Follow your organization's procedures for responding to an infected host.

See Also

http://www.nessus.org/u?c31f83b9

http://www.nessus.org/u?99099f5d

https://zmap.io/synful/

https://blogs.cisco.com/security/synful-knock

https://tools.cisco.com/security/center/viewAlert.x?alertId=40411

https://tools.cisco.com/security/center/viewAlert.x?alertId=41007

Plugin Details

Severity: Critical

ID: 86151

File Name: cisco_synful_knock.nbin

Version: 1.10

Type: remote

Family: Backdoors

Published: 2015/09/25

Modified: 2018/07/19

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/o:cisco:ios

Vulnerability Publication Date: 2015/09/15