Cisco IOS SYNful Knock Implant

critical Nessus Plugin ID 86151

Synopsis

The remote host is infected with an implant that allows an attacker to take full control of the device.

Description

The remote host is infected by the SYNful Knock implant, a persistent backdoor introduced via a malicious IOS firmware image. A remote attacker can exploit the implant, via HTTP packets sent to the device's interface, to gain complete control of the affected device.

Solution

Follow your organization's procedures for responding to an infected host.

See Also

http://www.nessus.org/u?c31f83b9

http://www.nessus.org/u?99099f5d

https://zmap.io/synful/

https://blogs.cisco.com/security/synful-knock

https://tools.cisco.com/security/center/viewAlert.x?alertId=40411

https://tools.cisco.com/security/center/viewAlert.x?alertId=41007

Plugin Details

Severity: Critical

ID: 86151

File Name: cisco_synful_knock.nbin

Version: 1.33

Type: remote

Family: Backdoors

Published: 9/25/2015

Updated: 12/28/2022

Risk Information

CVSS Score Rationale: Score based on analysis of the vendor advisory.

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: manual

Vulnerability Information

CPE: cpe:/o:cisco:ios

Vulnerability Publication Date: 9/15/2015