[Ipg-smz] Need to speak to security expert?

John Coggeshall john at coggeshall.org
Fri Jul 12 01:27:46 UTC 2019


Yeah, see... it's not the string that bothers me it's where I found it.

This appears in my UART (serial) log between an ESP8266 Microcontroller 
and a STM32 Microcontroller. The ESP8266 is a WiFi compatible unit that 
I have written all of the code for; the STM32 has no direct WiFi 
capabilities. Neither device has anything at all to do with Cisco.

I have a Cisco switch installed on the network this ESP8266 has been 
connecting to. Other than the SDK I compile against, as I said, I have 
written all of the code on that ESP8266 chip and I can assure you there 
is nothing that I am doing that would result in a telnet connection 
being made to a Cisco router.

So, what am I to think? What this *looks* like to me is that the ESP8266 
chip made a connection to my Cisco router by itself, and somehow the 
buffer for that ended up in my UART buffer stream and output to my 
serial log. Everything prior to the "Provided:" is my code, outputting 
an error because it was expecting a command from the STM32 it talks to 
and it didn't know what to make of this.

This is why I would like to speak to someone with some security 
background, because I'm having a hard time explaining what I'm seeing 
besides "This chip is making network connections on its own and 
apparently trying to log into my Cisco switch".

John

Stephen Satchell via Ipg-smz wrote on 7/11/19 7:27 PM:
> On 7/11/19 2:31 PM, John Coggeshall via Ipg-smz wrote:
>> [DEBUG 2019-07-11 17:20:05] [STM32] Invalid / Unknown Command
>> Provided: � �    0-IPSERVICESK9-M), Version 12.2(55)SE3, RELEASE
>> SOFTWARE (fc1)
>> Technical Support: http://www.cisco.com/techsupport
>> Copyright
> As a Cisco router/switch jockey, I recognize this sequence.  Your device
> did a reload for some reason.  The two question-marks-in-circles are an
> RS-232 synchronization problem, whereas the rest afterwards is the
> standard banner.  If you are on IPSERVICESK9 in version 12.2(55)SE3,
> that suggests the source of this data is an Etherswitch.  Have you
> cascaded your equipment through the AUX port, perhaps?
>
> (In all my work, I either have a direct connection to the CONSOLE port,
> or I go through a router (2811) and a console serial card to talk to the
> devices.)
>
> The "Invalid/Unknown Command" can be a problem with the
> startup-configuration on your device.
>
> How did the device restart?  Could be a panic caused by your
> configuration, or you have this thing connected to the Internet edge
> directly and someone is using a well-known exploit to break in.
>
>
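Added example, not part of the thread: a small Python check that scans a UART log in the `[DEBUG ...] [STM32] Invalid / Unknown Command Provided: ...` format quoted above, strips the non-printable sync bytes, and flags payloads that look like a Cisco IOS banner rather than an STM32 command, pulling out the IOS version if present. The sample log lines are constructed for the example; only the banner fragment is taken from the post, and the marker patterns are my assumptions about what a banner fragment contains.

```python
import re

# Constructed sample in the same format as the UART log quoted in the thread.
# The Cisco banner fragment is from the post; the other lines are made up.
# The \x00\xff\xfb prefix stands in for the garbage bytes that appeared before it.
SAMPLE_LOG = (
    "[DEBUG 2019-07-11 17:20:01] [STM32] Command OK: STATUS\n"
    "[DEBUG 2019-07-11 17:20:05] [STM32] Invalid / Unknown Command Provided: "
    "\x00\xff\xfb    0-IPSERVICESK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)\n"
    "[DEBUG 2019-07-11 17:20:05] [STM32] Invalid / Unknown Command Provided: "
    "Technical Support: http://www.cisco.com/techsupport\n"
    "[DEBUG 2019-07-11 17:20:09] [STM32] Invalid / Unknown Command Provided: SET_LED 3\n"
)

# One log entry whose payload the firmware could not parse as a command.
LINE_RE = re.compile(
    r"^\[DEBUG (?P<ts>[^\]]+)\] \[(?P<src>[^\]]+)\] "
    r"Invalid / Unknown Command Provided: (?P<payload>.*)$"
)

# Strings that belong to a Cisco IOS boot banner, not to the STM32 protocol.
IOS_MARKERS = [
    re.compile(r"RELEASE SOFTWARE"),
    re.compile(r"K9-M\)"),
    re.compile(r"cisco\.com/techsupport"),
    re.compile(r"Version \d+\.\d+\(\d+\)"),
]
IOS_VERSION_RE = re.compile(r"Version (\d+\.\d+\(\d+\)[A-Za-z0-9]*)")


def clean_payload(raw: str) -> str:
    """Drop everything outside printable ASCII (the RS-232 sync garbage)."""
    return re.sub(r"[^\x20-\x7e\t]", "", raw).strip()


def find_foreign_banner_lines(log_text: str) -> list:
    """Return entries whose unparsed payload looks like a Cisco IOS banner."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        payload = clean_payload(m.group("payload"))
        if not any(p.search(payload) for p in IOS_MARKERS):
            continue  # an ordinary malformed command, not a banner fragment
        v = IOS_VERSION_RE.search(payload)
        hits.append({"ts": m.group("ts"), "payload": payload,
                     "version": v.group(1) if v else None})
    return hits


if __name__ == "__main__":
    for hit in find_foreign_banner_lines(SAMPLE_LOG):
        print(hit["ts"], hit["version"], hit["payload"])
```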
