SANS Stormcast Tuesday, January 6th, 2026: IPKVM Risks; Tailsnitch; Net-SNMP Vuln;

SANS Internet StormCast


Jan 6, 2026

AI Summary

The episode highlights three emerging security concerns: the growing use of inexpensive IP KVM devices that often expose out-of-band access to the internet; the release of TailSnitch, a tool that audits TailScale configurations for misconfigurations; and a critical buffer-overflow vulnerability (CVSS 9.8) in Net-SNMP's snmptrapd daemon. Listeners are urged to secure KVMs with solutions like TailScale, run TailSnitch to verify VPN settings, and promptly patch or isolate the SNMP daemon to prevent remote code execution. The host, Johannes Ullrich, emphasizes practical mitigation steps and community reporting of threats.

Episode Description

Risks of OOB Access via IP KVM Devices

https://isc.sans.edu/diary/Risks%20of%20OOB%20Access%20via%20IP%20KVM%20Devices/32598

https://github.com/Adversis/tailsnitch

https://github.com/net-snmp/net-snmp/security/advisories/GHSA-4389-rwqf-q9gq

Show Notes

Title: SANS Stormcast – Tuesday, January 6 2026: IP KVM Risks; Tailsnitch; Net‑SNMP Vulnerability

Author / Handler on Duty: Guy Bruneau

Publication Date: January 6 2026


Podcast Overview

  • Audio file: https://traffic.libsyn.com/securitypodcast/9754.mp3

  • Topics covered:

    1. Risks of out‑of‑band (OOB) access via IP KVM devices

    2. Tailsnitch – a tool for reviewing TailScale configurations

    3. A critical vulnerability in Net‑SNMP’s snmptrapd daemon

Resources Mentioned

  • Risks of OOB Access via IP KVM Devices – https://isc.sans.edu/diary/Risks%20of%20OOB%20Access%20via%20IP%20KVM%20Devices/32598

  • Tailsnitch – https://github.com/Adversis/tailsnitch

  • Net‑SNMP snmptrapd vulnerability (CVSS 9.8) – https://github.com/net-snmp/net-snmp/security/advisories/GHSA-4389-rwqf-q9gq


Podcast Transcript


Hello and welcome to the Tuesday, January 6, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in cybersecurity engineering.

I thought about a little sort of contest for the beginning of the year. Let's see how often I'll say 2025 in the introduction. I avoided it today, but we'll sort of revive something I've done in the past. If you do find a mistake in the podcast, as simple as me mentioning the wrong year, I'll actually give away some Internet Storm Center stickers. Just send me an email or a message via the Internet Storm Center contact form, and I'll set you up with a claim code for a sticker.

The diary today was about something that I've observed more and more in recent months, and that's people deploying nano KVMs. Nano KVMs, they have become popular last year. I think beginning last year is when they sort of first became available. And it's a very handy device in that it allows you remote access to a machine via the web browser. That's equivalent to having physical access to the machine, including doing things like reboots, but definitely sort of getting a keyboard and the mouse and the screen access to the remote machine. So a real handy device.

What's the problem? Well, the problem is sort of your typical IoT problem that these devices, of course, are now starting sort of around $35. Some of the older devices like the Pi KVM will set you back almost 10 times as much, sort of in the $200 range to get that fully set up. Never mind things like Dell DRAC cards and things like that, that of course provide much more sophisticated access to specific servers.

So the problem here is that since these devices are meant to give you sort of emergency access to your devices, they're often exposed to the internet. And that's like with all IoT devices where the problems start. So I've summarized a couple of tips here in how to better secure them. Probably the most useful thing here, and luckily the Nano KVM and some of the competitors like Pi KVM also support it, is TailScale. That's a VPN solution that's specifically designed sort of for home systems and systems with dynamic IP addresses to give you easy and straightforward access to those remote systems in a reasonably secure manner.

Anyway, if you have one of these devices, if you have any other feedback, let me know. There has also been quite a bit of talk about the overall security of the software stack in these devices and whether or not there may be some hidden back doors. I don't really think there are any intentional back doors, but I think at this point this is really sort of a matter of opinion. And if you do give any device like this very direct physical access to your systems, well, you better trust it. And that's really a decision that you have to make yourself.

I linked to some of the other works of looking at the security of these devices in the diary. And since I just mentioned TailScale, I also ran today into an interesting GitHub project, TailSnitch. The purpose of TailSnitch is to audit your TailScale configuration. So if you're relying on TailScale to secure access to your resources, then that's definitely a script that you probably should take a quick look at and see if anything within your TailScale setup is misconfigured. There are a couple of issues that you can run into, like systems configured as routers that may give access to the rest of your network. I'm not 100% sure yet; I still have to run it to see exactly what TailSnitch is looking for, but they're saying they're checking for about 50 different configuration issues within TailScale.

Let me also mention a vulnerability that I've actually not really seen covered much: a vulnerability in the SNMP trap daemon. This is a very commonly used piece of open-source software that collects information from SNMP traps. Sadly, it suffers from a buffer overflow that can lead to remote code execution. It has a CVSS score of 9.8, so definitely something that you should address. As I say so often, this should not be exposed to the outside of your network. Even internally, a vulnerability like this can cause substantial damage because the SNMP trap daemon often runs on network-monitoring systems. An attacker could use it to gain access to a more valuable system and then abuse that to obtain additional SNMP configurations and passwords, potentially affecting the rest of your network.

Thanks to the listener who actually alerted me to this vulnerability; I would not have seen it otherwise.

And that's it for today. Thanks for listening, thanks for liking and recommending this podcast, and talk to you again tomorrow. Bye.
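The transcript recommends putting an IP KVM behind TailScale and then auditing the tailnet for nodes that, as subnet routers or exit nodes, reach further than a single host. The following is an added example illustrating that kind of audit; it is not TailSnitch and not Tailscale's own code. It assumes the JSON shape printed by `tailscale status --json` (a top-level "Self" object and a "Peer" map, each node carrying "HostName", "TailscaleIPs", "AllowedIPs" and "ExitNodeOption"); the status document embedded below is constructed for this example, and the host names in it are made up.

```python
"""Flag tailnet nodes whose reach extends beyond their own Tailscale address.

Added example (not TailSnitch, not Tailscale code). Assumes the layout of
`tailscale status --json`; SAMPLE_STATUS below is a constructed document.
"""
import ipaddress
import json
import subprocess

# Constructed sample in the assumed `tailscale status --json` shape.
SAMPLE_STATUS = json.loads(r"""
{
  "Self": {
    "HostName": "admin-laptop",
    "TailscaleIPs": ["100.64.0.1", "fd7a:115c:a1e0::1"],
    "AllowedIPs": ["100.64.0.1/32", "fd7a:115c:a1e0::1/128"],
    "ExitNodeOption": false,
    "Online": true
  },
  "Peer": {
    "nodekey:aaaa": {
      "HostName": "nanokvm-rack1",
      "TailscaleIPs": ["100.64.0.10", "fd7a:115c:a1e0::10"],
      "AllowedIPs": ["100.64.0.10/32", "fd7a:115c:a1e0::10/128"],
      "ExitNodeOption": false,
      "Online": true
    },
    "nodekey:bbbb": {
      "HostName": "lab-gateway",
      "TailscaleIPs": ["100.64.0.20", "fd7a:115c:a1e0::20"],
      "AllowedIPs": ["100.64.0.20/32", "fd7a:115c:a1e0::20/128", "192.168.1.0/24"],
      "ExitNodeOption": false,
      "Online": true
    },
    "nodekey:cccc": {
      "HostName": "cloud-exit",
      "TailscaleIPs": ["100.64.0.30", "fd7a:115c:a1e0::30"],
      "AllowedIPs": ["100.64.0.30/32", "fd7a:115c:a1e0::30/128", "0.0.0.0/0", "::/0"],
      "ExitNodeOption": true,
      "Online": false
    }
  }
}
""")


def _own_host_routes(node):
    """The node's own Tailscale addresses as /32 and /128 prefixes.

    Anything else in AllowedIPs is reach the node has been granted beyond
    itself (an advertised subnet or a default route).
    """
    return {ipaddress.ip_network(ip) for ip in node.get("TailscaleIPs", [])}


def audit_node(node):
    """Return a list of findings for one node (empty if it only routes itself)."""
    findings = []
    host = node.get("HostName", "?")
    own = _own_host_routes(node)
    subnets, default_routes = [], []
    for prefix in node.get("AllowedIPs", []):
        net = ipaddress.ip_network(prefix, strict=False)
        if net in own:
            continue  # the node's own address, expected
        if net.prefixlen == 0:
            default_routes.append(str(net))  # 0.0.0.0/0 or ::/0: exit node
        else:
            subnets.append(str(net))  # advertised LAN prefix: subnet router
    if subnets:
        findings.append({"host": host, "issue": "subnet_router",
                         "detail": ", ".join(subnets)})
    if default_routes or node.get("ExitNodeOption"):
        findings.append({"host": host, "issue": "exit_node",
                         "detail": ", ".join(default_routes) or "ExitNodeOption"})
    return findings


def audit_status(status):
    """Audit Self plus every peer; findings keep the document's node order."""
    nodes = [status.get("Self", {})] + list(status.get("Peer", {}).values())
    findings = []
    for node in nodes:
        findings.extend(audit_node(node))
    return findings


def audit_live():
    """Run the audit against the local tailscaled (needs the tailscale CLI)."""
    out = subprocess.run(["tailscale", "status", "--json"],
                         capture_output=True, text=True, check=True).stdout
    return audit_status(json.loads(out))


if __name__ == "__main__":
    for f in audit_status(SAMPLE_STATUS):
        print(f"{f['host']:<16} {f['issue']:<14} {f['detail']}")
```

On the constructed sample the KVM node is quiet, while `lab-gateway` is reported as a subnet router for 192.168.1.0/24 and `cloud-exit` as an exit node. A subnet router is not wrong in itself, but each one is a node whose compromise exposes a whole LAN rather than one host, which is exactly the case a KVM-behind-VPN setup is supposed to avoid, so every finding should map to a deliberate decision.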

