[nsp] Cisco Security Advisory: Cisco IOS Software Multiple SNMP Community String Vulnerabilities

From: Cisco Systems Product Security Incident Response Team (psirt@cisco.com)
Date: Wed Feb 28 2001 - 13:30:00 EST


-----BEGIN PGP SIGNED MESSAGE-----

Cisco Security Advisory: Cisco IOS Software Multiple SNMP Community String
Vulnerabilities

Revision 1.0: INTERIM

For Public Release 2001 February 28 11:00 US/Eastern (UTC-0500)

  ------------------------------------------------------------------------

Summary

Multiple Cisco IOS software and CatOS software releases contain several
independent but related vulnerabilities involving the unexpected creation
and exposure of SNMP community strings. These vulnerabilities can be
exploited to permit the unauthorized viewing or modification of affected
devices.

To remove the vulnerabilities, Cisco is offering free software upgrades for
all affected platforms. The defects are documented in DDTS records
CSCds32217, CSCds16384, CSCds19674, CSCdr59314, CSCdr61016, and CSCds49183.

In addition to specific workarounds for each vulnerability, affected
systems can be protected by preventing SNMP access.

This notice will be posted
at http://www.cisco.com/warp/public/707/ios-snmp-community-vulns-pub.shtml.

Affected Products

The vulnerabilities described in this notice are present in Cisco router
and switch products that are running certain releases of Cisco IOS software
or CatOS software. Only Cisco products running affected releases are
vulnerable. No other Cisco products are affected.

To determine the software running on a Cisco product, log in to the device
and display the system banner with the command "show version". Cisco IOS
software will identify itself as "Internetwork Operating System Software"
or simply "IOS (tm)". The image name will be displayed between parentheses,
usually on the next line of output, followed by "Version" and the IOS
release name. Other Cisco devices will not have the "show version" command
or will give different output.

The following example identifies a Cisco product running IOS release
12.0(3) with an installed image name of C2500-IS-L:

     Cisco Internetwork Operating System Software IOS (tm)
     2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE

To determine if the Cisco product is affected, compare the information
obtained above to the lists of affected platforms and releases shown below.

Cisco devices that may be running an affected IOS software release include,
but are not limited to:

   * 800, 1000, 1005, 1400, 1600, 1700, 2500, 2600, 3600, MC3810, 4000,
     4500, 4700, 6200, 6400 NRP, 6400 NSP series Cisco routers.
   * ubr900 and ubr920 universal broadband routers.
   * Catalyst 2900 ATM, 2900XL, 2948g, 3500XL, 4232, 4840g, 5000 RSFC
     series switches.
   * 5200, 5300, 5800 series access servers.
   * Catalyst 6000 MSM, 6000 Hybrid Mode, 6000 Native Mode, 6000 Supervisor
     Module, Catalyst ATM Blade.
   * RSM, 7000, 7010, 7100, 7200, ubr7200, 7500, 10000 ESR, and 12000 GSR
     series Cisco routers.
   * DistributedDirector.
   * Catalyst 8510CSR, 8510MSR, 8540CSR, 8540MSR series switches.

Cisco products that do not run Cisco IOS software and are not affected by
the vulnerabilities described in this notice include, but are not limited
to:

   * Cisco PIX firewall.
   * Aironet and Cisco/Aironet wireless products
   * CSS11000, Cache Engine, and LocalDirector products.
   * VPN products such as the Altiga concentrator
   * Host-based network management or access management products.
   * Cisco IP Telephony and telephony management software (except those
     that are hosted on a vulnerable IOS platform).
   * Voice gateways and convergence products (except those that are hosted
     on a vulnerable IOS platform).
   * Optical switch products such as the ONS 15000 series.

Details

These vulnerabilities are the result of defects in the functions
responsible for Simple Network Management Protocol (SNMP), an Internet
standard for the remote administration of network devices. SNMP makes use
of one or more labels called "community strings" to delimit groups of
"objects" (variables) that can be viewed or modified on a device. The SNMP
data in such a group is organized in a tree structure called a Management
Information Base (MIB). A single device may have multiple MIBs connected
together into one large structure, and various community strings may
provide read-only or read-write access to different, possibly overlapping
portions of the larger data structure. An example of a read-only variable
might be a counter showing the total number of octets sent or received
through an interface. An example of a read-write variable might be the
speed of an interface, or the hostname of a device.

Community strings also provide a weak form of access control in earlier
versions of SNMP, v1 and v2c. (SNMPv3 provides much improved access control
using strong authentication and should be preferred over SNMPv1 and SNMPv2c
wherever it is supported.) If a community string is defined, then it must
be provided in any basic SNMP query if the requested operation is to be
permitted by the device. Community strings usually allow read-only or
read-write access to the entire device. In some cases, a given community
string will be limited to one group of read-only or read-write objects
described in an individual MIB.

In the absence of additional configuration options to constrain access,
knowledge of the single community string for the device is all that is
required to gain access to all objects, both read-only and read-write, and
to modify any read-write objects. The defects responsible for these
vulnerabilities are grouped here by function:

     A read-only community string is unexpectedly added when an "snmp-server
     host" command is entered in the configuration of a device where the
     community named in that command does not already exist on the device
     as a valid community string. If deleted, this community string will
     reappear after the device is reloaded. CSCdr61016 documents the defect
     in IOS for routers and switch-routers and only affects IOS releases
     12.0(7)T, 12.1(1)E and 12.1(2). CSCds49183 refers to the equivalent
     defect affecting products from the 2900XL and 3500XL series, and only
     affects IOS releases 12.0(5)XU and 12.0(5)XW.

     The defect arises from implementation of the SNMPv2 "informs"
     functionality, which involves the exchange of read-only community
     strings for the sharing of status information. When an affected device
     processes a command defining a host to receive SNMP "traps" (logging
     messages) such as the "snmp-server host" command, then the community
     specified in the trap statement is also configured for general use if
     it is not already defined in the saved configuration. This occurs even
     if the community was previously removed and the configuration was
     saved to memory prior to a system reload.

     The read-write community string is exposed when the device is examined
     via a "walk", or traversal, of the View-based Access Control MIB
     (VACM) using the device's read-only community string. View-based
     Access Control is a feature of SNMPv3 added to IOS in version
     12.0(3)T. CSCds32217 describes the defect in IOS, CSCds16384 applies
     to IOS running on 2900XL and 3500XL switches, and CSCds19674 documents
     the defect in CatOS on Catalyst switches. Most IOS releases in 12.0
     (after 12.0(3)T) as well as most 12.1 releases contain this
     vulnerability, as well as 12.0(5.2)XU and 12.0(5)XW for the 2900XL and
     3500XL switches, and CatOS releases 5.4(1) - 5.5(3) and 6.1(1) for the
     Catalyst switches.

     Implementation of new cable-industry standards for management of cable
     modems introduced an undocumented read-write community string,
     "cable-docsis", which was intended only for DOCSIS-compliant
     cable-capable devices. It was inadvertently enabled by default for all
     devices except DOCSIS-compatible cable modems and head end units in a
     limited range of IOS releases. This defect is documented as
     CSCdr59314. This vulnerability is confined to a very narrow set of IOS
     releases based on 12.1(3) and 12.1(3)T, and it is fixed in 12.1(4) and
     12.1(5)T releases and following.

Full details are provided in the software section below regarding the
status of each vulnerability in specific releases.

A separate Cisco Security Advisory has recently been announced regarding an
SNMP vulnerability due to an undocumented default "ILMI" read-write
community string in IOS. That advisory,
http://www.cisco.com/warp/public/707/ios-snmp-ilmi-vuln-pub.shtml, should
be consulted in tandem with this notice.
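
The exposure described for CSCds32217, CSCds16384 and CSCds19674 follows
from the layout of the VACM MIB: vacmSecurityToGroupTable is indexed by
securityModel and securityName, and the securityName is carried inside the
OID itself as a length followed by one sub-identifier per character, so a
read-only poller that walks the table reads every configured community name
out of the index. The script below is an added example, not part of the
Cisco advisory; it decodes that index from snmpwalk-style output and shows
that the rows fall under internet.6.3.16, the subtree the workaround
excludes. The walk lines, the group-name values, and the assumption that
each community appears under both the v1 and v2c models are constructed
for the example.

```python
"""Recover community strings from a walk of SNMP-VIEW-BASED-ACM-MIB.

Added example, not code from the Cisco advisory. vacmSecurityToGroupTable
(RFC 2575) is indexed by vacmSecurityModel (1 = SNMPv1, 2 = SNMPv2c,
3 = USM) and vacmSecurityName, an OCTET STRING that the OID carries as a
length sub-identifier followed by one sub-identifier per byte. For v1/v2c
the securityName is the community string itself, so a row such as
    vacmGroupName.1."private"
tells a read-only poller that "private" is a valid community. WALK below
is constructed snmpwalk -On style output; the group names are placeholders.
"""
import re

VACM_MIB = "1.3.6.1.6.3.16"                     # internet.6.3.16 in IOS view syntax
VACM_SEC_TO_GROUP_ENTRY = VACM_MIB + ".1.2.1"   # vacmSecurityToGroupEntry
MODELS = {1: "v1", 2: "v2c", 3: "usm"}

WALK = """\
.1.3.6.1.6.3.16.1.2.1.3.1.6.112.117.98.108.105.99 = STRING: "grp-v1-ro"
.1.3.6.1.6.3.16.1.2.1.3.1.7.112.114.105.118.97.116.101 = STRING: "grp-v1-rw"
.1.3.6.1.6.3.16.1.2.1.3.2.6.112.117.98.108.105.99 = STRING: "grp-v2c-ro"
.1.3.6.1.6.3.16.1.2.1.3.2.7.112.114.105.118.97.116.101 = STRING: "grp-v2c-rw"
.1.3.6.1.6.3.16.1.2.1.5.1.6.112.117.98.108.105.99 = INTEGER: 1
"""

LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*(?P<type>[A-Za-z0-9-]+):\s*(?P<val>.*)$")


def decode_index(sub_ids):
    """(securityModel, securityName) from the index part of the OID."""
    if len(sub_ids) < 2:
        raise ValueError("index too short")
    model, length = sub_ids[0], sub_ids[1]
    name = sub_ids[2:2 + length]
    if len(name) != length or len(sub_ids) != 2 + length:
        raise ValueError("securityName length does not match the OID")
    return MODELS.get(model, str(model)), bytes(name).decode("ascii")


def rows(walk_text):
    """Yield (model, securityName, column, value) for rows of vacmSecurityToGroupEntry."""
    prefix = VACM_SEC_TO_GROUP_ENTRY + "."
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m["oid"].startswith(prefix):
            continue
        tail = [int(x) for x in m["oid"][len(prefix):].split(".")]
        model, name = decode_index(tail[1:])      # tail[0] is the column number
        yield model, name, tail[0], m["val"].strip('"')


def leaked_communities(walk_text):
    """Map each community string found in the walk to the security models it serves."""
    out = {}
    for model, name, _column, _value in rows(walk_text):
        out.setdefault(name, set()).add(model)
    return out


def covered_by_workaround(oid):
    """True if oid lies in the subtree the advisory's view excludes (internet.6.3.16)."""
    oid = oid.lstrip(".")
    return oid == VACM_MIB or oid.startswith(VACM_MIB + ".")


if __name__ == "__main__":
    for name, models in sorted(leaked_communities(WALK).items()):
        print(f"community {name!r} valid for {sorted(models)}")
```

The value column (the group name) is irrelevant to the leak; the community
string is recovered entirely from the OID, which is why excluding the whole
subtree, rather than hiding individual columns, is the right workaround.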

Impact

Knowledge of read-only community strings allows read access to information
stored on an affected device, leading to a failure of confidentiality.
Knowledge of read-write community strings allows remote configuration of
affected devices without authorization, possibly without the awareness of
the administrators of the device and resulting in a failure of integrity
and a possible failure of availability.

These vulnerabilities could be exploited separately or in combination to
gain access to or modify the configuration and operation of any affected
devices without authorization. Customers are urged to upgrade affected
systems to fixed releases of software, or to apply measures to protect such
systems against unauthorized use by restricting access to SNMP services
until such time as the devices can be upgraded.

Software Versions and Fixes

This security advisory represents a combination of multiple related product
security vulnerabilities. The affected trains and releases are not
identical for all of the defects, but there are significant groups of
releases where affected versions intersect with others. Unless otherwise
noted, each label displayed under "Availability of Fixed Releases"
identifies the release that resolves all of these defects for that specific
train.
Please note the following exceptions:

     IOS software Major Release version 12.0 and IOS releases based on 11.x
     or earlier are not affected by the vulnerabilities described in this
     notice. All other releases of 12.0, such as 12.0DA, 12.0S or 12.0T,
     may be affected.

     CSCdr59314 is only present in certain 12.1(3) releases and does not
     affect any other IOS releases.

     Fixes for all six defects have been integrated into 12.2 prior to its
     initial availability, and therefore all releases based on 12.2 and all
     later versions are not vulnerable to the defects described in this
     advisory.

The following table summarizes the IOS software releases that are known to
be affected, and the earliest estimated dates of availability for the
recommended fixed versions. Dates are always tentative and subject to
change.

Each row of the table describes a release train and the platforms or
products for which it is intended. If a given release train is vulnerable,
then the earliest releases that contain the fix, and the anticipated date
of availability of each, are listed under "Rebuild", "Interim", and
"Maintenance". A device running any release in the given train that is
earlier than the release in a specific column (less than the earliest fixed
release) is known to be vulnerable, and it should be upgraded at least to
the indicated release or to a later version (greater than the earliest
fixed release label).

When selecting a release, keep in mind the following definitions:

     Maintenance
          Most heavily tested and highly recommended release of any label
          in a given row of the table.
     Rebuild
          Constructed from the previous maintenance or major release in the
          same train, it contains the fix for a specific defect. Although
          it receives less testing, it contains only the minimal changes
          necessary to effect the repair.
     Interim
          Built at regular intervals between maintenance releases and
          subjected to less testing. Interims should be selected only if
          there is no other suitable release that addresses the
          vulnerability, and interim images should be upgraded to the next
          available maintenance release as soon as possible. Interim
          releases are not available via manufacturing, and usually they
          are not available for customer download from CCO without prior
          arrangement with the Cisco TAC.

In all cases, customers should exercise caution to be certain the devices
to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
release. If the information is not clear, contact the Cisco TAC for
assistance as shown in the following section.

More information on IOS release names and abbreviations is available at
http://www.cisco.com/warp/public/620/1.html.
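
The rule above (a release in a train that is earlier than the listed fixed
release is vulnerable) is easy to apply by hand for one device and tedious
for a fleet. The following is an added example, not Cisco's own tooling: it
parses the release name from "show version", splits it into the
major.minor(maintenance[letter][.interim])[train[rebuild]] fields Cisco
release names are built from, and compares it with a subset of the table.
FIXED_RELEASES is transcribed from a few rows of the table; the ordering
used for the comparison is the advisory's rule, not a model of every branch
Cisco cuts, so treat an "unknown train" answer as a prompt to read the table
rather than as a clean bill of health.

```python
"""Check a Cisco IOS "show version" banner against the fixed releases.

Added example, not code from the Cisco advisory. FIXED_RELEASES holds a
few rows transcribed from the advisory's table (None marks a train the
table lists as not vulnerable); other trains would be added the same way.
A fix that lives in a different train (12.0XA is fixed by 12.1(7)) is
reported as a migration rather than compared numerically.
"""
import re

RELEASE_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<maint>\d+)(?P<letter>[a-z]?)(?:\.(?P<interim>\d+))?\)"
    r"(?P<train>[A-Z]+)?(?P<rebuild>\d+)?"
)

# Subset of the advisory's table: train -> fixed releases in any column.
FIXED_RELEASES = {
    "12.0": None,                           # general deployment 12.0: not vulnerable
    "12.0S": ["12.0(15)S1", "12.0(16)S"],
    "12.0ST": ["12.0(11)ST2", "12.0(15)ST"],
    "12.0W5": None,
    "12.0XA": ["12.1(7)"],                  # fixed only by moving to 12.1
    "12.1": ["12.1(5.1)", "12.1(7)"],
    "12.1E": ["12.1(5c)E8"],
    "12.1T": ["12.1(5)T5"],
    "12.1XF": ["12.1(2)XF3"],
}


class Release:
    """One IOS release name, e.g. 12.1(5c)E8 or 12.1(5.1)."""

    def __init__(self, text):
        m = RELEASE_RE.fullmatch(text.strip())
        if not m:
            raise ValueError(f"not an IOS release name: {text!r}")
        self.text = text.strip()
        self.major, self.minor = int(m["major"]), int(m["minor"])
        self.maint = int(m["maint"])
        self.letter = m["letter"]
        self.interim = int(m["interim"]) if m["interim"] else 0
        self.train = f"{self.major}.{self.minor}{m['train'] or ''}"
        self.rebuild = int(m["rebuild"]) if m["rebuild"] else 0

    def key(self):
        # Order inside one train: maintenance number, then interim build
        # (12.1(5.1) lies between 12.1(5) and 12.1(6)), then maintenance
        # letter (12.1(5c) after 12.1(5b)), then rebuild number. This is the
        # advisory's "earlier than the fixed release" rule, nothing more.
        return (self.maint, self.interim, self.letter, self.rebuild)


def release_from_show_version(banner):
    """Extract the release name from "show version" output."""
    m = re.search(r"Version\s+([^\s,]+)", banner)
    if not m:
        raise ValueError("no 'Version' field in banner")
    return m.group(1)


def assess(release_text):
    r = Release(release_text)
    if (r.major, r.minor) < (12, 0) or (r.major, r.minor) >= (12, 2):
        return "not vulnerable"          # 11.x and earlier; 12.2 and later
    if r.train not in FIXED_RELEASES:
        return "unknown train: consult the advisory table"
    fixes = FIXED_RELEASES[r.train]
    if fixes is None:
        return "not vulnerable"
    same_train = [f for f in map(Release, fixes) if f.train == r.train]
    if not same_train:
        return "vulnerable: migrate to " + " or ".join(fixes)
    if any(r.key() >= f.key() for f in same_train):
        return "fixed"
    return "vulnerable: upgrade to " + " or ".join(fixes)


if __name__ == "__main__":
    # Banner taken from the advisory's own "show version" example.
    banner = ("Cisco Internetwork Operating System Software IOS (tm)\n"
              "2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE\n")
    rel = release_from_show_version(banner)
    print(rel, "->", assess(rel))
    for sample in ["12.0(14)S", "12.0(15)S1", "12.1(5)T3", "12.1(5c)E8", "12.0(7)XA2"]:
        print(sample, "->", assess(sample))
```

Feed it the first two lines of "show version" from each device; anything
that comes back "vulnerable" or "unknown train" goes on the upgrade list,
and the SNMP access restrictions in the Workarounds section apply until it
is done.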

+===========================================================================+
  Train     Description of image        Availability of Fixed Releases*
            or platform                 (Rebuild / Interim** / Maintenance)
+===========================================================================+
  Catalyst Software Releases
+===========================================================================+
  5.5       CatOS: Catalyst switches      Maintenance: 5.5(3) (Available)
  6.1       CatOS: Catalyst switches      Maintenance: 6.1(2) (Available)
+===========================================================================+
  11.x-based Releases and Earlier
+===========================================================================+
  11.x and  Multiple releases and         Not Vulnerable
  earlier   platforms
+===========================================================================+
  12.0-based Releases
+===========================================================================+
  12.0      General Deployment release    Not Vulnerable
            for all platforms
+---------------------------------------------------------------------------+
  12.0DA    xDSL support: 6100, 6200      Rebuild: 12.1(5)DA1 (2001-Feb-28)
            Vulnerable to CSCds32217      Maintenance: 12.1(6)DA (Unscheduled)
+---------------------------------------------------------------------------+
  12.0DB    General deployment release    Rebuild: 12.1(4)DB1 (2001-Feb-26)
            for all platforms
+---------------------------------------------------------------------------+
  12.0DC    General deployment release    Rebuild: 12.1(4)DC2 (2001-Feb-20)
            for all platforms
+---------------------------------------------------------------------------+
  12.0S     Core/ISP support: GSR, RSP,   Rebuild: 12.0(15)S1 (2001-Feb-20)
            c7200                         Maintenance: 12.0(16)S (2001-Mar-12)
+---------------------------------------------------------------------------+
  12.0SC    Cable/broadband ISP: ubr7200  Rebuild: 12.0(15)SC1 (2001-Feb-26)
+---------------------------------------------------------------------------+
  12.0SL    10000 ESR: c10k               Rebuild: 12.0(14)SL1 (2001-Feb-26)
+---------------------------------------------------------------------------+
  12.0ST    General deployment release    Rebuild: 12.0(11)ST2 (2001-Feb-26)
            for all platforms             Maintenance: 12.0(15)ST (2001-Mar-05)
+---------------------------------------------------------------------------+
  12.0SX    Early Deployment (ED)         Rebuild: 12.1(5c)E8 (2001-Feb-26)
+---------------------------------------------------------------------------+
  12.0T     Early Deployment (ED):        Maintenance: 12.1(7) (2001-Feb-26)
            VPN, Distributed Director,
            various platforms
+---------------------------------------------------------------------------+
  12.0W5    Catalyst switches: cat8510c,  Not Vulnerable
            cat8540c, c6msm, ls1010,
            cat8510m, cat8540m, c5atm,
            c5atm, c3620, c3640, c4500,
            c5rsfc, c5rsm, c7200, rsp,
            cat2948g, cat4232
+---------------------------------------------------------------------------+
  12.0WT    Early deployment release      Not Vulnerable
+---------------------------------------------------------------------------+
  12.0XA    Early Deployment (ED):        Maintenance: 12.1(7) (2001-Feb-26)
            limited platforms
+---------------------------------------------------------------------------+
  12.0XB    Short-lived early deployment  Maintenance: 12.1(7) (2001-Feb-26)
            release
+---------------------------------------------------------------------------+
  12.0XC    Early Deployment (ED):        Maintenance: 12.1(7) (2001-Feb-26)
            limited platforms
+---------------------------------------------------------------------------+
  12.0XD    Early Deployment (ED):        Maintenance: 12.1(7) (2001-Feb-26)
            limited platforms
+---------------------------------------------------------------------------+
  12.0XE    Early Deployment (ED):        Rebuild: 12.1(5c)E8 (2001-Feb-26)
            limited platforms
+---------------------------------------------------------------------------+
  12.0XF    Early Deployment (ED):        Maintenance: 12.1(7) (2001-Feb-26)
            limited platforms
+---------------------------------------------------------------------------+
  12.0XG    Early Deployment (ED):        Maintenance: 12.1(7) (2001-Feb-26)
            limited platforms
+---------------------------------------------------------------------------+
  12.0XH    Early Deployment (ED):        Rebuild: 12.0(4)XH5 (2001-Mar-05)
            limited platforms
+---------------------------------------------------------------------------+
  12.0XI    Early Deployment (ED):        Maintenance: 12.1(7) (2001-Feb-26)
            limited platforms
+---------------------------------------------------------------------------+
  12.0XJ    Early Deployment (ED):        Maintenance: 12.1(7) (2001-Feb-26)
            limited platforms
+---------------------------------------------------------------------------+
  12.0XK    Early Deployment (ED):        Rebuild: 12.0(7)XK4 (2001-Mar-05)
            limited platforms
+---------------------------------------------------------------------------+
  12.0XL    Early Deployment (ED):        Rebuild: 12.0(4)XH5 (2001-Mar-05)
            limited platforms
+---------------------------------------------------------------------------+
  12.0XM    Short-lived early deployment  Maintenance: 12.1(7) (2001-Feb-26)
            release
+---------------------------------------------------------------------------+
  12.0XN    Early Deployment (ED):        Maintenance: Indeterminate (Unscheduled)
            limited platforms
+---------------------------------------------------------------------------+
  12.0XP    Early Deployment (ED):        Maintenance: 12.1WC (2001-Apr-12)
            limited platforms
+---------------------------------------------------------------------------+
  12.0XQ    Short-lived early deployment  Maintenance: 12.1(7) (2001-Feb-26)
            release
+---------------------------------------------------------------------------+
  12.0XR    Short-lived early deployment  Rebuild: 12.1(5)T5 (2001-Mar-05)
            release
+---------------------------------------------------------------------------+
  12.0XS    Short-lived early deployment  Rebuild: 12.1(5c)E8 (2001-Feb-26)
            release
+---------------------------------------------------------------------------+
  12.0XU    Early Deployment (ED):        Maintenance: 12.1WC (2001-Apr-12)
            limited platforms
+---------------------------------------------------------------------------+
  12.0XV    Short-lived early deployment  Rebuild: 12.1(5)T5 (2001-Mar-05)
            release                       Maintenance: 12.1WC (2001-Apr-12)
+===========================================================================+
  12.1-based and Later Releases
+===========================================================================+
  12.1      General deployment release    Interim: 12.1(5.1) (Available)
            for all platforms             Maintenance: 12.1(7) (2001-Feb-26)
+---------------------------------------------------------------------------+
  12.1AA    Dial support                  Maintenance: 12.1(7)AA (2001-Feb-26)
+---------------------------------------------------------------------------+
  12.1DA    xDSL support: 6100, 6200      Rebuild: 12.1(5)DA1 (2001-Feb-28)
                                          Maintenance: 12.1(6)DA (Unscheduled)
+---------------------------------------------------------------------------+
  12.1CX    Core/ISP support: GSR, RSP,   Maintenance: 12.1(4)CX (2001-Feb-20)
            c7200
+---------------------------------------------------------------------------+
  12.1DB    General deployment release    Rebuild: 12.1(4)DB1 (2001-Feb-26)
            for all platforms
+---------------------------------------------------------------------------+
  12.1DC    General deployment release    Rebuild: 12.1(4)DC2 (2001-Feb-26)
            for all platforms
+---------------------------------------------------------------------------+
  12.1E     Core/ISP support: GSR, RSP,   Rebuild: 12.1(5c)E8 (2001-Feb-26)
            c7200
+---------------------------------------------------------------------------+
  12.1EC    Core/ISP support: GSR, RSP,   Rebuild: 12.1(5)EC1 (2001-Feb-26)
            c7200
+---------------------------------------------------------------------------+
  12.1EX    Core/ISP support: GSR, RSP,   Rebuild: 12.1(5c)EX1 (2001-Feb-20)
            c7200
+---------------------------------------------------------------------------+
  12.1T     Early Deployment (ED):        Rebuild: 12.1(5)T5 (2001-Mar-05)
            VPN, Distributed Director,
            various platforms
+---------------------------------------------------------------------------+
  12.1XA    Early Deployment (ED):        Rebuild: 12.1(5)T5 (2001-Mar-05)
            limited platforms
+---------------------------------------------------------------------------+
  12.1XB    Early Deployment (ED):        Rebuild: 12.1(5)T5 (2001-Mar-05)
            limited platforms
+---------------------------------------------------------------------------+
  12.1XC    Early Deployment (ED):        Rebuild: 12.1(5)T5 (2001-Mar-05)
            limited platforms
+---------------------------------------------------------------------------+
  12.1XD    Early Deployment (ED):        Rebuild: 12.1(5)T5 (2001-Mar-05)
            limited platforms
+---------------------------------------------------------------------------+
  12.1XE    Early Deployment (ED):        Rebuild: 12.1(5)T5 (2001-Mar-05)
            limited platforms
+---------------------------------------------------------------------------+
  12.1XF    Early Deployment (ED):        Rebuild: 12.1(2)XF3 (2001-Mar-05)
            811 and 813 (c800 images)
+---------------------------------------------------------------------------+
  12.1XG    Early Deployment (ED):        Rebuild: 12.1(3)XG4 (2001-Mar-05)
            800, 805, 820, and 1600
+---------------------------------------------------------------------------+
  12.1XH    Early Deployment (ED):        Rebuild: 12.1(2)XH1 (2001-Mar-05)
            limited platforms
+---------------------------------------------------------------------------+
  12.1XI    Early Deployment (ED):        Rebuild: 12.1(3)XI6 (2001-Mar-05)
            limited platforms
+---------------------------------------------------------------------------+
  12.1XJ    Early Deployment (ED):        Maintenance: Indeterminate (Unscheduled)
            limited platforms
+---------------------------------------------------------------------------+
  12.1XK    Early Deployment (ED):        Rebuild: 12.1(5)T5 (2001-Mar-05)
            limited platforms
+---------------------------------------------------------------------------+
  12.1XL    Early Deployment (ED):        Rebuild: 12.1(3)XL1 (2001-Mar-05)
            limited platforms
+---------------------------------------------------------------------------+
  12.1XM    Short-lived early deployment  Rebuild: 12.1(5)XM1 (2001-Mar-05)
            release
+---------------------------------------------------------------------------+
  12.1XP    Early Deployment (ED):        Rebuild: 12.1(3)XP3 (2001-Mar-05)
            1700 and SOHO
+---------------------------------------------------------------------------+
  12.1XQ    Short-lived early deployment  Rebuild: 12.1(3)XQ1 (2001-Mar-05)
            release
+---------------------------------------------------------------------------+
  12.1XR    Short-lived early deployment  Rebuild: 12.1(5)XR1 (2001-Feb-20)
            release
+---------------------------------------------------------------------------+
  12.1XS    Short-lived early deployment  Maintenance: 12.1(5)XS (2001-Mar-05)
            release
+---------------------------------------------------------------------------+
  12.1XT    Early Deployment (ED):        Rebuild: 12.1(3)XT2 (2001-Mar-05)
            1700 series
+---------------------------------------------------------------------------+
  12.1XU    Early Deployment (ED):        Rebuild: 12.1(5)XU1 (2001-Feb-15)
            limited platforms
+---------------------------------------------------------------------------+
  12.1XV    Short-lived early deployment  Rebuild: 12.1(5)XV1 (2001-Mar-05)
            release
+---------------------------------------------------------------------------+
  12.1XW    Short-lived early deployment  Rebuild: 12.1(5)XW2 (2001-Feb-26)
            release
+---------------------------------------------------------------------------+
  12.1XX    Short-lived early deployment  Rebuild: 12.1(5)XX3 (2001-Feb-26)
            release
+---------------------------------------------------------------------------+
  12.1XY    Short-lived early deployment  Rebuild: 12.1(5)XY4 (2001-Feb-26)
            release
+---------------------------------------------------------------------------+
  12.1XZ    Short-lived early deployment  Rebuild: 12.1(5)XZ2 (2001-Feb-26)
            release
+---------------------------------------------------------------------------+
  12.1YA    Short-lived early deployment  Rebuild: 12.1(5)YA1 (2001-Feb-28)
            release
+---------------------------------------------------------------------------+
  12.1YB    Short-lived early deployment  Maintenance: 12.1(5)YB (2001-Feb-13)
            release
+---------------------------------------------------------------------------+
  12.1YC    Short-lived early deployment  Rebuild: 12.1(5)YC1 (2001-Feb-26)
            release
+---------------------------------------------------------------------------+
  12.1YD    Short-lived early deployment  Maintenance: 12.1(5)YD (2001-Mar-05)
            release
+===========================================================================+
                               Notes

 * All dates are estimated and subject to change.

 ** Interim releases are subjected to less rigorous testing than regular
 maintenance releases, and may have serious bugs.
+===========================================================================+

Obtaining Fixed Software

Cisco is offering free software upgrades to remedy these vulnerabilities for
all affected customers. Customers with service contracts may upgrade to any
software release. Customers without contracts may upgrade only within a
single row of the table above, except that any available fixed software
release will be provided to any customer who can use it and for whom the
standard fixed software release is not yet available. Customers may install
only the feature sets they have purchased.

Note that not all fixed software may be available as of the release date of
this notice.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained via Cisco's Software Center at http://www.cisco.com/.

Customers without contracts or warranty status should get their upgrades by
contacting the Cisco Technical Assistance Center (TAC) as shown below:

   * (800) 553-2447 (toll-free in North America)
   * +1 408 526 7209 (toll call from anywhere in the world)
   * e-mail: tac@cisco.com

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including instructions and e-mail
addresses for use in various languages.

Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested through
the TAC. Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades; faster results will be
obtained by contacting the TAC directly.

Workarounds

All of the following workarounds must be configured while in enable mode on
the affected router or switch. Be sure to save the changes with the "write
memory" command after each configuration change.

     The workaround for the vulnerability introduced by CSCdr61016 and
     CSCds49183 is to configure community strings for the snmp-server hosts
     prior to configuring the snmp-server hosts. This command should
     include the desired access restrictions on this community string. In
     the following example, "1.2.3.4" is the IP address of the host
     intended to receive SNMP traps:

          router#config term
             ! access list 66 denies every source: the community exists only
             ! so that it can be named in the trap host definition and can
             ! never be used to poll the device
          router(config)#access-list 66 deny any
             ! define the community, with the access list, BEFORE the host
          router(config)#snmp-server community public ro 66
             ! now the host command finds an existing community and does not
             ! create an unrestricted one
          router(config)#snmp-server host 1.2.3.4 public
          router(config)#exit
          router#write memory
          router#

     If the "snmp-server community" command is entered after one or more
     "snmp-server host" commands have been entered using the same community
     string, then all of the "snmp-server host" commands must be re-entered
     due to the otherwise unrelated defect CSCdr21997. This latter defect
     prevents traps or informs from leaving the router using the community
     string. The defect is present in some but not all of the same IOS
     releases as CSCdr61016.

     To permanently remove communities after definition of the "snmp-server
     host" command, the associated "snmp-server host" commands that
     correspond to those communities must also be removed.

     The vulnerability described in CSCds32217 and CSCds16384 can be
     remedied by using the "snmp-server view" command to block the ability
     to poll the SNMP-VIEW-BASED-ACM-MIB. The result is a view that
     restricts the ability to browse the SNMP-VIEW-BASED-ACM-MIB, and it
     must be applied to all read-only community strings. For example:

          router#config term
             ! create view
          router(config)#snmp-server view novacm internet included
             ! block vacmSecurityToGroupEntry table
          router(config)#snmp-server view novacm internet.6.3.16 excluded
             ! apply view to read-only security string
          router(config)#snmp-server community public view novacm RO
          router(config)#exit
          router#write memory
          router#

     If the affected router or switch already contains more than one
     read-write community string, then all read-write community strings
     must be prevented from reading the SNMP-VIEW-BASED-ACM-MIB. For
     read-write community strings that do not have a view applied, create a
     new view and apply it to the community string. If a read-write
     community string already has a view applied to it, then modify the
     view to prevent access to the SNMP-VIEW-BASED-ACM-MIB. Both situations
     are shown below.

     If the following example is part of a pre-existing configuration:

          router#show running-config
          ...
          snmp-server view oldview internet included
          snmp-server view oldview ipRouteTable excluded
          snmp-server view oldview ipNetToMediaTable excluded
          snmp-server view oldview at excluded
          snmp-server community tech view oldview RW
          snmp-server community private RW
          ...

     then the following modifications will exclude the
     SNMP-VIEW-BASED-ACM-MIB:

          router#config term
             ! block vacmSecurityToGroupEntry table in existing view
          router(config)#snmp-server view oldview internet.6.3.16 excluded
             ! create new view
          router(config)#snmp-server view novacm internet included
          router(config)#snmp-server view novacm internet.6.3.16 excluded
             ! apply new view
          router(config)#snmp-server community private view novacm RW
          router(config)#exit
          router#write memory
          router#

     NOTE: For the fullest protection provided by this workaround, every
     existing view on the affected switch or router must be modified in a
     similar manner.

     The vulnerability described in CSCds19674 for CatOS can be remedied by
     using the "set snmp view" command to prevent access to the
     SNMP-VIEW-BASED-ACM-MIB. For example:

          switch#set snmp view defaultUserView 1.3.6.1.6.3.16.1.2 excluded nonvolatile

     If the "cable-docsis" community string is deleted from the
     configuration, then CSCdr59314 causes it to automatically reappear
     after the system is reloaded. The following workaround prohibits the
     use of the "cable-docsis" community string by defining an access list
     statement that completely denies any requests for it:

          router#config term
             ! create access list
          router(config)#access-list 66 deny any
             ! apply access restrictions to cable-docsis community string
          router(config)#snmp-server community cable-docsis ro 66
          router(config)#exit
          router#write memory
          router#
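The three IOS workarounds above (an explicitly configured, access-list-restricted community for every "snmp-server host"; a view on every community that excludes the SNMP-VIEW-BASED-ACM-MIB; and a deny-all access list bound to "cable-docsis") can be checked offline against a saved "show running-config" dump. The following script is an added example, not Cisco's code and not part of this advisory. It parses only SNMPv1/v2c community syntax (no "version 3" host lines, and not the CatOS "set snmp view" form), treats a view as protective only if it explicitly excludes the internet.6.3.16 subtree, and the sample configuration it audits is constructed for illustration:

```python
"""Offline audit of a Cisco IOS "show running-config" dump for the SNMP community
conditions the workarounds above address.  Added example, not Cisco's code; the
sample configuration is constructed.  Assumes SNMPv1/v2c community syntax only
and that a view protects a community only if it excludes internet.6.3.16."""
import re
from collections import defaultdict

# Subtree spellings for the SNMP-VIEW-BASED-ACM-MIB used in the advisory.
VACM_SUBTREES = {"internet.6.3.16", "1.3.6.1.6.3.16"}
COMMUNITY_RE = re.compile(r"snmp-server community (\S+)(.*)")
HOST_RE = re.compile(r"snmp-server host (\S+)(?:\s+(?:traps|informs))?"
                     r"(?:\s+version\s+(?:1|2c))?\s+(\S+)")
VIEW_RE = re.compile(r"snmp-server view (\S+) (\S+) (included|excluded)")
ACL_RE = re.compile(r"access-list (\d+) (.*)")

def parse_config(text):
    """Collect community, host, view and access-list lines from config text."""
    communities = {}           # name -> {"acl": number or None, "view": name or None}
    hosts = []                 # (destination, community) pairs
    views = defaultdict(list)  # view name -> [(subtree, "included"/"excluded")]
    acls = defaultdict(list)   # acl number -> list of rule strings
    for raw in text.splitlines():
        line = raw.strip()
        if m := COMMUNITY_RE.match(line):
            entry = {"acl": None, "view": None}
            toks = m.group(2).split()
            i = 0
            while i < len(toks):
                if toks[i].lower() == "view" and i + 1 < len(toks):
                    entry["view"] = toks[i + 1]
                    i += 1
                elif toks[i].isdigit():
                    entry["acl"] = toks[i]
                i += 1
            communities[m.group(1)] = entry
        elif m := HOST_RE.match(line):
            hosts.append((m.group(1), m.group(2)))
        elif m := VIEW_RE.match(line):
            views[m.group(1)].append((m.group(2), m.group(3)))
        elif m := ACL_RE.match(line):
            acls[m.group(1)].append(m.group(2))
    return {"communities": communities, "hosts": hosts, "views": views, "acls": acls}

def view_excludes_vacm(rules):
    """True if a view's rules explicitly exclude the VACM MIB subtree."""
    return any(sub in VACM_SUBTREES and st == "excluded" for sub, st in rules)

def acl_denies_all(acls, number):
    """True if the numbered access list exists and contains only deny rules."""
    return number in acls and all(r.startswith("deny") for r in acls[number])

def audit(text):
    """Return findings; an empty list means all three workarounds are in place."""
    cfg = parse_config(text)
    findings = []
    # Workaround 1 (CSCdr61016/CSCds49183): every snmp-server host must name a
    # community that was configured explicitly, with an access list attached.
    for dest, comm in cfg["hosts"]:
        entry = cfg["communities"].get(comm)
        if entry is None or entry["acl"] is None:
            findings.append({"check": "host_without_community", "community": comm, "host": dest})
    for name, entry in cfg["communities"].items():
        # Workaround 2 (CSCds32217/CSCds16384): every community needs a view that
        # excludes the VACM MIB; a community with no view exposes it entirely.
        if not view_excludes_vacm(cfg["views"].get(entry["view"], [])):
            findings.append({"check": "view_missing_vacm_exclusion", "community": name})
        # Workaround 3 (CSCdr59314): "cable-docsis" must be bound to a deny-all
        # access list, since merely deleting it does not survive a reload.
        if name == "cable-docsis" and not acl_denies_all(cfg["acls"], entry["acl"]):
            findings.append({"check": "cable_docsis_unrestricted", "community": name})
    return findings

def findings_by_check(text):
    """Group the community names of each finding by check name, sorted."""
    grouped = defaultdict(list)
    for f in audit(text):
        grouped[f["check"]].append(f["community"])
    return {k: sorted(v) for k, v in grouped.items()}

# Constructed "before" configuration exhibiting each condition above.
SAMPLE_CONFIG = """\
access-list 66 deny any
snmp-server view oldview internet included
snmp-server view novacm internet included
snmp-server view novacm internet.6.3.16 excluded
snmp-server community tech view oldview RW
snmp-server community private RW
snmp-server community public view novacm RO 66
snmp-server community cable-docsis RO
snmp-server host 1.2.3.4 public
snmp-server host 5.6.7.8 trapcomm
"""

if __name__ == "__main__":
    print(findings_by_check(SAMPLE_CONFIG))
```

Run against the constructed sample, the audit reports "trapcomm" (a host community with no explicit, access-list-restricted definition), "tech", "private" and "cable-docsis" (no view excluding the VACM MIB, exactly the two situations the advisory's "oldview"/"private" example covers) and "cable-docsis" again for lacking a deny-all access list; after the workaround commands above are applied and the resulting configuration is re-audited, the list is empty. The checks are deliberately conservative: a view that excludes a broader parent subtree would still be flagged, and the script cannot verify the ordering requirement (community before host) from a saved configuration, so it requires the explicit access list instead.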

Exploitation and Public Announcements

CSCdr59314 was discovered internally and repaired. Cisco is aware of one
incident in which a customer's routers were modified without authorization
by using the "cable-docsis" community string. The vulnerability was brought
to the attention of the Cisco Product Security Incident Response Team when
the customer reported the incident. The other vulnerabilities were
initially reported by customers on one product or confirmed internally on
other products during repair.

Although Cisco has no knowledge of a specific program or script designed to
make use of these vulnerabilities, there are numerous off-the-shelf
programs and scripts available which could be used as-is or modified to
exploit any of the vulnerabilities described in this notice.

Cisco is not aware of any general discussion of these vulnerabilities in
public forums.

Status of This Notice: INTERIM

This is an interim security advisory. Cisco anticipates issuing updated
versions of this notice at irregular intervals as there are material
changes in the facts, and will continue to update this notice as necessary.
The reader is warned that this notice may contain inaccurate or incomplete
information. Although Cisco cannot guarantee the accuracy of all statements
in this notice, all of the facts have been checked to the best of our
ability. Cisco anticipates issuing monthly updates of this notice until it
reaches FINAL status.

A standalone copy or paraphrase of the text of this security advisory that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.

Distribution

This notice will be posted
at http://www.cisco.com/warp/public/707/ios-snmp-community-vulns-pub.shtml.

In addition to Worldwide Web posting, a text version of this notice will be
clear-signed with the Cisco PSIRT PGP key and will be posted to the
following e-mail and Usenet news recipients:

   * cust-security-announce@cisco.com
   * bugtraq@securityfocus.com
   * firewalls@lists.gnac.com
   * first-teams@first.org (including CERT/CC)
   * cisco@spot.colorado.edu
   * cisco-nsp@puck.nether.net
   * comp.dcom.sys.cisco
   * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.

Revision History

 Revision 1.0 2001-Feb-27 Initial public release

Cisco Product Security Incident Procedures

The page at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml contains
instructions for reporting security vulnerabilities in Cisco products,
obtaining assistance with customer security incidents, registering to
receive security information from Cisco, and making press inquiries
regarding Cisco Security Advisories. This document is Cisco's complete
public statement regarding this product security vulnerability.

  ------------------------------------------------------------------------
Copyright 2001 by Cisco Systems, Inc. This notice may not be redistributed
in any form without the advance knowledge and consent of the Cisco Product
Security Incident Response Team.
  ------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQEVAwUBOp1Xq2iN3BRdFxkbAQGCsAf+OWvTnN93kHb+QsHX08BIf4SgHG5F+7vk
V5/IbH2Y4UHuS8W4v0DiAAikEQAFrW8fdV9nwU+KNc+CD0mzV+Rmm2jXsFGJoccK
n5dDiMTLxWYXtZtJozbrJNhxsXPkhVUhhxYjGv9Usk2qotVaZamgx1U0PB4coB0Z
3CrE50AGhcNZp6p7X5qg2fKurWYXEiD5egahpfsOUG6L46+hBd2hpbmfiuPwAVAM
Pufk7f2sbkrtmr2IBmoNg2DG5TiEwj3jXFrNtqSgtyBvPDllLmvIL6id0M/EAEsQ
3OGkgh/Eeyynz2KroZtxjFhxwiOs9PuRSCCyV0Xfb6SXnhrFcAlaig==
=MPWC
-----END PGP SIGNATURE-----
