[c-nsp] How to disable ILMI/SNMP CSCvs33325

Gert Doering gert at greenie.muc.de
Mon Sep 19 08:40:30 EDT 2022


Hi,

On Mon, Sep 19, 2022 at 02:29:06PM +0300, Hank Nussbacher via cisco-nsp wrote:
> Recently Shodan has been showing how it probes all our IOS-XE routers 
> via SNMP even though we have an ACL on all our SNMP.  We then found that 
> there is a bugid on the issue (ILMI can't be blocked by ACL):
> CSCvs33325

Is that still a thing?  Insane.

It used to be an issue on IOS 15+ years ago...  (on IOS, the issue was 
"ILMI is a predefined community which cannot be deleted" - but you
*could* expose it, make it explicit, and then put an ACL on it).


That bug is amazing anyway.  My suggestion would have been "escalate via
PSIRT", but the bug says "The Cisco PSIRT has evaluated this issue and 
determined it does not meet the criteria for PSIRT ownership or involvement.
This issue will be addressed via normal resolution channels."

WAT?!


That said, I tried to reproduce it on our boxes, and neither the ASR920
nor the lone ASR1000 responds to SNMP v1 or v2c queries with community
"ILMI", with nothing in the config to block it (same source host can
query with one of the configured SNMP communities).  This is on IOS XE
16.6.10 and 15.5(3)S10 respectively.  Seems you need something extra.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert at greenie.muc.de
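The old-IOS workaround Gert describes above (make the predefined ILMI community explicit so an ACL can be attached to it), written out as an added illustration that is not part of the message; the ACL number, management host address and community name "mgmt" are assumed placeholders, and per the bug referenced in the thread this may not take effect on affected IOS-XE releases, so verify with the show command at the end.

```cisco
! Constructed example: restrict SNMP to one management host and log anything else.
access-list 10 remark SNMP management hosts only
access-list 10 permit host 192.0.2.10
access-list 10 deny   any log

! The community the operator actually configured, already bound to the ACL.
snmp-server community mgmt RO 10

! The predefined ILMI community is normally invisible in the config and
! therefore unrestricted; declaring it explicitly binds it to the same ACL.
snmp-server community ILMI RO 10

! Confirm both communities now show the ACL; if ILMI still answers an
! unauthorised source after this, the device matches the bug behaviour.
! show snmp community
```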