[c-nsp] How to disable ILMI/SNMP CSCvs33325
Hank Nussbacher
hank at interall.co.il
Mon Sep 19 08:47:09 EDT 2022
On 19/09/2022 15:40, Gert Doering wrote:
> Hi,
>
> On Mon, Sep 19, 2022 at 02:29:06PM +0300, Hank Nussbacher via cisco-nsp wrote:
>> Recently Shodan has been showing how it probes all our IOS-XE routers
>> via SNMP even though we have an ACL on all our SNMP. We then found that
>> there is a bugid on the issue (ILMI can't be blocked by ACL):
>> CSCvs33325
>
> Is that still a thing? Insane.
Indeed.
>
> It used to be an issue on IOS 15+ years ago... (on IOS, the issue was
> "ILMI is a predefined community which cannot be deleted" - but you
> *could* expose it, make it explicit, and then put an ACL on it).
>
>
> That bug is amazing anyway. My suggestion would have been "escalate via
> PSIRT", but the bug says "The Cisco PSIRT has evaluated this issue and
> determined it does not meet the criteria for PSIRT ownership or involvement.
> This issue will be addressed via normal resolution channels."
>
> WAT?!
>
>
> That said, I tried to reproduce it on our boxes, and neither the ASR920
> nor the lone ASR1000 responds to SNMP v1 or v2c queries with community
> "ILMI", with nothing in the config to block it (same source host can
> query with one of the configured SNMP communities). This is on IOS XE
> 16.6.10 and 15.5(3)S10 respectively. Seems you need something extra.
It is V3. Here is a Shodan snippet from one of dozens of alerts we get
per day:
  Banner (snmp_v3)
  Snmp:
    Versions:
      3
    Engineid Format: mac
    Engine Boots: 20
    Engineid Data: 70:ca:9b:a9:2f:40
    Enterprise: 9
    Engine Time: 189 days, 9:15:11
-Hank
>
> gert