[c-nsp] How to disable ILMI/SNMP CSCvs33325

Gert Doering gert at greenie.muc.de
Mon Sep 19 08:57:08 EDT 2022


Hi,

On Mon, Sep 19, 2022 at 03:47:09PM +0300, Hank Nussbacher via cisco-nsp wrote:
> On 19/09/2022 15:40, Gert Doering wrote:
> > On Mon, Sep 19, 2022 at 02:29:06PM +0300, Hank Nussbacher via cisco-nsp wrote:
> >> Recently Shodan has been showing how it probes all our IOS-XE routers
> >> via SNMP even though we have an ACL on all our SNMP.  We then found that
> >> there is a bugid on the issue (ILMI can't be blocked by ACL):
> >> CSCvs33325
> > 
> > Is that still a thing?  Insane.
> Indeed.

Just for reference, here's the 2001 bug.  With full PSIRT "get free
software upgrade" parts...

https://www.cisco.com/c/dam/en/us/support/docs/csa/cisco-sa-20010227-ios-snmp-ilmi.html

[..]
> > That said, I tried to reproduce it on our boxes, and neither the ASR920
> > nor the lone ASR1000 responds to SNMP v1 or v2c queries with community
> > "ILMI", with nothing in the config to block it (same source host can
> > query with one of the configured SNMP communities).  This is on IOS XE
> > 16.6.10 and 15.5(3)S10 respectively.  Seems you need something extra.
> 
> It is V3.  Here is a Shodan snippet from one of dozens of alerts we get 
> per day:

Good to know.  Looking at shodan, I see that both types of devices here
are listed as well (ewww!).

So, need to figure out what the magic -v3 incantation of snmpget is
to make this work... (every time I tried v3 so far has led to 
"more grey hair").

thanks for the heads up

gert


-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert at greenie.muc.de
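The reproduction attempt described above (v1/v2c queries with community "ILMI", then the missing v3 incantation) as a small check script. This is an added example, not part of Gert's post, of the thread, or of Cisco's advisory; it needs net-snmp's snmpget. The v3 security name "probe" is an assumed placeholder: the thread says the Shodan probes are SNMPv3 but does not say which user name they use. The v3 part relies on a property of the protocol itself: the USM engine discovery and error reports (RFC 3414) happen before any user is authenticated, so a Report PDU coming back, which net-snmp surfaces as "Unknown user name" or "Authentication failure", already proves the agent is reachable and talking to the probing host, whatever the user name was.

```shell
#!/bin/sh
# Probe hosts for an SNMP agent that answers the "ILMI" community (v1/v2c)
# and for an SNMPv3 agent that answers at all.  Added example, not from the
# mailing-list post.  Requires net-snmp's snmpget on the probing host.

OID='1.3.6.1.2.1.1.1.0'   # sysDescr.0, answered by every agent
COMMUNITY='ILMI'          # the hard-coded community from the 2001 advisory
V3USER='probe'            # ASSUMPTION: the thread does not name the v3 user
TIMEOUT=2                 # seconds per attempt
RETRIES=0

# Build the snmpget command line for one SNMP version.  Returned as a
# string so it can be reviewed before anything is sent.
snmp_probe_cmd() {
    ver="$1"; host="$2"
    case "$ver" in
        1|2c) echo "snmpget -v$ver -c $COMMUNITY -t $TIMEOUT -r $RETRIES $host $OID" ;;
        3)    echo "snmpget -v3 -l noAuthNoPriv -u $V3USER -t $TIMEOUT -r $RETRIES $host $OID" ;;
        *)    echo "unknown SNMP version: $ver" >&2; return 1 ;;
    esac
}

# Interpret snmpget's combined stdout+stderr.  net-snmp prints
# "Timeout: No Response from <host>" when nothing came back, and
# "Unknown user name" / "Authentication failure ..." when a v3 agent sent
# a Report PDU.  A Report is sent before the user is authenticated, so it
# already shows the agent is reachable from this host.
classify_output() {
    out="$1"
    case "$out" in
        *"Timeout: No Response"*)                          echo "no-answer" ;;
        *"Unknown user name"*|*"Authentication failure"*)  echo "reachable-v3-report" ;;
        *"sysDescr"*|*"= STRING"*)                         echo "answered-with-data" ;;
        *)                                                 echo "unclear" ;;
    esac
}

# Run all three probes against one host and print one verdict per version.
probe_host() {
    host="$1"
    for ver in 1 2c 3; do
        cmd=$(snmp_probe_cmd "$ver" "$host")
        out=$(eval "$cmd" 2>&1)
        printf '%s v%s: %s\n' "$host" "$ver" "$(classify_output "$out")"
    done
}

# Usage: ./ilmi-probe.sh router1 router2 ...
# Run it from a host that is NOT permitted by the snmp-server ACL: any
# verdict other than "no-answer" means the ACL is not what stops the query.
for h in "$@"; do probe_host "$h"; done
```

The "answered-with-data" verdict for v1/v2c with community ILMI reproduces exactly what the bug report describes; for v3, "reachable-v3-report" from a host outside the ACL is the equivalent finding even when no real user name is known.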