[c-nsp] How to disable ILMI/SNMP CSCvs33325
Hank Nussbacher
hank at interall.co.il
Wed Sep 21 01:14:30 EDT 2022
On 20/09/2022 15:54, Simon Leinen wrote:
> Gert Doering via cisco-nsp writes:
>> Hi,
>> On Mon, Sep 19, 2022 at 03:47:09PM +0300, Hank Nussbacher via cisco-nsp wrote:
>>> On 19/09/2022 15:40, Gert Doering wrote:
>> https://www.cisco.com/c/dam/en/us/support/docs/csa/cisco-sa-20010227-ios-snmp-ilmi.html
>
>> [..]
>>>> That said, I tried to reproduce it on our boxes, and neither the ASR920
>>>> nor the lone ASR1000 responds to SNMP v1 or v2c queries with community
>>>> "ILMI", with nothing in the config to block it (same source host can
>>>> query with one of the configured SNMP communities). This is on IOS XE
>>>> 16.6.10 and 15.5(3)S10 respectively. Seems you need something extra.
>>>
>>> It is V3. Here is a Shodan snippet from one of dozens of alerts we get
>>> per day:
>
>> Good to know. Looking at shodan, I see that both types of devices here
>> are listed as well (ewww!).
>
>> So, need to figure out what the magic -v3 incantation of snmpget is
>> to make this work... (every time I tried v3 so far has led to
>> "more grey hair").
>
> Yeah, I'd like to reproduce/understand that too. I actually remember
> both ILMI (in ATM, sigh) and SNMPv3. One of SNMPv3's distinguishing
> features is that it DOESN'T use community strings anymore. So I'm a bit
> confused as to what the problem is. Is there some implicit mapping from
> SNMPv1/2c communities to SNMPv3 usernames/passwords? Or are the Shodan
> reports referring to information leaks from SNMPv3 engine-ID discovery?
> (e.g. CSCtw74132)
Indeed, the SNMP leaks appear to be exactly CSCtw74132, which we did not
know about, nor did Cisco TAC :-(
Good to know the people here are more knowledgeable than Cisco :-)
Regards,
Hank
>
> Cheers,
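The exchange the thread is circling around, SNMPv3 engine-ID discovery, is by design in RFC 3414: a manager that does not yet know the agent's engine ID sends a message with an empty engine ID and empty user name, and the agent answers with a Report PDU carrying usmStatsUnknownEngineIDs and its own engine ID, with no community string or credential involved. That is why a box that ignores community "ILMI" can still show up on Shodan. The code below is an added example, written for this page and not taken from the thread, from net-snmp or from Cisco. It builds that first discovery message, parses the Report reply, decodes what the engine ID discloses under the RFC 3411 SnmpEngineID layout (IANA enterprise number, format byte; format 3 means the rest is a MAC address), and includes a probe so an operator can confirm, after restricting SNMP, that a device they administer no longer answers from where it should not. SAMPLE_ENGINE_ID, its MAC address and the boots/time values are constructed; enterprise 9 is Cisco's IANA number.

```python
# Added example, not from the cisco-nsp thread or from Cisco: a minimal SNMPv3 engine-ID
# discovery exchange (RFC 3412/3414 message layout, standard library only), so an operator
# can check a device they administer after restricting SNMP and see what an unauthenticated
# Report reply discloses. SAMPLE_ENGINE_ID is a constructed value, not any real device's.
import socket

USM_STATS_UNKNOWN_ENGINE_IDS = "1.3.6.1.6.3.15.1.1.4.0"  # usmStatsUnknownEngineIDs.0
SAMPLE_ENGINE_ID = bytes.fromhex("80000009" "03" "001122334455")  # constructed: enterprise 9, MAC form

# --- minimal BER encoder/decoder, enough for SNMPv3 discovery traffic ---
def ber(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    width = (n.bit_length() + 7) // 8  # long-form length
    return bytes([tag, 0x80 | width]) + n.to_bytes(width, "big") + payload
def ber_int(v):  # shortest two's-complement encoding
    return ber(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))
def ber_octets(b): return ber(0x04, b)
def ber_seq(b): return ber(0x30, b)
def ber_oid(oid):  # sub-identifiers in base 128, high bit set on all but the last byte
    parts = [int(x) for x in oid.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        while p := p >> 7:
            chunk.append(0x80 | (p & 0x7F))
        body.extend(reversed(chunk))
    return ber(0x06, bytes(body))

def ber_decode(data, pos=0):  # -> (tag, value, next position)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(data[pos - n:pos], "big")
    return tag, data[pos:pos + length], pos + length
def ber_children(payload):  # all TLVs inside a constructed value
    items, pos = [], 0
    while pos < len(payload):
        tag, value, pos = ber_decode(payload, pos)
        items.append((tag, value))
    return items
def decode_int(b): return int.from_bytes(b, "big", signed=True)
def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [val], 0
    return ".".join(map(str, parts))

# --- SNMPv3 messages (RFC 3412 SNMPv3Message, RFC 3414 UsmSecurityParameters) ---
def snmpv3_message(flags, engine_id, boots, etime, pdu, msg_id=1):
    header = ber_seq(ber_int(msg_id) + ber_int(65507) + ber_octets(bytes([flags])) + ber_int(3))
    usm = ber_seq(ber_octets(engine_id) + ber_int(boots) + ber_int(etime)
                  + ber_octets(b"") + ber_octets(b"") + ber_octets(b""))  # user, auth, priv empty
    scoped = ber_seq(ber_octets(engine_id) + ber_octets(b"") + pdu)
    return ber_seq(ber_int(3) + header + ber_octets(usm) + scoped)

def build_discovery_request(request_id=1):
    """What snmpget -v3 sends first: reportable flag, empty engine ID and user, empty GetRequest."""
    pdu = ber(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + ber_seq(b""))
    return snmpv3_message(0x04, b"", 0, 0, pdu)

def build_report_reply(engine_id, boots, etime, request_id=1):
    """What an agent answers (used here to build the constructed sample): a Report PDU."""
    varbind = ber_seq(ber_oid(USM_STATS_UNKNOWN_ENGINE_IDS) + ber(0x41, b"\x01"))  # 0x41 = Counter32
    pdu = ber(0xA8, ber_int(request_id) + ber_int(0) + ber_int(0) + ber_seq(varbind))
    return snmpv3_message(0x00, engine_id, boots, etime, pdu)

def parse_snmpv3_report(msg):
    """Engine ID, boots, time and report OIDs from a plaintext SNMPv3 Report; None if it is not one."""
    tag, body, _ = ber_decode(msg)
    items = ber_children(body) if tag == 0x30 else []
    if len(items) != 4 or decode_int(items[0][1]) != 3:
        raise ValueError("not an SNMPv3 message")
    _version, _header, secparams, scoped = items
    usm = ber_children(ber_decode(secparams[1])[1])  # OCTET STRING wrapping the USM SEQUENCE
    pdu = ber_children(scoped[1])[2] if scoped[0] == 0x30 else None  # 0x30 = plaintext ScopedPDU
    if pdu is None or pdu[0] != 0xA8:  # 0xA8 = Report PDU
        return None
    varbinds = ber_children(pdu[1])[3][1]
    return {"engine_id": usm[0][1], "engine_boots": decode_int(usm[1][1]),
            "engine_time": decode_int(usm[2][1]),
            "report_oids": [decode_oid(ber_children(vb)[0][1]) for _, vb in ber_children(varbinds)]}

def describe_engine_id(eid):
    """RFC 3411 SnmpEngineID layout -> (enterprise number, format, remaining octets as hex)."""
    if len(eid) < 5 or not eid[0] & 0x80:
        return None  # legacy (pre-RFC 3411) form, nothing structured to decode
    return int.from_bytes(eid[:4], "big") & 0x7FFFFFFF, eid[4], eid[5:].hex()  # format 3 = MAC address

def probe_engine_id(host, port=161, timeout=2.0):
    """Send one discovery request to a device you administer; None (no answer) is the desired result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_discovery_request(), (host, port))
        try:
            return parse_snmpv3_report(s.recvfrom(4096)[0])
        except socket.timeout:
            return None  # no answer from the device: the state you want after restricting SNMP
```

Offline, `parse_snmpv3_report(build_report_reply(SAMPLE_ENGINE_ID, 7, 12345))` yields the constructed engine ID, boots 7, time 12345 and the single report OID; `describe_engine_id` then reads it as enterprise 9, format 3, MAC 00:11:22:33:44:55, which is the kind of detail an unauthenticated Report hands out. For a live check, run `probe_engine_id("<your-router>")` from a host that the SNMP restriction is supposed to exclude: a parsed dictionary means the device still answers discovery from there, and `None` means it does not. Note that this does not depend on any SNMPv3 user being configured, which is consistent with Simon's observation that SNMPv3 does not use community strings at all.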