[c-nsp] How to disable ILMI/SNMP CSCvs33325

Gert Doering gert at greenie.muc.de
Wed Sep 21 04:30:34 EDT 2022


Hi,

On Wed, Sep 21, 2022 at 08:14:30AM +0300, Hank Nussbacher wrote:
> Indeed the SNMP leaks appear to be exactly CSCtw74132 which we did not 
> know about nor did Cisco TAC :-(

The more I dive into this, the more I want to return to my bed and
pull the blanket over my head...

So, the Cisco bug ID claims "this has been fixed in some versions",
but none of those are "ASR920 IOS trains" (except 03.9(00)E, which
is sort of weird).

The bug also claims "CVE ID CVE-2012-5719 has been assigned", but 
MITRE says "** RESERVED ** This candidate has been reserved by an
organization or individual that will use it when announcing a new
security problem", so it got never published...


That said, I then went to test our Junipers and Aristas, and they
all do the same silly shit - no SNMPv3 configured, strict ACLs for
all configured SNMP communities, and *still* SNMP engine discovery
works from arbitrary sources out there.  On the switches it's not
that annoying (management interface is in a well-isolated network
segment) but on the routers, customer-facing IPs are reachable
"from the world".

Sounds like a nice reflection attack in the coming...

*grumble*

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert at greenie.muc.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20220921/2b99438d/attachment.sig>


More information about the cisco-nsp mailing list