[c-nsp] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte Is vulnerability pre or post ACL?
Nick Hilliard
nick at foobar.org
Fri Sep 26 10:03:12 EDT 2025
Drew Weaver via cisco-nsp wrote on 26/09/2025 14:13:
> I assume that the ACL blocking access to hosts other than the NMS
> would be enough to prevent this from being super widely exploitable
> but it's IOS so I am thinking in IOS terms.
The description says that you need to be authenticated before being able
to exploit this particular vuln. I.e. you need an snmp community or
snmpv3 username / password to make this work.
Having said that:
1. the "Workarounds" section doesn't include SNMP ACLs as a mitigation
measure
2. it's possible to retrieve an snmp engineid on several different
xe/nxos platforms without authentication, even if there's an ACL in
place (check out the "snmp-info.nse" script in nmap for this particular
hilarity). This suggests - but doesn't prove - that ACLs are handled
inside the IOS snmp engine, and that they are applied some time after
incoming snmp datagrams are parsed.
This isn't an answer to your question, but if I had concerns about
people having snmp credentials, I'd be thinking hard about an upgrade to
a fixed version.
Nick
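A way to check point 2 for yourself, from a host that is not in the NMS ACL: an SNMPv3 discovery datagram carries no community or USM credential, so if the device answers it with a Report PDU the ACL is evidently evaluated after the packet has been parsed. This is an added stand-alone example, not code from the thread or from nmap's snmp-info.nse; the engineID and the `sample_report()` response are constructed for the offline test, not captures.

```python
"""Minimal SNMPv3 engine-ID discovery probe (added example, stdlib only)."""
import socket, struct

def tlv(tag, payload):  # BER TLV, definite length, payloads up to 65535 bytes
    n = len(payload)
    ln = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + ln + payload
def integer(v): return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # v >= 0 only
def octets(b): return tlv(0x04, b)
def seq(*items): return tlv(0x30, b"".join(items))
def discovery_request(msg_id=0x1234, req_id=1):
    """GetRequest with empty engineID/user (RFC 3414 s.4): the agent replies with a Report carrying its engineID, no credentials needed."""
    glob = seq(integer(msg_id), integer(65507), octets(b"\x04"), integer(3))  # msgFlags=reportable, USM
    usm = seq(octets(b""), integer(0), integer(0), octets(b""), octets(b""), octets(b""))
    pdu = tlv(0xA0, integer(req_id) + integer(0) + integer(0) + seq())     # empty varbind list
    return seq(integer(3), glob, octets(usm), seq(octets(b""), octets(b""), pdu))
def sample_report(engine_id, msg_id=0x1234):
    """Constructed Report (not a capture) in the shape an agent returns to discovery_request()."""
    glob = seq(integer(msg_id), integer(65507), octets(b"\x00"), integer(3))
    usm = seq(octets(engine_id), integer(7), integer(123456), octets(b""), octets(b""), octets(b""))
    vb = seq(tlv(0x06, bytes.fromhex("2b060106030f01010400")), tlv(0x41, b"\x01"))  # usmStatsUnknownEngineIDs.0
    pdu = tlv(0xA8, integer(1) + integer(0) + integer(0) + seq(vb))
    return seq(integer(3), glob, octets(usm), seq(octets(engine_id), octets(b""), pdu))
def read_tlv(buf, pos=0):
    """Decode one TLV at pos -> (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def engine_id_from_response(data):
    """msgAuthoritativeEngineID (hex) from an SNMPv3 message, or None if absent or not v3."""
    tag, body, _ = read_tlv(data)
    if tag != 0x30: return None
    _, version, pos = read_tlv(body)            # msgVersion
    _, _, pos = read_tlv(body, pos)             # msgGlobalData (not needed here)
    tag, usm, _ = read_tlv(body, pos)           # msgSecurityParameters: OCTET STRING wrapping a SEQUENCE
    if version != b"\x03" or tag != 0x04: return None
    _, params, _ = read_tlv(usm)
    tag, engine_id, _ = read_tlv(params)        # first field of UsmSecurityParameters
    return engine_id.hex() if tag == 0x04 and engine_id else None

def probe(host, port=161, timeout=2.0):
    """Send one discovery datagram; engineID hex if the agent answered, None if nothing came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(discovery_request(), (host, port))
        try: return engine_id_from_response(s.recv(4096))
        except (socket.timeout, IndexError): return None
```

Run `probe()` once from an NMS address and once from a host the ACL should block; an engineID coming back in the second case is the post-parse behaviour Nick describes, and a silent timeout means the filter sits in front of the parser.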