[c-nsp] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte Is vulnerability pre or post ACL?
Drew Weaver
drew.weaver at thenap.com
Fri Sep 26 10:06:25 EDT 2025
Yes I was specifically asking about the deep inner workings of whether SNMP in IOS looks at the OID at all prior to the ACL.
It would appear that, by saying "use a community string" (duh), they have somehow confirmed that it does not look at the OID at all prior to checking the community string; but yes, I was specifically asking whether or not anyone actually knows whether it looks at the OID at all prior to the ACL.
I'm not really *worried* about any of it, to your point, but it would be nice to know.
Thanks,
-Drew
-----Original Message-----
From: Nick Hilliard <nick at foobar.org>
Sent: Friday, September 26, 2025 10:03 AM
To: Drew Weaver <drew.weaver at thenap.com>
Cc: 'cisco-nsp at puck.nether.net' <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte Is vulnerability pre or post ACL?
Drew Weaver via cisco-nsp wrote on 26/09/2025 14:13:
> I assume that the ACL blocking access to hosts other than the NMS
> would be enough to prevent this from being super widely exploitable
> but it's IOS so I am thinking in IOS terms.
The description says that you need to be authenticated before being able to exploit this particular vuln, i.e. you need an SNMP community or SNMPv3 username/password to make this work.
Having said that:
1. the "Workarounds" section doesn't include SNMP ACLs as a mitigation measure
2. it's possible to retrieve an snmp engineid on several different xe/nxos platforms without authentication, even if there's an ACL in place (check out the "snmp-info.nse" script in nmap for this particular hilarity). This suggests - but doesn't prove - that ACLs are handled inside the IOS snmp engine, and that they are applied some time after incoming snmp datagrams are parsed.
This isn't an answer to your question, but if I had concerns about people having snmp credentials, I'd be thinking hard about an upgrade to a fixed version.
Nick
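Nick's second point is that an ACL attached to an SNMP community (or SNMPv3 group) is evaluated inside the SNMP engine, after the datagram has already been parsed. An operator who wants non-NMS SNMP traffic discarded before it reaches the SNMP process at all can enforce that at the control plane with CoPP, and keep the community ACL as a second layer. The IOS configuration below is an added illustration for this thread, not text from the advisory or from either poster; the NMS address 192.0.2.10, the ACL/class-map/policy-map names, the community string placeholder and the police rate are assumptions.

```cisco
! --- Layer 1: filter UDP/161 at the control plane, before the SNMP engine parses anything ---
! In a CoPP class, ACL "permit" entries select traffic INTO the class and "deny" entries
! keep it OUT, so the NMS is "denied" here (exempt from the drop class) and everyone
! else is "permitted" (selected for dropping).
ip access-list extended COPP-SNMP-DROP
 remark NMS (assumed address) is exempt from the drop class
 deny   udp host 192.0.2.10 any eq snmp
 deny   udp host 192.0.2.10 any eq snmptrap
 remark every other SNMP source lands in the drop class
 permit udp any any eq snmp
 permit udp any any eq snmptrap
!
class-map match-all COPP-SNMP-DROP
 match access-group name COPP-SNMP-DROP
!
policy-map COPP
 class COPP-SNMP-DROP
  ! rate is an assumed placeholder; both actions drop, so the value only sizes the counters
  police 8000 conform-action drop exceed-action drop
 class class-default
  police 1000000 conform-action transmit exceed-action transmit
!
control-plane
 service-policy input COPP
!
! --- Layer 2: the community-string ACL the advisory's workaround relies on ---
ip access-list standard SNMP-NMS-ONLY
 permit 192.0.2.10
 deny   any log
!
! <COMMUNITY-PLACEHOLDER> stands for a long, random read-only community string
snmp-server community <COMMUNITY-PLACEHOLDER> RO SNMP-NMS-ONLY
!
! Verification: the drop class counters should rise when a non-NMS host sends SNMP,
! while the standard ACL's "deny any log" entry should stay quiet (nothing reaches it).
! show policy-map control-plane input class COPP-SNMP-DROP
! show ip access-lists SNMP-NMS-ONLY
```

The `show policy-map control-plane` counters give the operator a direct way to confirm the ordering question raised in the thread: if unwanted SNMP is counted and dropped in the CoPP class, it never reaches the SNMP engine, regardless of where IOS evaluates the community ACL internally.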