Security Advisory: Cisco IOS Software Multiple SNMP Community String Vulnerabilities

Revision 1.1 INTERIM

   For Public Release 2001 February 28 11:00 US/Eastern (UTC-0500)
   
Summary

   Multiple Cisco IOS® Software and CatOS software releases contain several independent but
   related vulnerabilities involving the unexpected creation and exposure of SNMP community
   strings. These vulnerabilities can be exploited to permit the unauthorized viewing or
   modification of affected devices.
   
   To remove the vulnerabilities, Cisco is offering free software upgrades for all affected
   platforms. The defects are documented in DDTS records CSCds32217, CSCds16384, CSCds19674,
   CSCdr59314, CSCdr61016, and CSCds49183.
   
   In addition to specific workarounds for each vulnerability, affected systems can be protected
   by preventing SNMP access.
   
   This notice will be posted at
   http://www.cisco.com/warp/public/707/ios-snmp-community-vulns-pub.shtml.
   
Affected Products

   The vulnerabilities described in this notice are present in Cisco router and switch products
   that are running certain releases of Cisco IOS software or CatOS software. Only Cisco
   products running affected releases are vulnerable. No other Cisco products are affected.
   
   To determine the software running on a Cisco product, log in to the device and display the
   system banner with the command "show version". Cisco IOS software will identify itself as
   "Internetwork Operating System Software" or simply "IOS (tm)". The image name will be
   displayed between parentheses, usually on the next line of output, followed by "Version" and
   the IOS release name. Other Cisco devices will not have the "show version" command or will
   give different output.
   
   The following example identifies a Cisco product running IOS release 12.0(3) with an
   installed image name of C2500-IS-L:
Cisco Internetwork Operating System Software IOS (tm)
2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE
       
   To determine if the Cisco product is affected, compare the information obtained above to the
   lists of affected platforms and releases shown below.
   
   Cisco devices that may be running an affected IOS software release include, but are not
   limited to:
     * 800, 1000, 1005, 1400, 1600, 1700, 2500, 2600, 3600, MC3810, 4000, 4500, 4700, 6200, 6400
       NRP, 6400 NSP series Cisco routers.
     * ubr900 and ubr920 universal broadband routers.
     * Catalyst 2900 ATM, 2900XL, 2948g, 3500XL, 4232, 4840g, 5000 RSFC series switches.
     * 5200, 5300, 5800 series access servers.
     * Catalyst 6000 MSM, 6000 Hybrid Mode, 6000 Native Mode, 6000 Supervisor Module, Catalyst
       ATM Blade.
     * RSM, 7000, 7010, 7100, 7200, ubr7200, 7500, 10000 ESR, and 12000 GSR series Cisco
       routers.
     * DistributedDirector.
     * Catalyst 8510CSR, 8510MSR, 8540CSR, 8540MSR series switches.
       
   Cisco products that do not run Cisco IOS software and are not affected by the vulnerabilities
   described in this notice include, but are not limited to:
     * Cisco PIX firewall.
     * Aironet and Cisco/Aironet wireless products.
     * CSS11000, Cache Engine, and LocalDirector products.
     * VPN products such as the Altiga concentrator.
     * Host-based network management or access management products.
     * Cisco IP Telephony and telephony management software (except those that are hosted on a
       vulnerable IOS platform).
     * Voice gateways and convergence products (except those that are hosted on a vulnerable IOS
       platform).
     * Optical switch products such as the ONS 15000 series.
       
Details

   These vulnerabilities are the result of defects in the functions responsible for Simple
   Network Management Protocol (SNMP), an Internet standard for the remote administration of
   network devices. SNMP makes use of one or more labels called "community strings" to delimit
   groups of "objects" (variables) that can be viewed or modified on a device. The SNMP data in
   such a group is organized in a tree structure called a Management Information Base (MIB). A
   single device may have multiple MIBs connected together into one large structure, and various
   community strings may provide read-only or read-write access to different, possibly
   overlapping portions of the larger data structure. An example of a read-only variable might
   be a counter showing the total number of octets sent or received through an interface. An
   example of a read-write variable might be the speed of an interface, or the hostname of a
   device.
   
   Community strings also provide a weak form of access control in earlier versions of SNMP, v1
   and v2c. (SNMPv3 provides much improved access control using strong authentication and should
   be preferred over SNMPv1 and SNMPv2c wherever it is supported.) If a community string is
   defined, then it must be provided in any basic SNMP query if the requested operation is to be
   permitted by the device. Community strings usually allow read-only or read-write access to
   the entire device. In some cases, a given community string will be limited to one group of
   read-only or read-write objects described in an individual MIB.
   
   In the absence of additional configuration options to constrain access, knowledge of the
   single community string for the device is all that is required to gain access to all objects,
   both read-only and read-write, and to modify any read-write objects. The defects responsible
   for these vulnerabilities are grouped here by function:
     1. A read-only community string is unexpectedly added when a "snmp-server community" command
        is entered in the configuration of a device where "community" does not already exist on
        the device as a valid community string. If deleted, this community string will reappear
        after the device is reloaded. CSCdr61016 documents the defect in IOS for routers and
        switch-routers and only affects IOS releases 12.0(7)T, 12.1(1)E and 12.1(2). CSCds49183
        refers to the equivalent defect affecting products from the 2900XL and 3500XL series, and
        only affects IOS releases 12.0(5)XU and 12.0(5)XW.

        The defect arises from the implementation of the SNMPv2 "informs" functionality, which
        involves the exchange of read-only community strings for the sharing of status
        information. When an affected device processes a command defining a host to receive SNMP
        "traps" (logging messages), such as the "snmp-server host" command, the community
        specified in the trap statement is also configured for general use if it is not already
        defined in the saved configuration. This occurs even if the community was previously
        removed and the configuration was saved to memory prior to a system reload.

     2. The read-write community string is exposed when the device is examined via a "walk", or
        traversal, of the View-based Access Control MIB (VACM) using the device's read-only
        community string. View-based Access Control is a feature of SNMPv3 added to IOS in
        version 12.0(3)T. CSCds32217 describes the defect in IOS, CSCds16384 applies to IOS
        running on 2900XL and 3500XL switches, and CSCds19674 documents the defect in CatOS on
        Catalyst switches. Most IOS releases in 12.0 (after 12.0(3)T) as well as most 12.1
        releases contain this vulnerability, as do 12.0(5.2)XU and 12.0(5)XW for the 2900XL
        and 3500XL switches, and CatOS releases 5.4(1) - 5.5(3) and 6.1(1) for the Catalyst
        switches.

     3. Implementation of new cable-industry standards for management of cable modems introduced
        an undocumented read-write community string, "cable-docsis", which was intended only for
        DOCSIS-compliant cable-capable devices. It was inadvertently enabled by default for all
        devices except DOCSIS-compatible cable modems and head end units in a limited range of
        IOS releases. This defect is documented as CSCdr59314. This vulnerability is confined to
        a very narrow set of IOS releases based on 12.1(3) and 12.1(3)T, and it is fixed in
        12.1(4) and 12.1(5)T releases and following.
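
   The following is an added example, not part of the advisory: a small Python audit of a saved
   IOS configuration for the conditions described above, namely trap/inform host communities that
   are not explicitly defined (and so get silently added as read-only communities on affected
   releases), read-write communities that a VACM walk with a read-only string would reveal, and
   communities with no access-list restricting SNMP sources. The configuration excerpt is
   constructed; undocumented defaults such as "cable-docsis" never appear in a configuration, so
   only a fixed release removes them.

```python
import re

# Constructed IOS running-config excerpt used as sample input (not taken from the advisory).
SAMPLE_CONFIG = """\
snmp-server community public RO 10
snmp-server community private RW
snmp-server host 192.0.2.10 traps nms-secret
snmp-server host 192.0.2.11 informs version 2c public
access-list 10 permit 192.0.2.0 0.0.0.255
"""

# "snmp-server community <name> [view <view>] {RO|RW} [<access-list>]"
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?\s+(RO|RW)(?:\s+(\S+))?", re.I)

# "snmp-server host <addr> [traps|informs] [version 1|2c|3 [auth|noauth|priv]] <community> ..."
HOST_RE = re.compile(
    r"^snmp-server host \S+(?:\s+(?:traps|informs))?"
    r"(?:\s+version\s+(?:1|2c|3(?:\s+(?:auth|noauth|priv))?))?\s+(\S+)", re.I)


def audit_snmp_config(config_text):
    """Return a list of (severity, message) findings for the SNMP lines of an IOS config."""
    communities = {}        # community name -> (mode, access-list or None)
    host_communities = []   # communities named on snmp-server host lines
    for line in config_text.splitlines():
        line = line.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            communities[m.group(1)] = (m.group(2).upper(), m.group(3))
            continue
        m = HOST_RE.match(line)
        if m:
            host_communities.append(m.group(1))

    findings = []
    for name, (mode, acl) in communities.items():
        if mode == "RW":
            findings.append(("high", f"read-write community '{name}' defined; on affected "
                                     "releases a VACM walk with any read-only community reveals it"))
        if acl is None:
            findings.append(("medium", f"community '{name}' ({mode}) has no access-list "
                                       "restricting SNMP sources"))
    for name in host_communities:
        if name not in communities:   # the "informs" defect: host community becomes a RO community
            findings.append(("high", f"trap/inform host community '{name}' is not an explicit "
                                     "community; affected releases silently add it as read-only"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_snmp_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```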
       
   Full details are provided in the software section below regarding the status of each
   vulnerability in specific releases.
   
   A separate Cisco Security Advisory has recently been announced regarding an SNMP
   vulnerability due to an undocumented default "ILMI" read-write community string in IOS. That
   advisory, http://www.cisco.com/warp/public/707/ios-snmp-ilmi-vuln-pub.shtml, should be
   consulted in tandem with this notice.
   
Impact

   Knowledge of read-only community strings allows read access to information stored on an
   affected device, leading to a failure of confidentiality. Knowledge of read-write community
   strings allows remote configuration of affected devices without authorization, possibly
   without the awareness of the administrators of the device and resulting in a failure of
   integrity and a possible failure of availability.
   
   These vulnerabilities could be exploited separately or in combination to gain access to or
   modify the configuration and operation of any affected devices without authorization.
   Customers are urged to upgrade affected systems to fixed releases of software, or to apply
   measures to protect such systems against unauthorized use by restricting access to SNMP
   services until such time as the devices can be upgraded.
   
Software Versions and Fixes

   This security advisory represents a combination of multiple related product security
   vulnera...