COMMAND
CISCO
SYSTEMS AFFECTED
CISCO
PROBLEM
The following is based on a Cisco Security Advisory. Multiple Cisco
IOS software and CatOS software releases contain several
independent but related vulnerabilities involving the unexpected
creation and exposure of SNMP community strings. These
vulnerabilities can be exploited to permit the unauthorized
viewing or modification of affected devices.
To remove the vulnerabilities, Cisco is offering free software
upgrades for all affected platforms. The defects are documented
in DDTS records CSCds32217, CSCds16384, CSCds19674, CSCdr59314,
CSCdr61016, and CSCds49183.
The vulnerabilities described in this notice are present in Cisco
router and switch products that are running certain releases of
Cisco IOS software or CatOS software. Only Cisco products
running affected releases are vulnerable.
These vulnerabilities are the result of defects in the functions
responsible for Simple Network Management Protocol (SNMP), an
Internet standard for the remote administration of network
devices. SNMP makes use of one or more labels called "community
strings" to delimit groups of "objects" (variables) that can be
viewed or modified on a device. The SNMP data in such a group is
organized in a tree structure called a Management Information
Base (MIB). A single device may have multiple MIBs connected
together into one large structure, and various community strings
may provide read-only or read-write access to different, possibly
overlapping portions of the larger data structure. An example of
a read-only variable might be a counter showing the total number
of octets sent or received through an interface. An example of a
read-write variable might be the speed of an interface, or the
hostname of a device.
Community strings also provide a weak form of access control in
the earlier versions of SNMP, v1 and v2c. (SNMPv3 provides much
improved access control using strong authentication and should be
preferred over SNMPv1 and SNMPv2c wherever it is supported.) If
a community string is defined, then it must be provided in any
basic SNMP query if the requested operation is to be permitted by
the device. Community strings usually allow read-only or
read-write access to the entire device. In some cases, a given
community string will be limited to one group of read-only or
read-write objects described in an individual MIB.
In the absence of additional configuration options to constrain
access, knowledge of the single community string for the device
is all that is required to gain access to all objects, both
read-only and read-write, and to modify any read-write objects.
The defects responsible for these vulnerabilities are grouped
here by function:
A read-only community string is unexpectedly added when a
"snmp-server community" command is entered in the
configuration of a device where "community" does not already
exist on the device as a valid community string. If deleted,
this community string will reappear after the device is
reloaded. CSCdr61016 documents the defect in IOS for routers
and switch-routers and only affects IOS releases 12.0(7)T,
12.1(1)E and 12.1(2). CSCds49183 refers to the equivalent
defect affecting products from the 2900XL and 3500XL series,
and only affects IOS releases 12.0(5)XU and 12.0(5)XW.
The defect arises from the implementation of the SNMPv2 "informs"
functionality, which involves the exchange of read-only
community strings for the sharing of status information.
When an affected device processes a command that defines a host
to receive SNMP "traps" (logging messages), such as the
"snmp-server host" command, the community specified in the trap
statement is also configured for general use if it is not
already defined in the saved configuration. This occurs even if
the community was previously removed and the configuration was
saved to memory prior to a system reload.
The read-write community string is exposed when the device is
examined via a "walk", or traversal, of the View-based Access
Control MIB (VACM) using the device's read-only community
string. View-based Access Control is a feature of SNMPv3
added to IOS in version 12.0(3)T. CSCds32217 describes the
defect in IOS, CSCds16384 applies to IOS running on 2900XL
and 3500XL switches, and CSCds19674 documents the defect in
CatOS on Catalyst switches. Most IOS releases in 12.0 (after
12.0(3)T) as well as most 12.1 releases contain this
vulnerability, as well as 12.0(5.2)XU and 12.0(5)XW for the
2900XL and 3500XL switches, and CatOS releases 5.4(1) through
5.5(3) and 6.1(1) for the Catalyst switches.
Implementation of new cable-industry standards for management
of cable modems introduced an undocumented read-write
community string, "cable-docsis", which was intended only for
DOCSIS-compliant cable-capable devices. It was inadvertently
enabled by default for all devices except DOCSIS-compatible
cable modems and head end units in a limited range of IOS
releases. This defect is documented as CSCdr59314. This
vulnerability is confined to a very narrow set of IOS releases
based on 12.1(3) and 12.1(3)T, and it is fixed in 12.1(4)
and 12.1(5)T releases and following.
Full details are provided in the software section below regarding
the status of each vulnerability in specific releases.
A separate Cisco Security Advisory has recently been announced
regarding an SNMP vulnerability due to an undocumented default
"ILMI" read-write community string in IOS. That advisory:
http://oliver.efri.hr/~crv/security/bugs/Others/cisco47.html
http://www.cisco.com/warp/public/707/ios-snmp-ilmi-vuln-pub.shtml
should be consulted in tandem with this notice.
Knowledge of read-only community strings allows read access to
information stored on an affected device, leading to a failure of
confidentiality. Knowledge of read-write community strings
allows remote configuration of affected devices without
authorization, possibly without the awareness of the
administrators of the device and resulting in a failure of
integrity and a possible failure of availability.
These vulnerabilities could be exploited separately or in
combination to gain access to or modify the configuration and
operation of any affected devices without authorization.
Customers are urged to upgrade affected systems to fixed releases
of software, or to apply measures to protect such systems against
unauthorized use by restricting access to SNMP services until
such time as the devices can be upgraded.
SOLUTION
This security advisory represents a combination of multiple
related product security vulnerabilities. The affected trains
and releases are not identical for all of the defects, but there
are significant groups of releases where affected versions
intersect with others. Unless otherwise noted, each label
displayed under "Availability of Fixed Releases" identifies the
release that resolves all of these defects for that specific
train. Please note the following exceptions:
- IOS software Major Release version 12.0 and IOS releases based
on 11.x or earlier are not affected by the vulnerabilities
described in this notice. All other releases of 12.0, such as
12.0DA, 12.0S or 12.0T, may be affected.
- CSCdr59314 is only present in certain 12.1(3) releases and does
not affect any other IOS releases.
- Fixes for all six defects have been integrated into 12.2 prior
to its initial availability, and therefore all releases based
on 12.2 and all later versions are not vulnerable to the defects
described in this advisory.
The following table summarizes the IOS software releases that are
known to be affected, and the earliest estimated dates of
availability for the recommended fixed versions. Dates are always
tentative and subject to change.
Train     Description of Image or Platform          Availability of Fixed Releases*
--------  ----------------------------------------  -------------------------------
Where more than one fixed release is given for a train, the entries appear
in the order of the original table's columns: Rebuild, Interim**, Maintenance.

Catalyst Software Releases
5.5                                                 5.5(3) (Available)
6.1                                                 6.1(2) (Available)

11.x-based Releases and Earlier
11.x and  Multiple releases and platforms           Not Vulnerable
earlier

12.0-based Releases
12.0      General Deployment release for all        Not Vulnerable
          platforms
12.0DA    xDSL support: 6100, 6200                  12.1(5)DA1 (2001-Feb-28);
          Vulnerable to CSCds32217                  12.1(6)DA (Unscheduled)
12.0DB    General deployment release for all        12.1(4)DB1 (2001-Feb-26)
          platforms
12.0DC    General deployment release for all        12.1(4)DC2 (2001-Feb-20)
          platforms
12.0S     Core/ISP support: GSR, RSP, c7200         12.0(15)S1 (2001-Feb-20);
                                                    12.0(16)S (2001-Mar-12)
12.0SC    Cable/broadband ISP: ubr7200              12.0(15)SC1 (2001-Feb-26)
12.0SL    10000 ESR: c10k                           12.0(14)SL1 (2001-Feb-26)
12.0ST    General deployment release for all        12.0(11)ST2 (2001-Feb-26);
          platforms                                 12.0(15)ST (2001-Mar-05)
12.0SX    Early Deployment (ED)                     12.1(5c)E8 (2001-Feb-26)
12.0T     Early Deployment (ED): VPN, Distributed   12.1(7) (2001-Feb-26)
          Director, various platforms
12.0W5    Catalyst switches: cat8510c, cat8540c,    Not Vulnerable
          c6msm, ls1010, cat8510m, cat8540m, c5atm,
          c5atm, c3620, c3640, c4500, c5rsfc, c5rsm,
          c7200, rsp, cat2948g, cat4232
12.0WT    Early deployment release                  Not Vulnerable
12.0XA    Early Deployment (ED): limited platforms  12.1(7) (2001-Feb-26)
12.0XB    Short-lived early deployment release      12.1(7) (2001-Feb-26)
12.0XC    Early Deployment (ED): limited platforms  12.1(7) (2001-Feb-26)
12.0XD    Early Deployment (ED): limited platforms  12.1(7) (2001-Feb-26)
12.0XE    Early Deployment (ED): limited platforms  12.1(5c)E8 (2001-Feb-26)
12.0XF    Early Deployment (ED): limited platforms  12.1(7) (2001-Feb-26)
12.0XG    Early Deployment (ED): limited platforms  12.1(7) (2001-Feb-26)
12.0XH    Early Deployment (ED): limited platforms  12.0(4)XH5 (2001-Mar-05)
12.0XI    Early Deployment (ED): limited platforms  12.1(7) (2001-Feb-26)
12.0XJ    Early Deployment (ED): limited platforms  12.1(7) (2001-Feb-26)
12.0XK    Early Deployment (ED): limited platforms  12.0(7)XK4 (2001-Mar-05)
12.0XL    Early Deployment (ED): limited platforms  12.0(4)XH5 (2001-Mar-05)
12.0XM    Short-lived early deployment release      12.1(7) (2001-Feb-26)
12.0XN    Early Deployment (ED): limited platforms  Indeterminate (Unscheduled)
12.0XP    Early Deployment (ED): limited platforms  12.1WC (2001-Apr-12)
12.0XQ    Short-lived early deployment release      12.1(7) (2001-Feb-26)
12.0XR    Short-lived early deployment release      12.1(5)T5 (2001-Mar-05)
12.0XS    Short-lived early deployment release      12.1(5c)E8 (2001-Feb-26)
12.0XU    Early Deployment (ED): limited platforms  12.1WC (2001-Apr-12)
12.0XV    Short-lived early deployment release      12.1(5)T5 (2001-Mar-05);
                                                    12.1WC (2001-Apr-12)

12.1-based and Later Releases
12.1      General deployment release for all        12.1(5.1) (Available);
          platforms                                 12.1(7) (2001-Feb-26)
12.1AA    Dial support                              12.1(7)AA (2001-Feb-26)
12.1DA    xDSL support: 6100, 6200                  12.1(5)DA1 (2001-Feb-28);
                                                    12.1(6)DA (Unscheduled)
12.1CX    Core/ISP support: GSR, RSP, c7200         12.1(4)CX (2001-Feb-20)
12.1DB    General deployment release for all        12.1(4)DB1 (2001-Feb-26)
          platforms
12.1DC    General deployment release for all        12.1(4)DC2 (2001-Feb-26)
          platforms
12.1E     Core/ISP support: GSR, RSP, c7200         12.1(5c)E8 (2001-Feb-26)
12.1EC    Core/ISP support: GSR, RSP, c7200         12.1(5)EC1 (2001-Feb-26)
12.1EX    Core/ISP support: GSR, RSP, c7200         12.1(5c)EX1 (2001-Feb-20)
12.1T     Early Deployment (ED): VPN, Distributed   12.1(5)T5 (2001-Mar-05)
          Director, various platforms
12.1XA    Early Deployment (ED): limited platforms  12.1(5)T5 (2001-Mar-05)
12.1XB    Early Deployment (ED): limited platforms  12.1(5)T5 (2001-Mar-05)
12.1XC    Early Deployment (ED): limited platforms  12.1(5)T5 (2001-Mar-05)
12.1XD    Early Deployment (ED): limited platforms  12.1(5)T5 (2001-Mar-05)
12.1XE    Early Deployment (ED): limited platforms  12.1(5)T5 (2001-Mar-05)
12.1XF    Early Deployment (ED): 811 and 813 (c800  12.1(2)XF3 (2001-Mar-05)
          images)
12.1XG    Early Deployment (ED): 800, 805, 820,     12.1(3)XG4 (2001-Mar-05)
          and 1600
12.1XH    Early Deployment (ED): limited platforms  12.1(2)XH1 (2001-Mar-05)
12.1XI    Early Deployment (ED): limited platforms  12.1(3)XI6 (2001-Mar-05)
12.1XJ    Early Deployment (ED): limited platforms  Indeterminate (Unscheduled)
12.1XK    Early Deployment (ED): limited platforms  12.1(5)T5 (2001-Mar-05)
12.1XL    Early Deployment (ED): limited platforms  12.1(3)XL1 (2001-Mar-05)
12.1XM    Short-lived early deployment release      12.1(5)XM1 (2001-Mar-05)
12.1XP    Early Deployment (ED): 1700 and SOHO      12.1(3)XP3 (2001-Mar-05)
12.1XQ    Short-lived early deployment release      12.1(3)XQ1 (2001-Mar-05)
12.1XR    Short-lived early deployment release      12.1(5)XR1 (2001-Feb-20)
12.1XS    Short-lived early deployment release      12.1(5)XS (2001-Mar-05)
12.1XT    Early Deployment (ED): 1700 series        12.1(3)XT2 (2001-Mar-05)
12.1XU    Early Deployment (ED): limited platforms  12.1(5)XU1 (2001-Feb-15)
12.1XV    Short-lived early deployment release      12.1(5)XV1 (2001-Mar-05)
12.1XW    Short-lived early deployment release      12.1(5)XW2 (2001-Feb-26)
12.1XX    Short-lived early deployment release      12.1(5)XX3 (2001-Feb-26)
12.1XY    Short-lived early deployment release      12.1(5)XY4 (2001-Feb-26)
12.1XZ    Short-lived early deployment release      12.1(5)XZ2 (2001-Feb-26)
12.1YA    Short-lived early deployment release      12.1(5)YA1 (2001-Feb-28)
12.1YB    Short-lived early deployment release      12.1(5)YB (2001-Feb-13)
12.1YC    Short-lived early deployment release      12.1(5)YC1 (2001-Feb-26)
12.1YD    Short-lived early deployment release      12.1(5)YD (2001-Mar-05)

Notes
* All dates are estimated and subject to change.
** Interim releases are subjected to less rigorous testing than regular
maintenance releases, and may have serious bugs.
All of the following workarounds must be configured while in
enable mode on the affected router or switch. Be sure to save
the changes with the "write memory" command after each
configuration change.
The workaround for the vulnerability introduced by CSCdr61016 and
CSCds49183 is to define the community string with the
"snmp-server community" command before entering any "snmp-server
host" command that references it. That command should include the
desired access restrictions on the community string; in the
example below, access list 66 denies every request, so the
community can be used for outbound traps but not for queries. In
the following example, "1.2.3.4" is the IP address of the host
intended to receive SNMP traps:
router#config term
! create access list
router(config)#access-list 66 deny any
! configure community string with access restrictions
router(config)#snmp-server community public ro 66
! configure snmp-server host
router(config)#snmp-server host 1.2.3.4 public
router(config)#exit
router#write memory
router#
If the "snmp-server community" command is entered after one or
more "snmp-server host" commands have been entered using the same
community string, then all of the "snmp-server host" commands
must be re-entered due to the otherwise unrelated defect
CSCdr21997. This latter defect prevents traps or informs from
leaving the router using the community string. The defect is
present in some but not all of the same IOS releases as
CSCdr61016.
To permanently remove communities after definition of the
"snmp-server host" command, the associated "snmp-server host"
commands that correspond to those communities must also be
removed.
The vulnerability described in CSCds32217 and CSCds16384 can be
remedied by using the "snmp-server view" command to block the
ability to poll the SNMP-VIEW-BASED-ACM-MIB. The result is a
view that restricts the ability to browse the
SNMP-VIEW-BASED-ACM-MIB, and it must be applied to all read-only
community strings. For example:
router#config term
! create view
router(config)#snmp-server view novacm internet included
! block vacmSecurityToGroupEntry table
router(config)#snmp-server view novacm internet.6.3.16 excluded
! apply view to read-only community string
router(config)#snmp-server community public view novacm RO
router(config)#exit
router#write memory
router#
If the affected router or switch already contains more than one
read-write community string, then all read-write community strings
must be prevented from reading the SNMP-VIEW-BASED-ACM-MIB. For
read-write community strings that do not have a view applied,
create a new view and apply it to the community string. If a
read-write community string already has a view applied to it,
then modify the view to prevent access to the
SNMP-VIEW-BASED-ACM-MIB. Both situations are shown below.
If the following example is part of a pre-existing configuration:
router#show running-config
...
snmp-server view oldview internet included
snmp-server view oldview ipRouteTable excluded
snmp-server view oldview ipNetToMediaTable excluded
snmp-server view oldview at excluded
snmp-server community tech view oldview RW
snmp-server community private RW
...
then the following modifications will exclude the
SNMP-VIEW-BASED-ACM-MIB:
router#config term
! block vacmSecurityToGroupEntry table in existing view
router(config)#snmp-server view oldview internet.6.3.16 excluded
! create new view
router(config)#snmp-server view novacm internet included
router(config)#snmp-server view novacm internet.6.3.16 excluded
! apply new view
router(config)#snmp-server community private view novacm RW
router(config)#exit
router#write memory
router#
For the fullest protection provided by this workaround, every
existing view on the affected switch or router must be modified
in a similar manner.
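The IOS workarounds above rest on how a view decides whether an OID is visible: among the configured subtrees that are a prefix of the OID, the longest one wins, so adding "internet.6.3.16 excluded" to a view that already has "internet included" hides the whole SNMP-VIEW-BASED-ACM-MIB while leaving the rest of the tree readable. The following Python script is an added example, not Cisco code and not part of the original advisory. It parses the "snmp-server view" and "snmp-server community" lines of the before and after configurations shown above (embedded as constructed samples), applies that longest-prefix rule, and reports which communities can still walk vacmSecurityToGroupTable. The symbolic-name table and the command regexes are this example's own assumptions and cover only the forms used on this page.

```python
import re

# Symbolic OID prefixes the parser understands. Assumption for this example:
# only the names used in the advisory's configurations are resolved here
# (standard MIB-II and SNMPv2 object identifiers).
SYMBOLS = {
    "internet": (1, 3, 6, 1),
    "at": (1, 3, 6, 1, 2, 1, 3),
    "ipRouteTable": (1, 3, 6, 1, 2, 1, 4, 21),
    "ipNetToMediaTable": (1, 3, 6, 1, 2, 1, 4, 22),
}

# vacmSecurityToGroupTable (snmpModules.16.1.2), the table the CatOS workaround
# names; the IOS workaround excludes its parent, internet.6.3.16.
VACM_SEC_TO_GROUP = (1, 3, 6, 1, 6, 3, 16, 1, 2)

# Constructed sample: the pre-existing configuration shown in the advisory.
BEFORE = """
snmp-server view oldview internet included
snmp-server view oldview ipRouteTable excluded
snmp-server view oldview ipNetToMediaTable excluded
snmp-server view oldview at excluded
snmp-server community tech view oldview RW
snmp-server community private RW
"""

# Constructed sample: the same configuration with the workaround commands
# appended, as they would be entered at the console.
AFTER = BEFORE + """
snmp-server view oldview internet.6.3.16 excluded
snmp-server view novacm internet included
snmp-server view novacm internet.6.3.16 excluded
snmp-server community private view novacm RW
"""

VIEW_RE = re.compile(
    r"^\s*snmp-server view (\S+) (\S+) (included|excluded)\s*$", re.M | re.I)
COMMUNITY_RE = re.compile(
    r"^\s*snmp-server community (\S+)(?: view (\S+))?(?: (ro|rw))?(?: (\d+))?\s*$",
    re.M | re.I)


def resolve(subtree):
    """Turn 'internet.6.3.16' or '1.3.6.1.2.1.1.5.0' into a tuple of integers."""
    head, *rest = subtree.split(".")
    base = SYMBOLS[head] if head in SYMBOLS else (int(head),)
    return base + tuple(int(x) for x in rest)


def parse_views(config):
    """view name -> list of (subtree, included) entries in configuration order."""
    views = {}
    for name, subtree, kind in VIEW_RE.findall(config):
        views.setdefault(name, []).append((resolve(subtree), kind.lower() == "included"))
    return views


def parse_communities(config):
    """community -> {view, mode, acl}; a re-entered community keeps its last form,
    which is how IOS treats a repeated snmp-server community command."""
    comms = {}
    for name, view, mode, acl in COMMUNITY_RE.findall(config):
        comms[name] = {"view": view or None, "mode": (mode or "ro").lower(),
                       "acl": acl or None}
    return comms


def oid_in_view(oid, entries):
    """Longest-prefix rule: the longest configured subtree that is a prefix of
    the OID decides; an OID under no subtree at all is outside the view."""
    best = None
    for subtree, included in entries:
        if oid[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]


def vacm_readable(config):
    """community -> True if that community can walk vacmSecurityToGroupTable."""
    views = parse_views(config)
    exposure = {}
    for name, c in parse_communities(config).items():
        if c["view"] is None:
            exposure[name] = True  # no view attached: the whole tree is visible
        else:
            exposure[name] = oid_in_view(VACM_SEC_TO_GROUP, views.get(c["view"], []))
    return exposure


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for comm, readable in vacm_readable(cfg).items():
            print(f"{label}: community {comm!r} can read VACM tables: {readable}")
```

Run against a saved configuration, a True entry in the result marks a community that still exposes the read-write strings through the VACM walk; the check is only as good as the views it can parse, so any "snmp-server view" form the regex does not recognise should be reviewed by hand.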
The vulnerability described in CSCds19674 for CatOS can be
remedied by using the "set snmp view" command to prevent access to
the SNMP-VIEW-BASED-ACM-MIB. For example:
switch#set snmp view defaultUserView 1.3.6.1.6.3.16.1.2 excluded nonvolatile
If the "cable-docsis" community string is deleted from the
configuration, then CSCdr59314 causes it to automatically reappear
after the system is reloaded. The following workaround prohibits
the use of the "cable-docsis" community string by defining an
access list statement that completely denies any requests for it:
router#config term
! create access list
router(config)#access-list 66 deny any
! apply access restrictions to cable-docsis community string
router(config)#snmp-server community cable-docsis ro 66
router(config)#exit
router#write memory
router#
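As an added example (not Cisco code and not part of the advisory), the following Python script audits a saved configuration for the two conditions the workarounds in this section address: a trap host whose community has no "snmp-server community" definition (CSCdr61016 and CSCds49183), and a "cable-docsis" community that is not bound to an access list consisting only of deny statements (CSCdr59314). The regexes cover the command forms shown on this page rather than the full IOS grammar, and the two sample configurations, including the 10.0.0.5 address and the "admin" community, are constructed for the example; whether the running release is actually affected must still be checked against the table above.

```python
import re

# Command forms handled: the ones used in this advisory's workarounds
# (assumption; the full IOS syntax has more options).
HOST_RE = re.compile(
    r"^\s*snmp-server host (\S+)(?:\s+(?:traps|informs))?(?:\s+version\s+\S+)?\s+(\S+)",
    re.M | re.I)
COMMUNITY_RE = re.compile(
    r"^\s*snmp-server community (\S+)(?: view \S+)?(?: (?:ro|rw))?(?: (\d+))?\s*$",
    re.M | re.I)
ACL_RE = re.compile(r"^\s*access-list (\d+) (permit|deny) ", re.M | re.I)

# Constructed sample: trap host configured without a community definition,
# "cable-docsis" present with no access list, an unrelated permit ACL.
VULNERABLE = """
snmp-server host 1.2.3.4 public
snmp-server community cable-docsis RW
access-list 10 permit 10.0.0.5
snmp-server community admin RW 10
"""

# Constructed sample: the workaround configuration from this advisory.
WORKAROUND = """
access-list 66 deny any
snmp-server community public ro 66
snmp-server host 1.2.3.4 public
snmp-server community cable-docsis ro 66
"""


def deny_all_acls(config):
    """Numbers of access lists whose every statement is a deny."""
    actions = {}
    for number, action in ACL_RE.findall(config):
        actions.setdefault(number, []).append(action.lower())
    return {n for n, acts in actions.items() if all(a == "deny" for a in acts)}


def audit(config):
    """Return (DDTS id, message) findings for the defects whose community
    strings reappear after a reload."""
    communities = {name: acl or None for name, acl in COMMUNITY_RE.findall(config)}
    deny_all = deny_all_acls(config)
    findings = []
    # CSCdr61016 / CSCds49183: a trap host community with no explicit
    # definition is created read-only by an affected release after reload.
    for host, community in HOST_RE.findall(config):
        if community not in communities:
            findings.append(("CSCdr61016",
                             f"trap host {host} names community '{community}', which "
                             "has no snmp-server community definition"))
    # CSCdr59314: only a deny-all access list keeps the restored
    # "cable-docsis" string from being usable.
    if "cable-docsis" in communities and communities["cable-docsis"] not in deny_all:
        findings.append(("CSCdr59314",
                         "community 'cable-docsis' is present without a deny-all "
                         "access list"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE), ("workaround", WORKAROUND)):
        print(f"{label}: {audit(cfg) or 'no findings'}")
```

An empty result only means the saved configuration contains the workaround; it does not prove the community strings are absent from the running system, so after applying the changes on an affected release the device should be reloaded and the running configuration re-checked.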