COMMAND

    CISCO

SYSTEMS AFFECTED

    CISCO

PROBLEM

    Following is based on a  Cisco Security Advisory.  Multiple  Cisco
    IOS  software   and  CatOS   software  releases   contain  several
    independent but related  vulnerabilities involving the  unexpected
    creation  and   exposure  of   SNMP  community   strings.    These
    vulnerabilities  can  be  exploited  to  permit  the  unauthorized
    viewing or modification of affected devices.

    To remove  the vulnerabilities,  Cisco is  offering free  software
    upgrades for all affected  platforms.  The defects  are documented
    in DDTS  records CSCds32217,  CSCds16384, CSCds19674,  CSCdr59314,
    CSCdr61016, and CSCds49183.

    The vulnerabilities described in this notice are present in  Cisco
    router and switch  products that are  running certain releases  of
    Cisco  IOS  software  or  CatOS  software.   Only  Cisco  products
    running affected releases are vulnerable.

    These vulnerabilities are the  result of defects in  the functions
    responsible  for  Simple  Network  Management  Protocol (SNMP), an
    Internet  standard  for  the  remote  administration  of   network
    devices.  SNMP makes use  of one or more labels  called "community
    strings" to delimit  groups of "objects"  (variables) that can  be
    viewed or modified on a device.  The SNMP data in such a group  is
    organized  in  a  tree  structure  called a Management Information
    Base (MIB).   A single  device may  have multiple  MIBs  connected
    together into one large  structure, and various community  strings
    may provide read-only or read-write access to different,  possibly
    overlapping portions of the larger data structure.  An example  of
    a read-only variable might be  a counter showing the total  number
    of octets sent or received through an interface.  An example of  a
    read-write variable  might be  the speed  of an  interface, or the
    hostname of a device.

    Community strings also  provide a weak  form of access  control in
    earlier  versions  of  SNMP,  v1  and  v2c.  (SNMPv3 provides much
    improved access control using strong authentication and should  be
    preferred over SNMPv1 and SNMPv2c  wherever it is supported).   If
    a community  string is  defined, then  it must  be provided in any
    basic SNMP query if the requested operation is to be permitted  by
    the  device.   Community   strings  usually  allow  read-only   or
    read-write access  to the  entire device.  In some  cases, a given
    community string  will be  limited to  one group  of read-only  or
    read-write objects described in an individual MIB.

    In the  absence of  additional configuration  options to constrain
    access, knowledge of  the single community  string for the  device
    is  all  that  is  required  to  gain  access to all objects, both
    read-only and  read-write, and  to modify  any read-write objects.
    The  defects  responsible  for  these  vulnerabilities are grouped
    here by function:

        A  read-only  community  string  is  unexpectedly added when a
        "snmp-server   community"   command   is   entered   in    the
        configuration of a device  where "community" does not  already
        exist on the device as a valid community string.  If  deleted,
        this  community  string  will  reappear  after  the  device is
        reloaded.  CSCdr61016 documents the defect in IOS for  routers
        and  switch-routers  and  only  affects IOS releases 12.0(7)T,
        12.1(1)E and  12.1(2).   CSCds49183 refers  to the  equivalent
        defect affecting products from  the 2900XL and 3500XL  series,
        and only affects IOS releases 12.0(5)XU and 12.0(5)XW.

        The defect arises from implementation of the SNMPv2  "informs"
        functionality,  which  involves  the  exchange  of   read-only
        community  strings  for  the  sharing  of  status information.
        When an affected  device processes a  command defining a  host
        to  receive  SNMP  "traps"  (logging  messages)  such  as  the
        "snmp-server host"  command, then  the community  specified in
        the trap statement is also configured for general use if it is
        not already defined in  the saved configuration.   This occurs
        even  if  the  community   was  previously  removed  and   the
        configuration was saved to memory prior to a system reload.

        The read-write community string is exposed when the device  is
        examined via a "walk", or traversal, of the View-based  Access
        Control  MIB  (VACM)  using  the  device's read-only community
        string.   View-based  Access  Control  is  a feature of SNMPv3
        added to  IOS in  version 12.0(3)T.  CSCds32217 describes  the
        defect in  IOS, CSCds16384  applies to  IOS running  on 2900XL
        and 3500XL  switches, and  CSCds19674 documents  the defect in
        CatOS on Catalyst switches.  Most IOS releases in 12.0  (after
        12.0(3)T)  as  well  as   most  12.1  releases  contain   this
        vulnerability, as  well as  12.0(5.2)XU and  12.0(5)XW for the
        2900XL  and  3500XL  switches,  and  CatOS  releases  5.4(1) -
        5.5(3)and 6.1(1) for the Catalyst switches.

        Implementation of new cable-industry standards for  management
        of  cable   modems  introduced   an  undocumented   read-write
        community string, "cable-docsis", which was intended only  for
        DOCSIS-compliant cable-capable devices.  It was  inadvertently
        enabled by  default for  all devices  except DOCSIS-compatible
        cable modems  and head  end units  in a  limited range  of IOS
        releases.   This  defect  is  documented  as CSCdr59314.  This
        vulnerability is confined to a very narrow set of IOS releases
        based on  12.1(3) and  12.1(3)T, and  it is  fixed in  12.1(4)
        and 12.1(5)T releases and following.

    Full details are provided in the software section below  regarding
    the status of each vulnerability in specific releases.

    A separate  Cisco Security  Advisory has  recently been  announced
    regarding an  SNMP vulnerability  due to  an undocumented  default
    "ILMI" read-write community string in IOS.  That advisory:

        http://oliver.efri.hr/~crv/security/bugs/Others/cisco47.html
        http://www.cisco.com/warp/public/707/ios-snmp-ilmi-vuln-pub.shtml

    should be consulted in tandem with this notice.

    Knowledge of  read-only community  strings allows  read access  to
    information stored on an affected device, leading to a failure  of
    confidentiality.   Knowledge   of  read-write  community   strings
    allows   remote   configuration   of   affected   devices  without
    authorization,   possibly   without    the   awareness   of    the
    administrators  of  the  device  and  resulting  in  a  failure of
    integrity and a possible failure of availability.

    These  vulnerabilities  could  be   exploited  separately  or   in
    combination  to  gain  access  to  or modify the configuration and
    operation  of   any  affected   devices  without    authorization.
    Customers are urged to upgrade affected systems to fixed  releases
    of software, or to apply measures to protect such systems  against
    unauthorized  use  by  restricting  access  to SNMP services until
    such time as the devices can be upgraded.

SOLUTION

    This  security  advisory  represents  a  combination  of  multiple
    related  product  security  vulnerabilities.   The affected trains
    and releases are not identical  for all of the defects,  but there
    are  significant  groups  of  releases  where  affected   versions
    intersect  with  others.   Unless  otherwise  noted,  each   label
    displayed under  "Availability of  Fixed Releases"  identifies the
    release  that  resolves  all  of  these  defects for that specific
    train.  Please note the following exceptions:
    - IOS software Major Release  version 12.0 and IOS releases  based
      on  11.x  or  earlier  are  not  affected by the vulnerabilities
      described in this notice.   All other releases of 12.0,  such as
      12.0DA, 12.0S or 12.0T, may be affected.
    - CSCdr59314 is only present in certain 12.1(3) releases and  does
      not affect any other IOS releases.
    - Fixes for all six  defects have been integrated into  12.2 prior
      to its  initial availability,  and therefore  all releases based
      on 12.2 and all later versions are not vulnerable to the defects
      described in this advisory.

    The following table summarizes the IOS software releases that  are
    known  to  be  affected,  and  the  earliest  estimated  dates  of
    availability for the recommended fixed versions.  Dates are always
    tentative and subject to change.

    +===========================================================================+
       Train      Description of Image     Availability of Fixed Releases*
                      or Platform
    +===========================================================================+
         Catalyst Software Releases        Rebuild   Interim**   Maintenance
    +===========================================================================+
                                                                5.5(3)
        5.5
                                                                Available
    
                                                                6.1(2)
        6.1
                                                                Available
    +===========================================================================+
       11.x-based Releases and Earlier     Rebuild   Interim**   Maintenance
    +===========================================================================+
      11.x and  Multiple releases and
      earlier   platforms                Not Vulnerable
    +===========================================================================+
             12.0-based Releases           Rebuild   Interim**   Maintenance
    +===========================================================================+
                General Deployment
        12.0    release for all          Not Vulnerable
                platforms
    +----------+------------------------+-----------+----------+----------------+
                xDSL support: 6100,      12.1(5)DA1             12.1(6)DA
       12.0DA   6200
                Vulnerable to
                CSCds32217               2001-Feb-28            Unscheduled
    +----------+------------------------+-----------+----------+----------------+
                General deployment       12.1(4)DB1
       12.0DB   release for all
                platforms                2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                General deployment       12.1(4)DC2
       12.0DC   release for all
                platforms                2001-Feb-20
    +----------+------------------------+-----------+----------+----------------+
                                         12.0(15)S1             12.0(16)S
       12.0S    Core/ISP support: GSR,
                RSP, c7200               2001-Feb-20            2001-Mar-12
    +----------+------------------------+-----------+----------+----------------+
                                         12.0(15)SC1
       12.0SC   Cable/broadband ISP:
                ubr7200                  2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                         12.0(14)SL1
       12.0SL   10000 ESR: c10k
                                         2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                General deployment       12.0(11)ST2            12.0(15)ST
       12.0ST   release for all
                platforms                2001-Feb-26            2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5c)E8
       12.0SX   Early Deployment (ED)
                                         2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                Early Deployment(ED):                           12.1(7)
       12.0T    VPN, Distributed
                Director, various
                platforms                                       2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                Catalyst switches:
                cat8510c, cat8540c,
                c6msm, ls1010,
       12.0W5   cat8510m, cat8540m,      Not Vulnerable
                c5atm, c5atm, c3620,
                c3640, c4500, c5rsfc,
                c5rsm, c7200, rsp,
                cat2948g, cat4232
    +----------+------------------------+-----------+----------+----------------+
       12.0WT   Early deployment         Not Vulnerable
                release
    +----------+------------------------+-----------+----------+----------------+
                                                                12.1(7)
       12.0XA   Early Deployment (ED):
                limited platforms                               2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                                                12.1(7)
       12.0XB   Short-lived early
                deployment release                              2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                                                12.1(7)
       12.0XC   Early Deployment (ED):
                limited platforms                               2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                                                12.1(7)
       12.0XD   Early Deployment (ED):
                limited platforms                               2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5c)E8
       12.0XE   Early Deployment (ED):
                limited platforms        2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                                                12.1(7)
       12.0XF   Early Deployment (ED):
                limited platforms                               2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                                                12.1(7)
       12.0XG   Early Deployment (ED):
                limited platforms                               2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                         12.0(4)XH5
       12.0XH   Early Deployment (ED):
                limited platforms        2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                                                12.1(7)
       12.0XI   Early Deployment (ED):
                limited platforms                               2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                                                12.1(7)
       12.0XJ   Early Deployment (ED):
                limited platforms                               2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                         12.0(7)XK4
       12.0XK   Early Deployment (ED):
                limited platforms        2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                         12.0(4)XH5
       12.0XL   Early Deployment (ED):
                limited platforms        2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                                                12.1(7)
       12.0XM   Short-lived early
                deployment release                              2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                                                Indeterminate
       12.0XN   Early Deployment (ED):
                limited platforms                               Unscheduled
    +----------+------------------------+-----------+----------+----------------+
                                                                12.1WC
       12.0XP   Early Deployment (ED):
                limited platforms                               2001-Apr-12
    +----------+------------------------+-----------+----------+----------------+
                                                                12.1(7)
       12.0XQ   Short-lived early
                deployment release                              2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5)T5
       12.0XR   Short-lived early
                deployment release       2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5c)E8
       12.0XS   Short-lived early
                deployment release       2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                                                12.1WC
       12.0XU   Early Deployment (ED):
                limited platforms                               2001-Apr-12
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5)T5              12.1WC
       12.0XV   Short-lived early
                deployment release       2001-Mar-05            2001-Apr-12
    +===========================================================================+
        12.1-based and Later Releases      Rebuild   Interim**   Maintenance
    +===========================================================================+
                General deployment                   12.1(5.1)  12.1(7)
        12.1    release for all
                platforms                            Available  2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                                                12.1(7)AA
       12.1AA   Dial support
                                                                2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5)DA1             12.1(6)DA
       12.1DA   xDSL support: 6100,
                6200                     2001-Feb-28            Unscheduled
    +----------+------------------------+-----------+----------+----------------+
                                                                12.1(4)CX
       12.1CX   Core/ISP support: GSR,
                RSP, c7200                                      2001-Feb-20
    +----------+------------------------+-----------+----------+----------------+
                General deployment       12.1(4)DB1
       12.1DB   release for all
                platforms                2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                General deployment       12.1(4)DC2
       12.1DC   release for all
                platforms                2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5c)E8
       12.1E    Core/ISP support: GSR,
                RSP, c7200               2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5)EC1
       12.1EC   Core/ISP support: GSR,
                RSP, c7200               2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5c)EX1
       12.1EX   Core/ISP support: GSR,
                RSP, c7200               2001-Feb-20
    +----------+------------------------+-----------+----------+----------------+
                Early Deployment(ED):    12.1(5)T5
       12.1T    VPN, Distributed
                Director, various
                platforms                2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5)T5
       12.1XA   Early Deployment (ED):
                limited platforms        2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5)T5
       12.1XB   Early Deployment (ED):
                limited platforms        2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5)T5
       12.1XC   Early Deployment (ED):
                limited platforms        2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5)T5
       12.1XD   Early Deployment (ED):
                limited platforms        2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5)T5
       12.1XE   Early Deployment (ED):
                limited platforms        2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                Early Deployment (ED):   12.1(2)XF3
       12.1XF   811 and 813 (c800
                images)                  2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                Early Deployment (ED):   12.1(3)XG4
       12.1XG   800, 805, 820, and
                1600                     2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(2)XH1
       12.1XH   Early Deployment (ED):
                limited platforms        2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(3)XI6
       12.1XI   Early Deployment (ED):
                limited platforms        2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                                                Indeterminate
       12.1XJ   Early Deployment (ED):
                limited platforms                               Unscheduled
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5)T5
       12.1XK   Early Deployment (ED):
                limited platforms        2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(3)XL1
       12.1XL   Early Deployment (ED):
                limited platforms        2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5)XM1
       12.1XM   Short-lived early
                deployment release       2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(3)XP3
       12.1XP   Early Deployment (ED):
                1700 and SOHO            2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(3)XQ1
       12.1XQ   Short-lived early
                deployment release       2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5)XR1
       12.1XR   Short-lived early
                deployment release       2001-Feb-20
    +----------+------------------------+-----------+----------+----------------+
                                                                12.1(5)XS
       12.1XS   Short-lived early
                deployment release                              2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(3)XT2
       12.1XT   Early Deployment (ED):
                1700 series              2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5)XU1
       12.1XU   Early Deployment (ED):
                limited platforms        2001-Feb-15
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5)XV1
       12.1XV   Short-lived early
                deployment release       2001-Mar-05
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5)XW2
       12.1XW   Short-lived early
                deployment release       2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5)XX3
       12.1XX   Short-lived early
                deployment release       2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5)XY4
       12.1XY   Short-lived early
                deployment release       2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5)XZ2
       12.1XZ   Short-lived early
                deployment release       2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5)YA1
       12.1YA   Short-lived early
                deployment release       2001-Feb-28
    +----------+------------------------+-----------+----------+----------------+
                                                                12.1(5)YB
       12.1YB   Short-lived early
                deployment release                              2001-Feb-13
    +----------+------------------------+-----------+----------+----------------+
                                         12.1(5)YC1
       12.1YC   Short-lived early
                deployment release       2001-Feb-26
    +----------+------------------------+-----------+----------+----------------+
                                                                12.1(5)YD
       12.1YD   Short-lived early
                deployment release                              2001-Mar-05
    +===========================================================================+
                                   Notes
    
     * All dates are estimated and subject to change.
    
     ** Interim releases are subjected to less rigorous testing than regular
     maintenance releases, and may have serious bugs.
    +===========================================================================+

    All  of  the  following  workarounds  must  be configured while in
    enable mode on  the affected router  or switch.   Be sure to  save
    the  changes   with  the   "write  memory"   command  after   each
    configuration change.

    The workaround for the vulnerability introduced by CSCdr61016 and
    CSCds49183 is to configure  community strings for the  snmp-server
    hosts prior to  configuring the snmp-server  hosts.  This  command
    should include the desired  access restrictions on this  community
    string.  In the following example, "1.2.3.4" is the IP address  of
    the host intended to receive SNMP traps:

        router#config term
           ! create access list
        router(config)#access-list 66 deny any
           ! configure community string with access restrictions
        router(config)#snmp-server community public ro 66
           ! configure snmp-server host
        router(config)#snmp-server host 1.2.3.4 public
        router(config)#exit
        router#write memory
        router#

    If the  "snmp-server community"  command is  entered after  one or
    more "snmp-server host" commands have been entered using the  same
    community  string,  then  all  of  the "snmp-server host" commands
    must  be  re-entered  due   to  the  otherwise  unrelated   defect
    CSCdr21997.   This latter  defect prevents  traps or  informs from
    leaving the  router using  the community  string.   The defect  is
    present  in  some  but  not  all  of  the  same  IOS  releases  as
    CSCdr61016.

    To  permanently  remove  communities   after  definition  of   the
    "snmp-server  host"  command,  the  associated  "snmp-server host"
    commands  that  correspond  to  those  communities  must  also  be
    removed.

    The vulnerability  described in  CSCds32217 and  CSCds16384 can be
    remedied  by  using  the  "snmp-server  view" command to block the
    ability  to  poll  the  SNMP-VIEW-BASED-ACM-MIB.   The result is a
    view    that    restricts    the    ability    to    browse    the
    SNMP-VIEW-BASED-ACM-MIB, and it must  be applied to all  read-only
    community strings.  For example:

        router#config term
           ! create view
        router(config)#snmp-server view novacm internet included
           ! block vacmSecurityToGroupEntry table
        router(config)#snmp-server view novacm internet.6.3.16 excluded
           ! apply view to read-only security string
        router(config)#snmp-server community public view novacm RO
        router(config)#exit
        router#write memory
        router#

    If the affected  router or switch  already contains more  than one
    read-write community string, then all read-write community strings
    must be prevented from  reading the SNMP-VIEW-BASED-ACM-MIB.   For
    read-write  community  strings  that  do  not have a view applied,
    create a  new view  and apply  it to  the community  string.  If a
    read-write  community  string  already  has  a view applied to it,
    then   modify    the    view   to    prevent    access   to    the
    SNMP-VIEW-BASED-ACM-MIB.  Both situations are shown below.

    If the following example is part of a pre-existing configuration:

        router#show running-config
        ...
        snmp-server view oldview internet included
        snmp-server view oldview ipRouteTable excluded
        snmp-server view oldview ipNetToMediaTable excluded
        snmp-server view oldview at excluded
        snmp-server community tech view oldview RW
        snmp-server community private RW
        ...

    then    the    following    modifications    will    exclude   the
    SNMP-VIEW-BASED-ACM-MIB:

        router#config term
           ! block vacmSecurityToGroupEntry table in existing view
        router(config)#snmp-server view oldview internet.6.3.16 excluded
           ! create new view
        router(config)#snmp-server view novacm internet included
        router(config)#snmp-server view novacm internet.6.3.16 excluded
           ! apply new view
        router(config)#snmp-server community private view novacm RW
        router(config)#exit
        router#write memory
        router#

    For  the  fullest  protection  provided  by this workaround, every
    existing view on  the affected switch  or router must  be modified
    in a similar manner.

    The  vulnerability  described  in  CSCds19674  for  CatOS  can  be
    remedied by using the "set snmp view" command to prevent access to
    the SNMP-VIEW-BASED-ACM-MIB.  For example:

        switch#set snmp view defaultUserView 1.3.6.1.6.3.16.1.2 excluded nonvolatile

    If  the  "cable-docsis"  community  string  is  deleted  from  the
    configuration, then CSCdr59314 causes it to automatically reappear
    after the system is reloaded.  The following workaround  prohibits
    the  use  of  the  "cable-docsis"  community string by defining an
    access list statement that completely denies any requests for it:

        router#config term
           ! create access list
        router(config)#access-list 66 deny any
           ! apply access restrictions to cable-docsis community string
        router(config)#snmp-server community cable-docsis ro 66
        router(config)#exit
        router#write memory
        router#