Re: on topic - cisco snmp

[Ilker Temir <itemir () cisco com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is in response to the e-mail sent by Lee E. Rian. The original e-mail
is available at
http://lists.netsys.com/pipermail/full-disclosure/2003-June/010153.html

Hello Lee,

Thank you for notifying us about this issue. We have updated the examples at
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00800948e6.shtml
and excluded the MIBs that may create a security exposure.

We are always very interested in vulnerability reports regarding our
products and welcome the chance to work with security researchers. Such
reports should be directly sent to our team at psirt () cisco com or to
security-alert () cisco com for emergency response.

Thank you again,

Regards,
- --
Ilker Temir
Incident Manager, PSIRT
Cisco Systems, Inc.
+32 2 704-6031
http://www.cisco.com/go/psirt

On Fri, 6 Jun 2003 lee.e.rian () census gov wrote:

> If you follow Cisco's suggested work-around for SNMP causes high CPU
> utilization you might be exposing the write community string.
>
> http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00800948e6.shtml
> has the following instructions:
>
>    To avoid performance issues, force the router to prematurely end queries
>    for the route table from the network management system server. Configure
>    the router to respond with a complete message as soon as it receives the
>    start of a request for the route table, as follows:
>    snmp-server view cutdown internet included
>    snmp-server view cutdown ipRouteTable excluded
>    snmp-server view cutdown ipNetToMediaTable excluded
>    snmp-server view cutdown at excluded
>    snmp-server community public view cutdown RO
>    snmp-server community private view cutdown RW
>
> The problem is that the View-based Access Control MIB is now included in
> the read-only view:
> snmpwalk -c public -v 2c c800 vacmAccessWriteViewName
> .iso.org.dod.internet.snmpV2.snmpModules.snmpVacmMIB.vacmMIBObjects.vacmAccessTable.vacmAccessEntry.vacmAccessWriteViewName."public"."".1.noAuthNoPriv
>  =
> .iso.org.dod.internet.snmpV2.snmpModules.snmpVacmMIB.vacmMIBObjects.vacmAccessTable.vacmAccessEntry.vacmAccessWriteViewName."public"."".2.noAuthNoPriv
>  =
> .iso.org.dod.internet.snmpV2.snmpModules.snmpVacmMIB.vacmMIBObjects.vacmAccessTable.vacmAccessEntry.vacmAccessWriteViewName."private"."".1.noAuthNoPriv
>  = cutdown
> .iso.org.dod.internet.snmpV2.snmpModules.snmpVacmMIB.vacmMIBObjects.vacmAccessTable.vacmAccessEntry.vacmAccessWriteViewName."private"."".2.noAuthNoPriv
>  = cutdown
>
> Fix is to remove the Vacm MIB from the view by adding
> snmp-server view cutdown internet.6.3.16 excluded
>
> c800#conf t
> Enter configuration commands, one per line.  End with CNTL/Z.
> c800(config)#snmp-server view cutdown internet.6.3.16 excluded
> c800(config)#end
> c800#
>
> snmpwalk -c public -v 2c c800 vacmAccessWriteViewName
> .iso.org.dod.internet.snmpV2.snmpModules.snmpVacmMIB.vacmMIBObjects.vacmAccessTable.vacmAccessEntry.vacmAccessWriteViewName
>  = No more variables left in this MIB View
>
>
> Lee
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (SunOS)

iD8DBQE+4ghz8/wE0ppYtwURAt9KAJ4/nBObOC6SVHINBsYJatKpAHHaKACfbX+t
Hg5j8KQWRDUdeH8JZGrG/Ts=
=5jZp
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html