Bugtraq mailing list archives

Re: snmp problems still alive...


From: drajnovi () CISCO COM (Damir Rajnovic)
Date: Fri, 10 Mar 2000 18:23:30 +0000


Hello,

Not so long ago there was discussion on this list regarding
problems with SNMP and this is our contribution to it.

With this I will fulfill a request of the customer who brought
this to our attention.

Cheers,

Gaus
---------
Simple Network Management Protocol Version 3 (SNMPv3) is an
interoperable standards-based protocol for network management.
This version is first introduced in Cisco IOS 12.0(3)T.

In all images which implement the new SNMPv3 engine (12.0(3)T
and above and images based on this), the new SNMP engine now
requires that a community string be defined (if used).

Example: If user enters this command:

snmp-server host <ip-address> foonly

then the community string must be defined first with the
command:

snmp-server community <community> [ro|rw]

e.g.

snmp-server community foonly ro

If this required line is not present, then it will be inserted
automatically, using the password defined in snmp-server host
command. The automatically generated snmp-server community line
can not be erased from configuration file. It will be
automatically generated every time.

This requirement was not well documented, but it is indeed a
requirement of the new engine and it is intended behavior. The
updated documentation can be found at

http://www.cisco.com/univercd/cc/td/doc/product/software/
ios120/120newft/120t/120t3/snmp3.htm

(URL is wrapped)

In the case where the customer wishes to use a unique community
string with the "snmp-server host" command but does NOT want
that string to be valid for SNMP polling, simply define that
community string with an access-list which specifies "deny any"

e.g.

snmp-server community foonly ro 10
snmp-server host <ip-address> foonly
access-list 10 deny any

If the administrator is not aware of this and if the configuration
is not carefully inspected after every change, this may lead to
using a weak password for the community string. When snmptrap
daemons do not require a community string, the administrator may
be tempted to use easily guessable passwords.

==============
Damir Rajnovic <psirt () cisco com>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
Phone: +44 7715 546 033
4 The Square, Stockley Park, Uxbridge, MIDDLESEX UB11 1BN, GB
==============
There is no insolvable problems. Question remains: can you
accept the solution?


Current thread: