Tutorial - Cisco IOS SNMP Access

Cisco IOS SNMP Access

CAN 1999-0517

Impact

SNMP vulnerabilities in Cisco IOS and CatOS operating systems could allow a remote attacker to view or change configuration information on the affected device.

Background

The Simple Network Management Protocol (SNMP) is a widespread protocol allowing network administrators to obtain information on and even configure various network devices remotely. It is very common on all but the most basic networking hardware (hubs, switches, routers, etc), and many other networked devices (networked printers, terminal servers, etc). Many workstations/PCs also have SNMP clients running on them as well, and most network management packages (commercial and non-commercial) make extensive use of SNMP for information gathering.

Most devices that provide SNMP allow enormous amounts of data to be accessed over it. The exact information available depends on the type of device, its manufacturer and model, but generally include details of the hardware and OS type, information on the various network interfaces, statistics on the various network protocols, and general and vendor-specific details about what the device does and is doing. The volume of data available is generally too much to be useful to a systems administrator without some management code to sort through it. The security risks of allowing a potential intruder access to this information depends largely on what type of device it is, but realize that if the data is known to the device, it is probably accessible via SNMP.

Many devices allow themselves to be configured remotely via SNMP as well. Devices which do so generally can be completely configured in such a manner. This can definitely be of use to systems administrators, but also is an obvious security concern.

Despite its popularity, SNMP v1 and v2 have rather basic access control, using passwords called community strings. Most devices are set up with two community strings, a read community for viewing information and a set or write community for changing configurations. Many devices come out of the box with SNMP operational and a read community string of "public". Write access often has to be turned on manually, but not always. Needless to say, care should be taken with both settings.

The Problems

Cisco routers running older versions of the IOS or CatOS operating system could be affected by one or more problems which expose community strings or enable built-in community strings which are known to attackers. These strings could allow the attacker to view or modify configuration information using SNMP.

If this vulnerability is detected, the router is affected by one or more of the following problems:

The community community string is created whenever the snmp-server host command is entered, and persists after the device is rebooted, even if the community string is deleted.
If the read-only community string is known, the write community string can be acquired by traversing the View-based Access Control MIB.
cable-docsis is an undocumented read/write community string which is present in some routers. It was intended only for DOCSIS-compliant cable-capable devices, but was inadvertently enabled for other devices.

Resolution

Upgrade to a fixed version of the IOS or CatOS software. See the Cisco advisory to find out which version to use for your device.

Alternatively, workarounds are available to fix some of the vulnerabilities. See the advisory for specific instructions on working around the vulnerabilities.

Some SNMP clients will allow you to restrict which hosts can send some or all write SNMP commands from, and possibly which hosts can get information as well. It is recommended that you configure such if available.

Where can I read more about this?

For more information on these vulnerabilities, see the Cisco advisory. For more information on SNMP, see Cisco's SNMP Reference.