Cisco Security Advisory-
Multiple Cisco IOS® Software and CatOS software releases contain several independent but related vulnerabilities involving the unexpected creation and exposure of SNMP community strings. These vulnerabilities can be exploited to permit the unauthorized viewing or modification of affected devices.
To remove the vulnerabilities, Cisco is offering free software upgrades for all affected platforms. The defects are documented in DDTS records CSCds32217, CSCds16384, CSCds19674, CSCdr59314, CSCdr61016, and CSCds49183.
In addition to specific workarounds for each vulnerability, affected systems can be protected by preventing SNMP access.
This notice will be posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20010228-ios-snmp-community.
-
This section provides details on affected products.
Vulnerable Products
The vulnerabilities described in this notice are present in Cisco router and switch products that are running certain releases of Cisco IOS software or CatOS software. Only Cisco products running affected releases are vulnerable. No other Cisco products are affected.
To determine the software running on a Cisco product, log in to the device and display the system banner with the command "show version". Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS (tm)". The image name will be displayed between parentheses, usually on the next line of output, followed by "Version" and the IOS release name. Other Cisco devices will not have the "show version" command or will give different output.
The following example identifies a Cisco product running IOS release 12.0(3) with an installed image name of C2500-IS-L:
Cisco Internetwork Operating System Software IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE
To determine if the Cisco product is affected, compare the information obtained above to the lists of affected platforms and releases shown below.
Cisco devices that may be running an affected IOS software release include, but are not limited to:
-
800, 1000, 1005, 1400, 1600, 1700, 2500, 2600, 3600, MC3810, 4000,
4500, 4700, 6200, 6400 NRP, 6400 NSP series Cisco routers.
-
ubr900 and ubr920 universal broadband routers.
-
Catalyst 2900 ATM, 2900XL, 2948g, 3500XL, 4232, 4840g, 5000 RSFC
series switches.
-
5200, 5300, 5800 series access servers.
-
Catalyst 6000 MSM, 6000 Hybrid Mode, 6000 Native Mode, 6000
Supervisor Module, Catalyst ATM Blade.
-
RSM, 7000, 7010, 7100, 7200, ubr7200, 7500, 10000 ESR, and 12000 GSR
series Cisco routers.
-
DistributedDirector.
-
Catalyst 8510CSR, 8510MSR, 8540CSR, 8540MSR series switches.
Products Confirmed Not Vulnerable
Cisco products that do not run Cisco IOS software and are not affected by the vulnerabilities described in this notice include, but are not limited to:
-
Cisco PIX firewall.
-
Aironet and Cisco/Aironet wireless products.
-
CSS11000, Cache Engine, and LocalDirector products.
-
VPN products such as the Altiga concentrator.
-
Host-based network management or access management products.
-
Cisco IP Telephony and telephony management software (except those
that are hosted on a vulnerable IOS platform).
-
Voice gateways and convergence products (except those that are hosted
on a vulnerable IOS platform).
-
Optical switch products such as the ONS 15000 series.
No other Cisco products are currently known to be affected by these vulnerabilities.
-
800, 1000, 1005, 1400, 1600, 1700, 2500, 2600, 3600, MC3810, 4000,
4500, 4700, 6200, 6400 NRP, 6400 NSP series Cisco routers.
-
These vulnerabilities are the result of defects in the functions responsible for Simple Network Management Protocol (SNMP), an Internet standard for the remote administration of network devices. SNMP makes use of one or more labels called "community strings" to delimit groups of "objects" (variables) that can be viewed or modified on a device. The SNMP data in such a group is organized in a tree structure called a Management Information Base (MIB). A single device may have multiple MIBs connected together into one large structure, and various community strings may provide read-only or read-write access to different, possibly overlapping portions of the larger data structure. An example of a read-only variable might be a counter showing the total number of octets sent or received through an interface. An example of a read-write variable might be the speed of an interface, or the hostname of a device.
Community strings also provide a weak form of access control in earlier versions of SNMP, v1 and v2c. (SNMPv3 provides much improved access control using strong authentication and should be preferred over SNMPv1 and SNMPv2c wherever it is supported.) If a community string is defined, then it must be provided in any basic SNMP query if the requested operation is to be permitted by the device. Community strings usually allow read-only or read-write access to the entire device. In some cases, a given community string will be limited to one group of read-only or read-write objects described in an individual MIB.
In the absence of additional configuration options to constrain access, knowledge of the single community string for the device is all that is required to gain access to all objects, both read-only and read-write, and to modify any read-write objects. The defects responsible for these vulnerabilities are grouped here by function:
-
The defect arises from implementation of the SNMPv2 "informs"
functionality, which involves the exchange of read-only community strings for
the sharing of status information. When an affected device processes a command
defining a host to receive SNMP "traps" (logging messages) such as the
"snmp-server host" command, then the community
specified in the trap statement is also configured for general use if it is not
already defined in the saved configuration. This occurs even if the community
was previously removed and the configuration was saved to memory prior to a
system reload.
-
The read-write community string is exposed when the device is
examined via a "walk", or traversal, of the View-based Access Control MIB
(VACM) using the device's read-only community string. View-based Access Control
is a feature of SNMPv3 added to IOS in version 12.0(3)T. CSCds32217 describes
the defect in IOS, CSCds16384 applies to IOS running on 2900XL and 3500XL
switches, and CSCds19674 documents the defect in CatOS on Catalyst switches.
Most IOS releases in 12.0 (after 12.0(3)T) as well as most 12.1 releases
contain this vulnerability, as well as 12.0(5.2)XU and 12.0(5)XW for the 2900XL
and 3500XL switches, and CatOS releases 5.4(1) - 5.5(2) and 6.1(1) for the
Catalyst switches.
-
Implementation of new cable-industry standards for management of
cable modems introduced an undocumented read-write community string,
"cable-docsis", which was intended only for DOCSIS-compliant cable-capable
devices. It was inadvertently enabled by default for all devices except
DOCSIS-compatible cable modems and head end units in a limited range of IOS
releases. This defect is documented as CSCdr59314. This vulnerability is
confined to a very narrow set of IOS releases based on 12.1(3) and 12.1(3)T,
and it is fixed in 12.1(4) and 12.1(5)T releases and following.
Full details are provided in the software section below regarding the status of each vulnerability in specific releases.
A separate Cisco Security Advisory has recently been announced regarding an SNMP vulnerability due to an undocumented default "ILMI" read-write community string in IOS. That advisory, https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20010227-ios-snmp-ilmi, should be consulted in tandem with this notice.
-
The defect arises from implementation of the SNMPv2 "informs"
functionality, which involves the exchange of read-only community strings for
the sharing of status information. When an affected device processes a command
defining a host to receive SNMP "traps" (logging messages) such as the
"snmp-server host" command, then the community
specified in the trap statement is also configured for general use if it is not
already defined in the saved configuration. This occurs even if the community
was previously removed and the configuration was saved to memory prior to a
system reload.
-
All of the following workarounds must be configured while in enable mode on the affected router or switch. Be sure to save the changes with the "write memory" command after each configuration change.
The workaround for the vulnerability introduced by CSCdr61016 and CSCds49183 is to configure community strings for the snmp-server hosts prior to configuring the snmp-server hosts. This command should include the desired access restrictions on this community string. In the following example, "1.2.3.4" is the IP address of the host intended to receive SNMP traps:
router#config term ! create access list router(config)#access-list 66 deny any ! configure community string with access restrictions router(config)#snmp-server community public ro 66 ! configure snmp-server host router(config)#snmp-server host 1.2.3.4 public router(config)#exit router#write memory router#
If the "snmp-server community" command is entered after one or more "snmp-server host" commands have been entered using the same community string, then all of the "snmp-server host" commands must be re-entered due to the otherwise unrelated defect CSCdr21997. This latter defect prevents traps or informs from leaving the router using the community string. The defect is present in some but not all of the same IOS releases as CSCdr61016.
To permanently remove communities after definition of the "snmp-server host" command, the associated "snmp-server host" commands that correspond to those communities must also be removed.
The vulnerability described in CSCds32217 and CSCds16384 can be remedied by using the "snmp-server view" command to block the ability to poll the SNMP-VIEW-BASED-ACM-MIB. The result is a view that restricts the ability to browse the SNMP-VIEW-BASED-ACM-MIB, and it must be applied to all read-only community strings. For example:
router#config term ! create view router(config)#snmp-server view novacm internet included ! block vacmSecurityToGroupEntry table router(config)#snmp-server view novacm internet.6.3.16 excluded ! apply view to read-only security string router(config)#snmp-server community public view novacm RO router(config)#exit router#write memory router#
If the affected router or switch already contains more than one read-write community string, then all read-write community strings must be prevented from reading the SNMP-VIEW-BASED-ACM-MIB. For read-write community strings that do not have a view applied, create a new view and apply it to the community string. If a read-write community string already has a view applied to it, then modify the view to prevent access to the SNMP-VIEW-BASED-ACM-MIB. Both situations are shown below.
If the following example is part of a pre-existing configuration:
router#show running-config ... snmp-server view oldview internet included snmp-server view oldview ipRouteTable excluded snmp-server view oldview ipNetToMediaTable excluded snmp-server view oldview at excluded snmp-server community tech view oldview RW snmp-server community private RW ...
then the following modifications will exclude the SNMP-VIEW-BASED-ACM-MIB:
router#config term ! block vacmSecurityToGroupEntry table in existing view router(config)#snmp-server view oldview internet.6.3.16 excluded ! create new view router(config)#snmp-server view novacm internet included router(config)#snmp-server view novacm internet.6.3.16 excluded ! apply new view router(config)#snmp-server community private view novacm RW router(config)#exit router#write memory router#
Note: For the fullest protection provided by this workaround, every existing view on the affected switch or router must be modified in a similar manner.
The vulnerability described in CSCds19674 for CatOS can be remedied by using the "set snmp view" command to prevent access to the SNMP-VIEW-BASED-ACM-MIB. For example:
switch#set snmp view defaultUserView 1.3.6.1.6.3.16.1.2 excluded nonvolatile
If the "cable-docsis" community string is deleted from the configuration, then CSCdr59314 causes it to automatically reappear after the system is reloaded. The following workaround prohibits the use of the "cable-docsis" community string by defining an access list statement that completely denies any requests for it:
router#config term ! create access list router(config)#access-list 66 deny any ! apply access restrictions to cable-docsis community string router(config)#snmp-server community cable-docsis ro 66 router(config)#exit router#write memory router#
-
This security advisory represents a combination of multiple related product security vulnerabilities. The affected trains and releases are not identical for all of the defects, but there are significant groups of releases where affected versions intersect with others. Unless otherwise noted, each label displayed under "Availability of Fixed Releases" identifies the release that resolves all of these defects for that specific train. Please note the following exceptions:
-
IOS software Major Release version 12.0 and IOS releases based on
11.x or earlier are not affected by the vulnerabilities described in this
notice. All other releases of 12.0, such as 12.0DA, 12.0S or 12.0T, may be
affected.
-
CSCdr59314 is only present in certain 12.1(3) releases and does not
affect any other IOS releases.
-
Fixes for all six defects have been integrated into 12.2 prior to its
initial availability, and therefore all releases based on 12.2 and all later
versions are not vulnerable to the defects described in this advisory.
The following table summarizes the IOS software releases that are known to be affected, and the earliest estimated dates of availability for the recommended fixed versions. Dates are always tentative and subject to change.
Each row of the table describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix and the anticipated date of availability for each are listed in the "Rebuild", "Interim", and "Maintenance" columns. A device running any release in the given train that is earlier the release in a specific column (less than the earliest fixed release) is known to be vulnerable, and it should be upgraded at least to the indicated release or a later version (greater than the earliest fixed release label).
When selecting a release, keep in mind the following definitions:
-
Maintenance - Most heavily tested and highly
recommended release of any label in a given row of the table.
-
Rebuild - Constructed from the previous maintenance
or major release in the same train, it contains the fix for a specific defect.
Although it receives less testing, it contains only the minimal changes
necessary to effect the repair.
-
Interim - Built at regular intervals between
maintenance releases and receive less testing. Interims should be selected only
if there is no other suitable release that addresses the vulnerability, and
interim images should be upgraded to the next available maintenance release as
soon as possible. Interim releases are not available via manufacturing, and
usually they are not available for customer download from CCO without prior
arrangement with the Cisco TAC.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco TAC for assistance as shown in the following section.
More information on IOS release names and abbreviations is available at http://www.cisco.com/warp/public/620/1.html.
Train
Description of Image or Platform
Availability of Fixed Releases*
Catalyst Software Releases
Rebuild
Interim**
Maintenance
5.5
5.5(3)
Available
6.1
6.1(2)
Available
11.x-based Releases and Earlier
Rebuild
Interim**
Maintenance
11.x and earlier
Multiple releases and platforms
Not Vulnerable
12.0-based Releases
Rebuild
Interim**
Maintenance
12.0
General Deployment release for all platforms
Not Vulnerable
12.0DA
xDSL support: 6100, 6200 Vulnerable to CSCds32217
12.1(5)DA1
12.1(6)DA
2001-Mar-19
Unscheduled
12.0DB
General Deployment release for all platforms
12.1(4)DB1
2001-Feb-26
12.0DC
General Deployment release for all platforms
12.1(4)DC2
2001-Feb-20
12.0S
Core/ISP support: GSR, RSP, c7200
12.0(15)S1
12.0(16)S
2001-Feb-20
2001-Mar-19
12.0SC
Cable/broadband ISP: ubr7200
12.0(15)SC
2001-Mar-05
12.0SL
12.0(14)SL1
12.0(15)SL
2001-Feb-26
2001-Mar-19
12.0ST
General Deployment release for all platforms
12.0(11)ST2
12.0(15)ST
2001-Feb-26
2001-Mar-05
12.0T
Early Deployment(ED): VPN, Distributed Director, various platforms
12.1(7)
2001-Feb-26
12.0W5
Catalyst switches: cat8510c, cat8540c, c6msm, ls1010, cat8510m, cat8540m, cat2948g, cat4232
Not Vulnerable
12.0WT
cat4840g
Not Vulnerable
12.0XA
Early Deployment (ED): limited platforms
12.1(7)
2001-Feb-26
12.0XB
Early Deployment (ED): limited platforms
12.1(7)
2001-Feb-26
12.0XC
Early Deployment (ED): limited platforms
12.1(7)
2001-Feb-26
12.0XD
Early Deployment (ED): limited platforms
12.1(7)
2001-Feb-26
12.0XE
Early Deployment (ED): limited platforms
12.1(5c)E8
2001-Feb-26
12.0XF
Early Deployment (ED): limited platforms
12.1(7)
2001-Feb-26
12.0XG
Early Deployment (ED): limited platforms
12.1(7)
2001-Feb-26
12.0XH
Early Deployment (ED): limited platforms
12.0(4)XH5
2001-Mar-12
12.0XI
Early Deployment (ED): limited platforms
12.1(7)
2001-Feb-26
12.0XJ
Early Deployment (ED): limited platforms
12.1(7)
2001-Feb-26
12.0XK
Early Deployment (ED): limited platforms
12.0(7)XK3
2001-Mar-19
12.0XL
Early Deployment (ED): limited platforms
12.0(4)XH5
2001-Mar-12
12.0XM
Short-lived early deployment release
12.1(7)
2001-Feb-26
12.0XN
Early Deployment (ED): limited platforms
Indeterminate
Unscheduled
12.0XP
Early Deployment (ED): limited platforms
12.0(5)WC
2001-APR-13
12.0XQ
Short-lived early deployment release
12.1(7)
2001-Feb-26
12.0XR
Short-lived early deployment release
12.1(5)T5
2001-Mar-05
12.0XS
Short-lived early deployment release
12.1(5c)E8
2001-Mar-05
12.0XU
Early Deployment (ED): limited platforms
12.0(5)WC
2001-APR-13
12.0XW
Early Deployment (ED): limited platforms
12.0(5)WC
2001-APR-13
12.0XV
Short-lived early deployment release
12.1(5)T5
12.1WC
2001-Mar-05
2001-Apr-12
12.1-based and Later Releases
Rebuild
Interim**
Maintenance
12.1
General deployment release for all platforms
12.1(5c)
12.1(5.1)
12.1(7)
2001-Feb-20
Available
2001-Feb-26
12.1AA
Dial support
12.1(7)AA
2001-Mar-12
12.1DA
xDSL support: 6100, 6200
12.1(5)DA1
12.1(6)DA
2001-Feb-28
2001-Feb-26
12.1CX
Core/ISP support: GSR, RSP, c7200
12.1(4)CX
2001-Mar-13
12.1DB
General Deployment release for all platforms
12.1(4)DB1
12.1(5)DB
2001-Mar-05
2001-Mar-19
12.1DC
General Deployment release for all platforms
12.1(4)DC2
12.1(5)DC
2001-Mar-05
2001-Mar-19
12.1E
Core/ISP support: GSR, RSP, c7200
12.1(5c)E8
12.1(6)E
2001-Mar-05
2001-Mar-12
12.1EC
Core/ISP support: GSR, RSP, c7200
12.1(5)EC1
12.1(6)EC
2001-Feb-26
2001-Mar-26
12.1EX
Core/ISP support: GSR, RSP, c7200
12.1(5c)EX
2001-Mar-12
12.1EY
Cat8510c, Cat8510m, Cat8540c, Cat8540m, LS1010
Not Affected
12.1T
Early Deployment(ED): VPN, Distributed Director, various platforms
12.1(5)T5
2001-Mar-05
12.1XA
Early Deployment (ED): limited platforms
12.1(5)T5
2001-Mar-05
12.1XB
Early Deployment (ED): limited platforms
12.1(5)T5
2001-Mar-05
12.1XC
Early Deployment (ED): limited platforms
12.1(5)T5
2001-Mar-05
12.1XD
Early Deployment (ED): limited platforms
12.1(5)T5
2001-Mar-05
12.1XE
Early Deployment (ED): limited platforms
12.1(5)T5
2001-Mar-05
12.1XF
Early Deployment (ED): 811 and 813 (c800 images)
12.1(2)XF3
2001-Mar-05
12.1XG
Early Deployment (ED): 800, 805, 820, and 1600
12.1(3)XG4
2001-Mar-05
12.1XH
Early Deployment (ED): limited platforms
12.1(2)XH5
2001-Mar-12
12.1XI
Early Deployment (ED): limited platforms
12.1(3a)XI6
2001-Mar-19
12.1XJ
Early Deployment (ED): limited platforms
Indeterminate
Unscheduled
12.1XK
Early Deployment (ED): limited platforms
12.1(5)T5
2001-Mar-05
12.1XL
Early Deployment (ED): limited platforms
12.1(3)XL1
2001-Mar-05
12.1XM
Short-lived early deployment release
12.1(5)XM1
2001-Feb-28
12.1XP
Early Deployment (ED): 1700 and SOHO
12.1(3)XP3
2001-Mar-05
12.1XQ
Short-lived early deployment release
12.1(3)XQ3
2001-Mar
12.1XR
Short-lived early deployment release
12.1(5)XR1
2001-Feb-20
12.1XS
Short-lived early deployment release
12.1(5)XS
2001-Mar-12
12.1XT
Early Deployment (ED): 1700 series
12.1(3)XT2
2001-Mar-05
12.1XU
Early Deployment (ED): limited platforms
12.1(5)XU1
2001-Feb-15
12.1XV
Short-lived early deployment release
12.1(5)XV1
2001-Mar-12
12.1XW
Short-lived early deployment release
12.1(5)XW2
2001-Mar-6
12.1XX
Short-lived early deployment release
12.1(5)XX3
2001-Mar-6
12.1XY
Short-lived early deployment release
12.1(5)XY4
2001-Mar-6
12.1XZ
Short-lived early deployment release
12.1(5)XZ2
2001-Mar-6
12.1YA
Short-lived early deployment release
12.1(5)YA1
2001-Mar-6
12.1YB
Short-lived early deployment release
12.1(5)YB
2001-Feb-13
12.1YC
Short-lived early deployment release
12.1(5)YC
2001-Mar-12
12.1YD
Short-lived early deployment release
12.1(5)YD
2001-Mar-12
Notes
* All dates are estimated and subject to change.
** Interim releases are subjected to less rigorous testing than regular maintenance releases, and may have serious bugs.
-
IOS software Major Release version 12.0 and IOS releases based on
11.x or earlier are not affected by the vulnerabilities described in this
notice. All other releases of 12.0, such as 12.0DA, 12.0S or 12.0T, may be
affected.
-
CSCdr59314 was discovered internally and repaired. Cisco is aware of one incident in which a customer's routers were modified without authorization by using the "cable-docsis" community string. The vulnerability was brought to the attention of the Cisco Product Security Incident Response Team when the customer reported the incident. The other vulnerabilities were initially reported by customers on one product or confirmed internally on other products during repair.
Although Cisco has no knowledge of a specific program or script designed to make use of these vulnerabilities, there are numerous off-the-shelf programs and scripts available which could be used as-is or modified to exploit any of the vulnerabilities described in this notice.
Cisco is not aware of any general discussion of these vulnerabilities in public forums.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.2
2001-March-07
Revised software table with corrected version numbers. Corrected typos.
Revision 1.1
2001-March-02
Revised software table with corrected version numbers
Revision 1.0
2001-February-28
Initial public release
Show Less
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.