NZNOG
February 2001
- 45 participants
- 37 discussions
NZNOG-People,
I have just finished migrating all of the mailing lists held at The
University of Waikato from one server to another. I don't have any reason
to believe that anything's gone wrong, but please bear with me for today if
it turns out that something has.
- Donald Neal
--
Donald Neal | Q: How many Aucklanders does it take to change
Systems Programmer/Analyst | a light bulb?
The University of Waikato | A: Pass me that candle and I'll tell you.
Hamilton, New Zealand |
---------
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz
where the body of your message reads:
unsubscribe nznog
Matthew Grant from Plain was asking who the WIX route servers peer with.
I figured the results may be of interest to others peering or considering
peering on WIX:
neighbor 202.7.0.1 remote-as 9439
neighbor 202.7.0.1 description Citylink
neighbor 202.7.0.49 remote-as 2687
neighbor 202.7.0.49 description AT-T
! neighbor 202.7.0.65 remote-as 7714
! neighbor 202.7.0.65 description Netlink1
neighbor 202.7.0.76 remote-as 9736
neighbor 202.7.0.76 description Domainz
neighbor 202.7.0.78 remote-as 9718
neighbor 202.7.0.78 description Chello
neighbor 202.7.0.129 remote-as 9343
neighbor 202.7.0.129 description Actrix
neighbor 202.7.0.130 remote-as 9872
neighbor 202.7.0.130 description Actrix-LH
neighbor 202.7.0.177 remote-as 9495
neighbor 202.7.0.177 description Clearview
neighbor 202.7.0.192 remote-as 4768
neighbor 202.7.0.192 description Clear
neighbor 202.7.0.241 remote-as 7657
neighbor 202.7.0.241 description IHUG
neighbor 202.7.1.1 remote-as 4770
neighbor 202.7.1.1 description ICONZ
neighbor 202.7.1.49 remote-as 9436
neighbor 202.7.1.49 description Globe-Net
neighbor 202.7.1.65 remote-as 9445
neighbor 202.7.1.65 description Saturn
neighbor 202.7.1.110 remote-as 4740
neighbor 202.7.1.110 description Voyager
neighbor 202.7.1.129 remote-as 9345
neighbor 202.7.1.129 description Paradise
neighbor 202.7.1.176 remote-as 9503
neighbor 202.7.1.176 description Comnet
neighbor 202.7.1.193 remote-as 9338
neighbor 202.7.1.193 description NLNZ
neighbor 202.7.1.241 remote-as 9325
neighbor 202.7.1.241 description Xtra
neighbor 202.7.1.244 remote-as 9559
neighbor 202.7.1.244 description Plain
Cheers
Si
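As an added example (this is not code from the original post, nor a WIX or Citylink tool), here is a small Python script that turns a block of IOS `neighbor` lines like the one above into a peer inventory and audits it: sessions that are configured out with a leading `!` are recorded as disabled rather than dropped, each active peer is checked against an expected IP-to-ASN list, and any peer address outside the exchange prefix is flagged. The expected peer list, the `202.7.0.0/23` prefix, the local `router bgp 64496` line and the extra `192.0.2.9` neighbour in the sample are all assumptions made for this example; the post states none of them.

```python
"""Peer-inventory audit for Cisco IOS BGP ``neighbor`` configuration.

Added example, not code from the original post. It reads a block of IOS
``neighbor`` lines like the WIX route-server list above, records neighbors
that are configured out with a leading "!" as disabled instead of dropping
them, and compares the active sessions against an expected IP-to-ASN list
and the exchange prefix. EXPECTED_PEERS, EXCHANGE_PREFIX, the local ASN and
the 192.0.2.9 peer in the sample are assumptions made for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One IOS neighbor sub-command per line. A leading "!" is the IOS comment
# marker, so such a line describes a session that is present in the config
# text but not active.
_NEIGHBOR_LINE = re.compile(
    r"^\s*(?P<off>!\s*)?neighbor\s+(?P<ip>\S+)\s+"
    r"(?:remote-as\s+(?P<asn>\d+)|description\s+(?P<desc>.+?))\s*$"
)


@dataclass
class Peer:
    ip: str
    asn: Optional[int] = None
    description: str = ""
    enabled: bool = True


def parse_neighbors(config: str) -> Dict[str, Peer]:
    """Collapse remote-as and description lines into one Peer per address."""
    peers: Dict[str, Peer] = {}
    for line in config.splitlines():
        m = _NEIGHBOR_LINE.match(line)
        if not m:
            continue  # not a neighbor line (router bgp header, blank, etc.)
        ip = m.group("ip")
        ipaddress.ip_address(ip)  # rejects garbage addresses with ValueError
        peer = peers.setdefault(ip, Peer(ip=ip))
        if m.group("off"):
            peer.enabled = False
        if m.group("asn"):
            peer.asn = int(m.group("asn"))
        if m.group("desc"):
            peer.description = m.group("desc").strip()
    return peers


def audit(peers: Dict[str, Peer], expected: Dict[str, int],
          exchange_prefix: str) -> List[str]:
    """Return one human-readable finding per deviation from the expected list."""
    net = ipaddress.ip_network(exchange_prefix)
    findings: List[str] = []
    for ip, peer in peers.items():
        if not peer.enabled:
            continue
        if ipaddress.ip_address(ip) not in net:
            findings.append(f"{ip}: outside exchange prefix {exchange_prefix}")
        if ip not in expected:
            findings.append(f"{ip}: not in expected peer list "
                            f"(AS{peer.asn} {peer.description})")
        elif expected[ip] != peer.asn:
            findings.append(f"{ip}: remote-as {peer.asn}, expected AS{expected[ip]}")
    for ip, asn in expected.items():
        if ip not in peers or not peers[ip].enabled:
            findings.append(f"{ip}: expected AS{asn} session missing or configured out")
    return findings


# Constructed sample: a subset of the lines quoted above, an assumed local
# ASN, plus one extra neighbor (192.0.2.9, a documentation address) added
# to trigger a finding.
SAMPLE_CONFIG = """\
router bgp 64496
 neighbor 202.7.0.1 remote-as 9439
 neighbor 202.7.0.1 description Citylink
 ! neighbor 202.7.0.65 remote-as 7714
 ! neighbor 202.7.0.65 description Netlink1
 neighbor 202.7.0.241 remote-as 7657
 neighbor 202.7.0.241 description IHUG
 neighbor 202.7.1.244 remote-as 9559
 neighbor 202.7.1.244 description Plain
 neighbor 192.0.2.9 remote-as 64500
 neighbor 192.0.2.9 description Not-on-the-list
"""

# Assumed expected state: the Netlink1 session is listed here, so its being
# commented out in the running config is reported.
EXPECTED_PEERS = {
    "202.7.0.1": 9439,
    "202.7.0.65": 7714,
    "202.7.0.241": 7657,
    "202.7.1.244": 9559,
}
EXCHANGE_PREFIX = "202.7.0.0/23"  # assumed; the post does not state the prefix


def run_sample() -> List[str]:
    return audit(parse_neighbors(SAMPLE_CONFIG), EXPECTED_PEERS, EXCHANGE_PREFIX)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run against the sample it reports three findings: the 192.0.2.9 session is outside the exchange prefix and not on the expected list, and the expected Netlink1 session (202.7.0.65) is configured out. Feeding it a `show running-config | section router bgp` capture from a real route server is the intended use; the regex deliberately ignores everything except `remote-as` and `description` lines.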
Hi all, I have been chasing my Telecom account manager for months to get
some progress on this, so I thought I would throw it out here and see where
everyone else is with this. We currently peer with all major ISPs and
backbone providers over either or both WIX and APE. The notable exception
being Telecom Netgate (we do peer directly with Xtra on WIX). We are
paying Telecom currently for a PVC to Netgate for peering with them and I am
unhappy for this to continue (especially as we have almost twice the
outgoing traffic to them as we receive from them!). I have had nothing
more than "I'll get back to you" when attempting to initiate peering with
Telecom (not Xtra). It seems very strange to me that Clear, Telstra and
everyone else is responsive and happy to work for the greater good of the
Internet users in the country, but Telecom only seems interested if someone
else is paying for it.
Greetings
Just a reminder that submissions for the SRS Green Paper close at 5pm tomorrow Friday March 2. Submissions should be sent direct to exe.dir(a)isocnz.org.nz.
Cheers
Sue
Sue Leader - Executive Director
ISOCNZ (Internet Society of New Zealand Inc)
Exe.Dir(a)isocnz.org.nz Voice: +64-4-801-6256 http://www.isocnz.org.nz
PLEASE NOTE CHANGE: P.O.Box 11-881, Wellington
Here is the official word... - We all agree that ATM is evil (thanks
to Chris Wedgewood for those thoughts) and Arron agrees that he won't
let Dean wind him up over the respective merits of the larger C and J
boxes. (and they promise to conduct this meaningful dialog off-line)
>Sender: nobody(a)cisco.com
>From: Cisco Systems Product Security Incident Response Team <psirt(a)cisco.com>
>To: internal-security-announce(a)cisco.com
>Cc: psirt(a)cisco.com
>Subject: Cisco Security Advisory: Cisco IOS Software SNMP Read-Write
> ILMI Community String Vulnerability
>Date: Tuesday, 27 Feb 2001 04:00:00 -0500 (EST)
>
> Cisco IOS Software SNMP Read-Write ILMI Community String Vulnerability
> Revision 1.0: INTERIM
> For Public Release 2001 February 27 04:00 US/Eastern (UTC+0500)
> _______________________________________________________________
>
>Summary
>
> Cisco IOS software releases based on versions 11.x and 12.0 contain
> a defect that allows a limited number of SNMP objects to be viewed
> and modified without authorization using an undocumented ILMI
> community string. Some of the modifiable objects are confined to the
> MIB-II system group, such as "sysContact", "sysLocation", and
> "sysName", that do not affect the device's normal operation but that
> may cause confusion if modified unexpectedly. The remaining objects
> are contained in the LAN-EMULATION-CLIENT and PNNI MIBs, and
> modification of those objects may affect ATM configuration. An
> affected device might be vulnerable to a denial-of-service attack if
> it is not protected against unauthorized use of the ILMI community
> string.
>
> The vulnerability is only present in certain combinations of IOS
> releases on Cisco routers and switches. ILMI is a necessary
> component for ATM, and the vulnerability is present in every IOS
> release that contains the supporting software for ATM and ILMI
> without regard to the actual presence of an ATM interface or the
> physical ability of the device to support an ATM connection.
>
> To remove this vulnerability, Cisco is offering free software
> upgrades for all affected platforms. The defect is documented in
> DDTS record CSCdp11863.
>
> In lieu of a software upgrade, a workaround can be applied to
> certain IOS releases by disabling the ILMI community or "*ilmi" view
> and applying an access list to prevent unauthorized access to SNMP.
> Any affected system, regardless of software release, may be
> protected by filtering SNMP traffic at a network perimeter or on
> individual devices.
>
> This notice will be posted at
> http://www.cisco.com/warp/public/707/ios-snmp-ilmi-vuln-pub.shtml.
>
>Affected Products
>
> The vulnerability is present only in certain releases of Cisco IOS
> Software versions 11.x and 12.0 for router and switch products that
> include support for Asynchronous Transfer Mode (ATM) networking and
> Interim Local Management Interface (ILMI), and it is present without
> regard to any physical capability for supporting an ATM interface.
>
> Cisco IOS Software versions based on 10.3 and earlier do not contain
> the vulnerability. The defect was introduced in 11.0(0.2). All Cisco
> IOS software releases of 12.1 and later have been repaired and are
> not vulnerable to the defect described in this advisory.
>
> To determine the software running on a Cisco product, log in to the
> device and issue the command "show version" to display the system
> banner. Cisco IOS software will identify itself as "Internetwork
> Operating System Software" or simply "IOS (tm)". The image name will
> be displayed between parentheses, usually on the next line of
> output, followed by "Version" and the IOS release name. Other Cisco
> devices will not have the "show version" command or will give
> different output.
>
> The following example identifies a Cisco product running IOS release
> 12.0(3) with an installed image name of C2500-IS-L:
>
> Cisco Internetwork Operating System Software IOS (tm)
> 2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE
>
> The device is not vulnerable to the defect described in this
> advisory since the model 2500 router is specifically excluded in the
> list of unaffected products shown below.
>
> Cisco devices that may be running an affected IOS software release
> include, but are not limited to:
>
> * Cisco 1400 and 1700 series.
>
> * Cisco 2600 (except that c2600-c-mz, c2600-d-mz, c2600-i-mz,
> c2600-io3-mz, and c2600-ix-mz images are not vulnerable).
>
> * Catalyst 2900 ATM, 2900XL, and 2948g series.
>
> * Cisco 3620 (except that c3620-d-mz, c3620-i-mz, c3620-io3-mz,
> and c3620-ix-mz images are not vulnerable).
>
> * Cisco 3640 (except that c3640-d-mz, c3640-i-mz, c3640-io3-mz,
> and c3640-ix-mz images are not vulnerable).
>
> * Cisco 3660 (except that c3660-d-mz, c3660-i-mz, and c3660-ix-mz
> images are not vulnerable).
>
> * Cisco MC3810 (except that mc3810-i-mz, mc3810-is-mz,
> mc3810-is56i-mz, and mc3810-js-mz images are not vulnerable).
>
> * Catalyst 4232, 4840g, 5000 RSFC series switches.
>
> * Cisco 4500, 4700, and 5800 DSC series.
>
> * Cisco 6200, 6400 NRP, and 6400 NSP series.
>
> * Catalyst MSM (c6msm), 6000 Hybrid Mode (c6msfc), and 6000 Native
> Mode (c6sup).
>
> * Cisco RSM, 7000, 7010, 7100, 7200, ubr7200, and 7500 series.
>
> * Catalyst 8510CSR, 8510MSR, 8540CSR, and 8540MSR series.
>
> * Cisco 10000 ESR and 12000 GSR series.
>
> * LS1010 and Cisco 6260-NI2.
>
> * DistributedDirector (except that igs-w3 images are not
> vulnerable).
>
> Cisco products that are not affected by this vulnerability either
> because they have no support for ATM and ILMI, or because they do
> not run IOS include, but are not limited to:
>
> * Catalyst ATM blade (runs possibly affected code, but an SNMP
> connection to the blade is not possible).
>
> * Cisco 800 and 805 series.
>
> * Cisco Universal Broadband Routers ubr900 and ubr920.
>
> * Cisco 1003, 1004, and 1005 series.
>
> * Cisco 1600, 2500, 2800, 4000 series.
>
> * Cisco 2500 Fixed Frad.
>
> * Cisco 3800 (not to be confused with MC3810).
>
> * Cisco 5100, 5200, and 5300 series access servers.
>
> * Catalyst 6000 Supervisor Module.
>
> * Cisco PIX Firewall.
>
> * Aironet and Cisco/Aironet wireless products.
>
> * CS11000, Cache Engine, LocalDirector, and network scaling
> products (except that the Distributed Director might be
> affected).
>
> * VPN products such as Altiga concentrators.
>
> * Host-based network management or access management products.
>
> * Cisco IP Telephony and telephony management software (except
> those that are hosted on a vulnerable IOS platform).
>
> * Voice gateways and convergence platforms (except those that are
> hosted on a vulnerable IOS platform).
>
> * Optical switch products such as the ONS 15000 series.
>
>Details
>
> ILMI (Interim Local Management Interface) is an independent industry
> standard used for configuration of ATM (Asynchronous Transfer Mode)
> interfaces. The standard specifies the use of mechanisms and formats
> previously defined by SNMP (Simple Network Management Protocol).
> Although it is based on SNMP, ILMI communication actually occurs
> using a transport other than IP (Internet Protocol) that traverses
> only the physical ATM link. ILMI is essential to functions such as
> ATM auto-discovery and LANE (LAN Emulation).
>
> SNMP "objects" are variables that are organized into a MIB
> (Management Information Base). The MIB has a tree structure and
> contains both operational (read-only) data as well as configuration
> (read-write) options. By specifying a community string of "ILMI" in
> an SNMP request, access can be obtained to read the objects in three
> specific parts of the overall management tree structure on any
> device affected by this vulnerability: the MIB-II system group, the
> LAN-EMULATION-CLIENT MIB, and the PNNI (Private Network-to-Network
> Interface) MIB. A subset of objects in each part can be modified
> using the same "ILMI" community string.
>
> The MIB-II system group contains basic information about the device
> itself. The number of objects that can be modified is limited.
> Examples include:
>
> * system.sysContact: The contact information for the person or
> organization responsible for managing the device.
>
> * system.sysLocation: A description of the physical location where
> the device is installed or operating.
>
> * system.sysName: The hostname of the device, how it identifies
> itself at the console prompt. (This might not be the same name
> by which the device is known to other hosts on the network.)
>
> Most of the objects in the system MIB are read-only and cannot be
> changed via SNMP, such as the time elapsed since the previous
> restart and textual descriptions of the device's hardware and
> software.
>
> Numerous objects can be viewed in the LAN-EMULATION-CLIENT MIB and
> PNNI MIB, and modification of some of the read-write objects can
> have an effect on ATM operation of the device. The objects in the
> LAN-EMULATION-CLIENT MIB can only be viewed or modified if LANE has
> already been configured on the device.
>
> Access to SNMP in Cisco IOS software can be limited by applying
> access control lists (ACLs), by modifying or removing the SNMP view,
> by removing the community string from the running configuration, or
> by disabling the SNMP service. Any SNMP query that does not meet the
> criteria for access is promptly discarded when such protective
> measures are in place. If a query does meet the criteria for access,
> then a response is formulated and sent.
>
> It is possible to configure the device so that the ILMI community
> string is unavailable in all IOS 11.1 and higher releases. The
> particular method selected to accomplish this depends on the
> specific IOS release and configuration.
>
> This defect is documented as CSCdp11863. The vulnerability is
> repaired by imposing a test such that an SNMP request using the
> "ILMI" community string will only be recognized if it has been
> transported by ILMI.
>
> ATM functionality was added in various 10.x releases of Cisco IOS
> software. However, the function containing the defect was introduced
> when support for ILMI and other ATM features was added in IOS
> release 11.0(0.2). Therefore, all prior releases are not vulnerable.
>
>Impact
>
> If SNMP requests can be received by an affected device, then certain
> MIB objects can be viewed without proper authorization, causing a
> violation of confidentiality.
>
> A subset of the readable MIB objects can be modified without
> authorization to cause a failure of integrity. For example, the
> hostname can be modified so as to confuse network administrators, or
> the contact and location information could be changed with a goal of
> disrupting operations or embarrassing whoever is responsible for the
> device.
>
> Objects in the LAN-EMULATION-CLIENT and PNNI MIBs can be viewed and
> modified, thus resulting in changes to the operation of ATM
> functions. If ATM is in use on the device, this may result in a
> failure of availability.
>
> Any affected device that is not otherwise protected against the
> receipt of SNMP packets is vulnerable to a denial-of-service (DoS)
> attack by flooding the SNMP port with read or write requests.
>
>Software Versions and Fixes
>
> The following table summarizes the known affected Cisco IOS software
> releases and the earliest estimated dates of availability for fixed
> releases. All dates are tentative and subject to change.
>
> Each row of the table describes a release train and the platforms or
> products for which it is intended. If a given release train is
> vulnerable, then the earliest possible releases that contain the fix
> and the anticipated date of availability for each are listed in the
> "Rebuild", "Interim", and "Maintenance" columns. If a device is
> running an earlier release that is known to be vulnerable, it should
> be upgraded to at least the indicated version.
>
> When selecting a release, keep in mind the following definitions:
>
> Maintenance
> Most heavily tested and highly recommended release of any
> label in a given row of the table.
>
> Rebuild
> Constructed from the previous maintenance or major release in
> the same train, it contains the fix for a specific defect.
> Although it receives less testing, it contains only the
> minimal changes necessary to effect the repair.
>
> Interim
> Built at regular intervals between maintenance releases and
> receives less testing. Interims should be selected only if
> there is no other suitable release that addresses the
> vulnerability. Interim releases are usually not available for
> customer download via CCO without prior arrangement.
>
> In all cases, customers should exercise caution to be certain the
> devices to be upgraded contain sufficient memory and that current
> hardware and software configurations will continue to be supported
> properly by the new release. If the information is not clear,
> contact the Cisco TAC for assistance as shown in the following
> section.
>
> More information on IOS release names and abbreviations is available
> at http://www.cisco.com/warp/public/620/1.html.
>
> +===========================================================================+
> | Train | Description of | Availability of Fixed Releases* |
> | | Image or Platform | |
> +===========================================================================+
> | 10.3-based Releases and | | | |
> | Earlier | Rebuild | Interim** | Maintenance |
> +===========================================================================+
> | 10.3 and | | |
> | earlier |All |Not affected |
> +===========================================================================+
> | 11.0-based Releases | Rebuild | Interim** | Maintenance |
> +===========================================================================+
> | | |11.0(22a) | | |
> | 11.0 |Major GD release | | | |
> | |for all platforms |2001-Mar-05 | | |
> +===========================================================================+
> | 11.1-based Releases | Rebuild | Interim** | Maintenance |
> +===========================================================================+
> | | |11.1(24a) | | |
> | 11.1 |Major release for | | | |
> | |all platforms |2001-Mar-05 | | |
> +----------+-------------------+------------+---------------+---------------+
> | |ED release for | | |12.1(7) |
> | 11.1AA |access servers: | | | |
> | |1600, 3200, and | | | |
> | |5200 series. | | |2001-Feb-26 |
> +----------+-------------------+------------+---------------+---------------+
> | |Platform-specific |11.1(36)CA1 | | |
> | 11.1CA |support for 7500, | | | |
> | |7200, 7000, and RSP|2001-Mar-02 | | |
> +----------+-------------------+------------+---------------+---------------+
> | |ISP train: added | | | |
> | |support for FIB, |11.1(36)CC1 | | |
> | 11.1CC |CEF, and NetFlow on| | | |
> | |7500, 7200, 7000, |2001-Mar-02 | | |
> | |and RSP | | | |
> +----------+-------------------+------------+---------------+---------------+
> | |Added support for |12.0(11)ST2 | | |
> | 11.1CT |Tag Switching on | | | |
> | |7500, 7200, 7000, | | | |
> | |and RSP |2001-Feb-26 | | |
> +----------+-------------------+------------+---------------+---------------+
> | | |11.1(28)IA1 | | |
> | 11.1IA |DistributedDirector| | | |
> | |only |2001-Feb-26 | | |
> +===========================================================================+
> | 11.2-based Releases | Rebuild | Interim** | Maintenance |
> +===========================================================================+
> | | |11.2(25a) | | |
> | 11.2 |Major release, | | | |
> | |general deployment |2001-Mar-05 | | |
> +----------+-------------------+------------+---------------+---------------+
> | |Platform-specific | | | |
> | |support for IBM | | |12.1(7) |
> | 11.2BC |networking, CIP, | | | |
> | |and TN3270 on 7500,| | |2001-Feb-26 |
> | |7000, and RSP | | | |
> +----------+-------------------+------------+---------------+---------------+
> | |Early deployment |12.0(15)S1 | | |
> | 11.2GS |release to support | | | |
> | |12000 GSR |2001-Feb-20 | | |
> +----------+-------------------+------------+---------------+---------------+
> | | |11.2(25a)P | | |
> | 11.2P |New platform | | | |
> | |support |2001-Mar-05 | | |
> +----------+-------------------+------------+---------------+---------------+
> | | | | |12.1WC |
> | 11.2SA |Catalyst 2900XL | | | |
> | |switch only | | |2001-Apr-12 |
> +----------+-------------------+------------+---------------+---------------+
> | | | | |12.0(10)W5(18c)|
> | 11.2WA3 |LS1010 ATM switch | | | |
> | | | | |Available |
> +----------+-------------------+------------+---------------+---------------+
> | | |11.2(25a)P | | |
> |11.2(4)XA |Initial release for| | | |
> | |the 1600 and 3600 |2001-Mar-05 | | |
> +----------+-------------------+------------+---------------+---------------+
> | |Initial release for| | | |
> | |the 5300 and |11.2(9)XA1 | | |
> |11.2(9)XA |digital modem | | | |
> | |support for the |Unscheduled | | |
> | |3600 | | | |
> +===========================================================================+
> | 11.3-based Releases | Rebuild | Interim** | Maintenance |
> +===========================================================================+
> | | |11.3(11b) | | |
> | 11.3 |Major release for | | | |
> | |all platforms |2001-Mar-05 | | |
> +----------+-------------------+------------+---------------+---------------+
> | |ED for dial | | | |
> | |platforms and |11.3(11a)AA | | |
> | 11.3AA |access servers: | | | |
> | |5800, 5200, 5300, |2001-Mar-05 | | |
> | |7200 | | | |
> +----------+-------------------+------------+---------------+---------------+
> | |Early deployment |12.1(5)DA1 | | |
> | 11.3DA |train for ISP DSLAM| | | |
> | |6200 platform |2001-Feb-28 | | |
> +----------+-------------------+------------+---------------+---------------+
> | |Early deployment | | | |
> | |train for |12.1(4)DB1 | | |
> | |ISP/Telco/PTT xDSL | | | |
> | 11.3DB |broadband | | | |
> | |concentrator | | | |
> | |platform, (NRP) for|2001-Feb-26 | | |
> | |6400 | | | |
> +----------+-------------------+------------+---------------+---------------+
> | |Short-lived ED | |
> | 11.3HA |release for ISR |Not Vulnerable |
> | |3300 (SONET/SDH | |
> | |router) | |
> +----------+-------------------+------------+---------------+---------------+
> | | |11.3(1)MA8 | | |
> | 11.3MA |MC3810 | | | |
> | |functionality only |Unscheduled | | |
> +----------+-------------------+------------+---------------+---------------+
> | |Voice over IP, |12.1(7) | | |
> | 11.3NA |media convergence, | | | |
> | |various platforms |2001-Mar-05 | | |
> +----------+-------------------+------------+---------------+---------------+
> | |Early deployment |11.3(11b)T1 | | |
> | 11.3T |major release, | | | |
> | |feature-rich for | | | |
> | |early adopters |2001-Mar-05 | | |
> +----------+-------------------+------------+---------------+---------------+
> | |Multilayer | | | |
> | |Switching and | | |12.0(14)W5(20) |
> | |Multiprotocol over | | | |
> | 11.3WA4 |ATM functionality | | | |
> | |for Catalyst 5000 | | | |
> | |RSM, 4500, 4700, | | |2001-Feb-28 |
> | |7200, 7500, LS1010 | | | |
> +----------+-------------------+------------+---------------+---------------+
> | | |11.3(11b)T1 | | |
> |11.3(2)XA |Introduction of | | | |
> | |ubr7246 and 2600 |2001-Mar-05 | | |
> +===========================================================================+
> | 12.0-based Releases | Rebuild | Interim** | Maintenance |
> +===========================================================================+
> | |General deployment | |12.0(7.1) |12.0(16) |
> | 12.0 |release for all | | | |
> | |platforms | |Available |2001-Feb-20 |
> +----------+-------------------+------------+---------------+---------------+
> | | | |12.0(7.1)T | |
> | 12.0DA |xDSL support: 6100,| | | |
> | |6200 | |Available | |
> +----------+-------------------+------------+---------------+---------------+
> | |ISP/Telco/PTT xDSL |12.1(4)DB1 | | |
> | 12.0DB |broadband | | | |
> | |concentrator | | | |
> | |platforms |2001-Feb-26 | | |
> +----------+-------------------+------------+---------------+---------------+
> | | |12.1(4)DC2 | | |
> | 12.0DC |6400 Access | | | |
> | |Concentrator |2001-Feb-26 | | |
> +----------+-------------------+------------+---------------+---------------+
> | | |12.0(15)S1 | | |
> | 12.0S |Core/ISP support: | | | |
> | |GSR, RSP, c7200 |2001-Feb-20 | | |
> +----------+-------------------+------------+---------------+---------------+
> | | |12.0(15)SC1 | | |
> | 12.0SC |Cable/broadband | | | |
> | |ISP: ubr7200 |2001-Feb-26 | | |
> +----------+-------------------+------------+---------------+---------------+
> | | |12.0(14)SL1 | | |
> | 12.0SL |10000 ESR: c10k | | | |
> | | |2001-Feb-26 | | |
> +----------+-------------------+------------+---------------+---------------+
> | |General deployment |12.0(11)ST2 | | |
> | 12.0ST |release for all | | | |
> | |platforms |2001-Feb-26 | | |
> +----------+-------------------+------------+---------------+---------------+
> | | |12.1(5c)E8 | | |
> | 12.0SX |Early Deployment | | | |
> | |(ED) |2001-Feb-26 | | |
> +----------+-------------------+------------+---------------+---------------+
> | |Early | | | |
> | |Deployment(ED): | | |12.1(7) |
> | 12.0T |VPN, Distributed | | | |
> | |Director, various | | |2001-Feb-26 |
> | |platforms | | | |
> +----------+-------------------+------------+---------------+---------------+
> | |cat8510c, cat8540c,| | | |
> | |ls1010, cat8510m, | |12.0(10)W5(18c)|12.0(14)W5(20) |
> | |cat8540m, c5atm, | | | |
> | |c5atm, c3620, | | | |
> | |c3640, c4500, | | | |
> | 12.0W5 |c5rsfc, c5rsm, | |Available |2001-Feb-28 |
> | |c7200, rsp, | | | |
> | |cat2948g, cat4232 | | | |
> | +-------------------+------------+---------------+---------------+
> | | | |12.0(10)W5(18d)|12.0(14)W5(20) |
> | |c6msm | | | |
> | | | |Available |2001-Feb-28 |
> +----------+-------------------+------------+---------------+---------------+
> | |General deployment | | |12.0(13)WT6(1) |
> | 12.0WT |release for all | | | |
> | |platforms | | |2001-Feb-20 |
> +----------+-------------------+------------+---------------+---------------+
> | |Early Deployment | | |12.1(7) |
> | 12.0XA |(ED): limited | | | |
> | |platforms | | |2001-Feb-26 |
> +----------+-------------------+------------+---------------+---------------+
> | | | | |12.1(7) |
> | 12.0XB |Short-lived early | | | |
> | |deployment release | | |2001-Feb-26 |
> +----------+-------------------+------------+---------------+---------------+
> | |Early Deployment | | |12.1(7) |
> | 12.0XC |(ED): limited | | | |
> | |platforms | | |2001-Feb-26 |
> +----------+-------------------+------------+---------------+---------------+
> | |Early Deployment | | |12.1(7) |
> | 12.0XD |(ED): limited | | | |
> | |platforms | | |2001-Feb-26 |
> +----------+-------------------+------------+---------------+---------------+
> | |Early Deployment |12.1(5c)E8 | | |
> | 12.0XE |(ED): limited | | | |
> | |platforms |2001-Feb-26 | | |
> +----------+-------------------+------------+---------------+---------------+
> | |Early Deployment | | |12.1(7) |
> | 12.0XF |(ED): limited | | | |
> | |platforms | | |2001-Feb-26 |
> +----------+-------------------+------------+---------------+---------------+
> | |Early Deployment | | |12.1(7) |
> | 12.0XG |(ED): limited | | | |
> | |platforms | | |2001-Feb-26 |
> +----------+-------------------+------------+---------------+---------------+
> | |Early Deployment |12.0(4)XH5 | | |
> | 12.0XH |(ED): limited | | | |
> | |platforms |2001-Mar-05 | | |
> +----------+-------------------+------------+---------------+---------------+
> | |Early Deployment | | |12.1(7) |
> | 12.0XI |(ED): limited | | | |
> | |platforms | | |2001-Feb-26 |
> +----------+-------------------+------------+---------------+---------------+
> | |Early Deployment | | |12.1(7) |
> | 12.0XJ |(ED): limited | | | |
> | |platforms | | |2001-Feb-26 |
> +----------+-------------------+------------+---------------+---------------+
> | |Early Deployment |12.0(7)XK4 | | |
> | 12.0XK |(ED): limited | | | |
> | |platforms |Unscheduled | | |
> +----------+-------------------+------------+---------------+---------------+
> | |Early Deployment |12.0(4)XH5 | | |
> | 12.0XL |(ED): limited | | | |
> | |platforms |2001-Mar-05 | | |
> +----------+-------------------+------------+---------------+---------------+
> | | | | |12.1(7) |
> | 12.0XM |Short-lived early | | | |
> | |deployment release | | |2001-Feb-26 |
> +----------+-------------------+------------+---------------+---------------+
> | |Early Deployment | | | |
> | 12.0XN |(ED): limited | | | |
> | |platforms | | | |
> +----------+-------------------+------------+---------------+---------------+
> | |Early Deployment | | |12.1WC |
> | 12.0XP |(ED): limited | | | |
> | |platforms | | |2001-Apr-12 |
> +----------+-------------------+------------+---------------+---------------+
> | | | | |12.1(7) |
> | 12.0XQ |Short-lived early | | | |
> | |deployment release | | |2001-Feb-26 |
> +----------+-------------------+------------+---------------+---------------+
> | | |12.1(5)T5 | | |
> | 12.0XR |Short-lived early | | | |
> | |deployment release |2001-Mar-05 | | |
> +----------+-------------------+------------+---------------+---------------+
> | | |12.1(5c)E8 | | |
> | 12.0XS |Short-lived early | | | |
> | |deployment release |2001-Feb-26 | | |
> +----------+-------------------+------------+---------------+---------------+
> | |Early Deployment | | |12.1WC |
> | 12.0XU |(ED): limited | | | |
> | |platforms | | |2001-Apr-12 |
> +----------+-------------------+------------+---------------+---------------+
> | | |12.1(5)T5 | | |
> | 12.0XV |Short-lived early | | | |
> | |deployment release |2001-Mar-05 | | |
> +===========================================================================+
> |12.1-based and Later Releases | Rebuild | Interim** | Maintenance |
> +===========================================================================+
> | All 12.1 | | |
> | Releases |Various platforms |Not Vulnerable |
> +===========================================================================+
> | Notes |
> +===========================================================================+
> | * All dates are estimated and Subject to change. |
> | |
> |** Interim releases are subjected to less rigorous testing than regular |
> | maintenance releases, and may have serious bugs. |
> +===========================================================================+
>
>Obtaining Fixed Software
>
> Cisco is offering free software upgrades to remedy this
> vulnerability for all affected customers. Customers with service
> contracts may upgrade to any software release. Customers without
> contracts may upgrade only within a single row of the table above,
> except that any available fixed software release will be provided to
> any customer who can use it and for whom the standard fixed software
> release is not yet available. Customers may install only the feature
> sets they have purchased.
>
> Note that not all fixed software may be available as of the release
> date of this notice.
>
> Customers with contracts should obtain upgraded software through
> their regular update channels. For most customers, this means that
> upgrades should be obtained via Cisco's Software Center at
> http://www.cisco.com/.
>
> Customers without contracts or warranty should get their upgrades by
> contacting the Cisco Technical Assistance Center (TAC) as shown
> below:
> * (800) 553-2447 (toll-free in North America)
> * +1 408 526 7209 (toll call from anywhere in the world)
> * e-mail: tac(a)cisco.com
>
> See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
> additional TAC contact information, including instructions and
> e-mail addresses for use in various languages.
>
> Give the URL of this notice as evidence of your entitlement to a
> free upgrade. Free upgrades for non-contract customers must be
> requested through the TAC. Please do not contact either
> "psirt(a)cisco.com" or "security-alert(a)cisco.com" for software
> upgrades; faster results will be obtained by contacting the TAC
> directly.
>
>Workarounds
>
> Several workarounds are available based on customer needs,
> equipment, and software features. The usefulness and practicality of
> each workaround depends on the IOS release running on the device and
> many variables in the customer's environment. Customers are urged to
> consider each of the following alternatives carefully before
> deploying. These workarounds are only needed if it is not possible
> to upgrade to an unaffected release of IOS software.
>
> A. Default workaround for use with releases for which no other
> workarounds are effective:
>
> 1. Applying access lists to all the interfaces of the
> vulnerable device blocking SNMP from all hosts but those
> authorized to manage the devices.
>
> 2. Blocking SNMP access at the edge of the network to prevent
> undesirable SNMP traffic from entering the network
> containing the vulnerable device.
>
> Access lists should be deployed with careful consideration of
> the possible effects on network operation and performance. Also
> note that authentication based on an IP source address is weak,
> so the preceding method will not protect against certain types
> of attacks in which the IP source address has been spoofed.
> Further information can be found in the Cisco document
> "Improving Security on Cisco Routers", available at
> http://www.cisco.com/warp/public/707/21.html
>
> B. For affected releases based on IOS 11.1:
>
> 1. Remove the view so that the ILMI community cannot be
> reached:
>
> no snmp-server view *ilmi
>
> 2. This configuration will not survive a system reload. The
> command must be re-entered after every restart of the
> system.
>
> C. For affected releases of IOS 11.2 through 11.3(8) NOT REQUIRING
> ATM:
>
> In this affected range of releases, the ILMI community string
> can be modified or deleted. However, the changes will not
> persist through a reboot of the device. These instructions must
> be re-applied following every system reload of the affected
> device:
>
> 1. Expose the undocumented ILMI community string so it can be
> modified:
>
> snmp-server community ILMI RW
>
> The preceding command may cause an error that can be safely
> ignored.
>
> 2. Disable read-write capability for the same community:
>
> no snmp-server community ILMI RW
>
> If an error is displayed, then this workaround cannot be
> applied to the device. Use the default workarounds
> presented in the first item above.
>
> 3. Since this configuration will not survive a system reload,
> the command must be re-entered after every restart of the
> system.
>
> If the command in item 2 above did not generate an error and ATM
> is not needed on this device, then this workaround is complete.
>
> D. For affected releases of IOS 11.2 through 11.3(8) THAT REQUIRE
> ATM:
>
> This workaround will allow ILMI to continue to function for ATM
> while constraining who may reconfigure the device by way of the
> ILMI community string:
>
> 1. Create a simple ACL to deny access using the following
> command. If "66" is already in use, choose a different
> two-digit number:
>
> access-list 66 deny any
>
> 2. Apply it generally to the ILMI community to restrict its
> view:
>
> snmp community ILMI view *ilmi RW 66
>
> An error will be reported if the *ilmi view doesn't exist.
> If that occurs, then use the following command to
> explicitly restrict the ILMI view:
>
> snmp community ILMI RW 66
>
> If the preceding command produces persistent errors, then
> this workaround cannot be applied to this device. Use the
> default workarounds presented in the first item above.
>
> E. For affected releases of IOS 11.3(9) through 12.0(2)T NOT
> REQUIRING ATM:
>
> All versions of IOS in this range will accept this workaround,
> and the change will remain in place after a system reload.
>
> 1. Expose the undocumented ILMI community string so it can be
> modified:
>
> snmp-server community ILMI RW
>
> The preceding command may cause an error that can be safely
> ignored.
>
> 2. Disable read-write capability for the same community:
>
> no snmp-server community ILMI RW
>
> If an error is displayed, then this workaround cannot be
> applied to the device. Stop this procedure and use the
> default workarounds presented in the first item above.
>
> F. For affected releases of IOS 11.3(9) through 12.0(2)T THAT
> REQUIRE ATM:
>
> This workaround will allow ILMI to continue to function for ATM
> while constraining who may reconfigure the device by way of the
> ILMI community string:
>
> 1. Create a simple ACL to deny access using the following
> command. If "66" is already in use, choose a different
> two-digit number:
>
> access-list 66 deny any
>
> 2. Apply it generally to the ILMI community to restrict its
> view:
>
> snmp community ILMI view *ilmi RW 66
>
> An error will be reported if the *ilmi view doesn't exist.
> If that occurs, then use the following command to
> explicitly restrict the ILMI view:
>
> snmp community ILMI RW 66
>
> If the preceding command produces persistent errors, then
> this workaround cannot be applied to this device. Use the
> default workaround presented in the first item above.
>
> G. For affected releases of IOS 12.0(3)T and later:
> These releases of IOS include support for Simple Network
> Management Protocol version 3 (SNMPv3), which is required for
> this workaround.
>
> 1. Confirm the presence of SNMPv3 support by asking the
> console CLI (command-line interpreter) for assistance with
> options to complete the snmp-server command. Enter config
> mode, enter the command shown below, and note the expected
> response:
>
> snmp-server user test test ?
>
> remote Specify a remote SNMP entity to which the user belongs
> v1 user using the v1 security model
> v2c user using the v2c security model
> v3 user using the v3 security model
>
> If the preceding command did not produce the expected
> results, then SNMPv3 is not supported in the release and
> this workaround cannot be applied. Stop this procedure and
> consider applying the default workaround presented above in
> the first item.
>
> Otherwise, if the device responded as expected, continue
> with the following explanation and instructions.
>
> In these IOS releases (12.0(3)T and later), ILMI packets are
> processed by the SNMP engine in the same manner as ordinary IP
> SNMP packets. An access control list or a view applied to the
> ILMI community string will be processed whether the transport is
> ILMI or IP. However, the only types of access control lists that
> can be applied to a community string are via IP access-list
> statements, which when applied, block ALL non-IP packets,
> including ILMI packets. Modifying or deleting the *ilmi view
> will also affect the packets transported by ILMI, so workarounds
> that change the view are equally ineffective at permitting ILMI
> while denying SNMP. In this range of releases, it is not
> possible to apply a workaround that denies IP SNMP packets that
> does not also deny ILMI SNMP packets.
>
> H. For affected releases of IOS 12.0(3)T and later NOT REQUIRING
> ATM:
>
> 1. Expose the undocumented ILMI community string so it can be
> modified:
>
> snmp-server community ILMI RW
>
> The preceding command may cause an error that can be safely
> ignored.
>
> 2. Disable read-write capability for the same community:
>
> no snmp-server community ILMI RW
>
> If an error is displayed, then this workaround cannot be
> applied to the device. Stop this procedure and consider
> using the default workaround.
>
> I. For affected releases of IOS 12.0(3)T and later THAT REQUIRE
> ATM:
>
> NOTE: This section also applies to 12.0-based ATM switch
> software such as for the LS1010 and the 8500 series.
>
> The only effective workaround for systems in this category is
> the default workaround:
>
> 1. Applying access lists to all the interfaces of the
> vulnerable device blocking SNMP from all hosts but those
> authorized to manage the devices.
>
> 2. Blocking SNMP access at the edge of the network to prevent
> undesirable SNMP traffic from entering the network
> containing the vulnerable device.
>
> Access lists should be deployed with careful consideration of
> the possible effects on network operation and performance. Also
> note that authentication based on an IP source address is weak,
> so the preceding method will not protect against certain types
> of attacks in which the IP source address has been spoofed.
> In this range of releases it is not possible to block IP SNMP
> packets while permitting ILMI SNMP packets. The alternative
> workarounds presented previously will almost certainly cause a
> failure of ATM ILMI communications resulting in a loss of ATM
> connectivity, either immediately upon configuration, or
> unexpectedly at some later time. Either use the default
> workaround or upgrade to fixed software.
>
>Exploitation and Public Announcements
>
> This vulnerability is known to the engineering staff of several
> Cisco customers. Cisco considers it known to the public prior to the
> publication of this notice.
>
> Cisco is aware of one recent incident involving the unauthorized
> modification of a router that appears to have resulted from this
> vulnerability. However, it may have been the unintended side-effect
> of a test of the vulnerability.
>
> Cisco is not aware of any available tools specifically designed to
> make use of this vulnerability. However, various off-the-shelf
> network management programs could easily be used to test for this
> vulnerability and to exploit it. Certain widely-available programs
> known to the cracker community could be modified by any reasonably
> competent programmer to automate the abuse of this vulnerability.
>
> Cisco is not aware of any general public discussion of this
> vulnerability other than the exceptions previously noted.
>
>Status of This Notice: INTERIM
>
> This is an interim security advisory. Cisco anticipates issuing
> updated versions of this notice at irregular intervals as there are
> material changes in the facts, and will continue to update this
> notice as necessary. The reader is warned that this notice may
> contain inaccurate or incomplete information. Although Cisco cannot
> guarantee the accuracy of all statements in this notice, all of the
> facts have been checked to the best of our ability. Cisco
> anticipates issuing monthly updates of this notice until it reaches
> FINAL status.
>
> A standalone copy or paraphrase of the text of this security
> advisory that omits the distribution URL in the following section is
> an uncontrolled copy, and may lack important information or contain
> factual errors.
>
>Distribution
>
> This notice will be posted at
> http://www.cisco.com/warp/public/707/ios-snmp-ilmi-vuln-pub.shtml.
>
> In addition to Worldwide Web posting, a text version of this notice
> will be clear-signed with the Cisco PSIRT PGP key and will be posted
> to the following e-mail and Usenet news recipients:
>
> * cust-security-announce(a)cisco.com
>
> * bugtraq(a)securityfocus.com
>
> * firewalls(a)lists.gnac.com
>
> * first-teams(a)first.org (including CERT/CC)
>
> * cisco(a)spot.colorado.edu
>
> * cisco-nsp(a)puck.nether.net
>
> * comp.dcom.sys.cisco
>
> * Various internal Cisco mailing lists
>
> Future updates of this notice, if any, will be placed on Cisco's
> Worldwide Web server, but may or may not be actively announced on
> mailing lists or newsgroups. Users concerned about this problem are
> encouraged to check the URL given above for any updates.
>
>Revision History
>
> Revision 1.0 2001-Feb-27 First interim public version
>
>Cisco Product Security Incident Procedures
>
> Instructions for reporting product security vulnerabilities in Cisco
> products, obtaining assistance with customer security incidents, and
> registering to receive security information from Cisco can be found
> at http://www.cisco.com/warp/public/707/sec_incident_response.shtml,
> including instructions for press inquiries regarding Cisco
> Security Advisories.
> _______________________________________________________________
>
> Copyright 2001 by Cisco Systems, Inc. This notice may be
> redistributed freely after the release date given at the top of the
> text, provided that redistributed copies are complete and
> unmodified, and include all date and version information.
> _______________________________________________________________
>
--
\_ Roger De Salis Cisco Systems NZ Ltd
</' +64 25 481 452 L8, ASB Tower, 2 Hunter St
/) +64 4 496 9003 Wellington, New Zealand
(/ roger(a)desalis.gen.nz rdesalis(a)cisco.com
`
---------
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz
where the body of your message reads:
unsubscribe nznog
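The "show version" check in the advisory's Affected Products section and the release ranges its Workarounds section uses (sections A to I) can be turned into a triage routine for a fleet of devices. This is an added example, not the advisory's or Cisco's code; it assumes releases compare on (major, minor, maintenance) only and that a "c2500-" image prefix is the model 2500 the advisory's own example treats as excluded.

```python
"""Triage helper for the IOS "ILMI" community string advisory (CSCdp11863).

Added example, not the advisory's or Cisco's code.  It reads the release and
image name out of "show version" output and maps them onto the release ranges
the advisory uses for its workaround sections A to I.  Assumptions (mine):
ranges compare on (major, minor, maintenance) only, so the train letter of
12.0(3)T and the rebuild letter of 11.0(22a) are shown but never reorder a
release; and a "c2500-" image is the model 2500 the advisory's example excludes.
"""
import re
from typing import NamedTuple, Optional, Tuple

class IosRelease(NamedTuple):
    major: int
    minor: int
    maint: int
    rebuild: str  # "a" in 11.0(22a), "" if none
    train: str    # "T" in 12.0(3)T, "" for a mainline release

    def key(self) -> Tuple[int, int, int]:
        return (self.major, self.minor, self.maint)

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}({self.maint}{self.rebuild}){self.train}"

class Triage(NamedTuple):
    release: str
    image: str
    status: str   # "not_affected", "not_vulnerable" or "affected_range"
    section: str  # advisory workaround section that applies, "" if none
    note: str

# Images the advisory lists as not vulnerable on otherwise affected platforms.
NOT_VULNERABLE_IMAGES = {
    "c2600-c-mz", "c2600-d-mz", "c2600-i-mz", "c2600-io3-mz", "c2600-ix-mz",
    "c3620-d-mz", "c3620-i-mz", "c3620-io3-mz", "c3620-ix-mz", "c3640-d-mz",
    "c3640-i-mz", "c3640-io3-mz", "c3640-ix-mz", "c3660-d-mz", "c3660-i-mz",
    "c3660-ix-mz", "mc3810-i-mz", "mc3810-is-mz", "mc3810-is56i-mz", "mc3810-js-mz",
}
# IOS identifies itself with one of these strings; other Cisco software does not.
_IOS_BANNER = ("Internetwork Operating System Software", "IOS (tm)")
_IMAGE_RE = re.compile(r"\(([A-Za-z0-9-]+)\),\s*Version")
_VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Za-z0-9]*)")

def parse_show_version(text: str) -> Optional[Tuple[IosRelease, str]]:
    """Return (release, lower-cased image name), or None when this is not IOS."""
    if not any(marker in text for marker in _IOS_BANNER):
        return None
    m = _VERSION_RE.search(text)
    if not m:
        return None
    img = _IMAGE_RE.search(text)
    release = IosRelease(int(m[1]), int(m[2]), int(m[3]), m[4], m[5])
    return release, (img[1].lower() if img else "")

def triage(text: str, requires_atm: bool) -> Optional[Triage]:
    """Map one device's "show version" output onto the advisory's sections."""
    parsed = parse_show_version(text)
    if parsed is None:
        return None
    rel, image = parsed
    k = rel.key()

    def done(status: str, section: str, note: str) -> Triage:
        return Triage(str(rel), image, status, section, note)

    if image in NOT_VULNERABLE_IMAGES or image.startswith("c2500-"):
        return done("not_vulnerable", "", "image is listed as not vulnerable")
    if k < (11, 0, 0):
        return done("not_affected", "", "10.3 and earlier do not contain the defect")
    if k >= (12, 1, 0):
        return done("not_vulnerable", "", "12.1 and later releases are repaired")
    # 11.0 through 12.0: the defect is present unless this train already carries
    # the fix, so the release must still be compared with the fixed-release table.
    if k < (11, 1, 0):
        section = "A"                           # 11.0: only the default ACL workaround
    elif k < (11, 2, 0):
        section = "B"                           # 11.1: remove the *ilmi view (lost on reload)
    elif k <= (11, 3, 8):
        section = "D" if requires_atm else "C"  # 11.2 to 11.3(8): not persistent
    elif k <= (12, 0, 2):
        section = "F" if requires_atm else "E"  # 11.3(9) to 12.0(2)T: persistent
    else:
        section = "I" if requires_atm else "H"  # 12.0(3)T+: confirm SNMPv3 first (G)
    return done("affected_range", section,
                "compare with the fixed-release table, else apply section " + section)

# The advisory's own example (a 2500 on 12.0(3)) and a constructed 7200 banner
# that is a sample, not output captured from a real device.
ADVISORY_EXAMPLE = ("Cisco Internetwork Operating System Software IOS (tm)\n"
                    "2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE\n")
CONSTRUCTED_7200 = ("Cisco Internetwork Operating System Software\n"
                    "IOS (tm) 7200 Software (C7200-JS-MZ), Version 12.0(3)T, "
                    "RELEASE SOFTWARE (fc1)\n")

if __name__ == "__main__":
    for banner in (ADVISORY_EXAMPLE, CONSTRUCTED_7200):
        print(triage(banner, requires_atm=False), triage(banner, requires_atm=True))
```

The result only says which section of the advisory applies; a release in the affected range still has to be compared against the fixed-release table before deciding between an upgrade and a workaround.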
More details below.
-----Original Message-----
From: "James A. T. Rice" <jamesr(a)rd.bbc.co.uk>
Date: Tue, 27 Feb 2001 01:46:37 +0000 (GMT)
Subject: Re: Warning: Cisco RW community backdoor.
To: <members(a)lonap.net>, , , <ops(a)linx.net>
Just a couple of things to note,
I've been asked what the backdoor is, if it's the community "ILMI" or if
that was just an example, the answer is yes - "ILMI" is the backdoor
which gives read-write access to parts of the SNMP base.
It looks like parts of my earlier email are somewhat misleading, the ILMI
community appears to only allow RW access to the system object and
possibly some more objects. It's not a 'standard' open RW community. Hence
the damage caused by this backdoor is limited. There is still some write
access however, so the fix mentioned below is still highly recommended.
And of course - it allows people to read what IOS/model cisco you have,
which could be used to find exploitable bugs in that particular release.
Oh I wonder what the chances of having a router stolen due to discovery of
system.sysLocation is! :-)
Warm Regards
James
--
James A. T. Rice | Email: jamesr(a)rd.bbc.co.uk
Internet Operations Engineer | Phone: 01737 839 737
BBC Internet Services, Kingswood Warren, Tadworth, Surrey, UK.
On Tue, 27 Feb 2001, it was written:
> If your router responds to `snmpwalk router.isp.net.uk ILMI`, you
> probably will want to do the following to disable it:
> conf t
> snmp-server community ILMI RO 99
> access-list 99 deny any log
> (pick another spare access-list if 99 isn't available)
>
> If you don't, assuming your ios/hardware combination supports it,
> (most of the bigger routers do) anyone can do things like:
> `snmpset router.isp.net.uk ILMI system.sysName.0 s \
> "ALL YOUR ROUTER ARE BELONG TO US."`
> That's a harmless example. You can do almost anything with RW snmp.
>
> Warm Regards
> James
>
> --
> James A. T. Rice | Email: jamesr(a)rd.bbc.co.uk
> Internet Operations Engineer | Phone: 01737 839 737
> BBC Internet Services, Kingswood Warren, Tadworth, Surrey, UK.
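Both the fix in the post above (the ILMI community pinned to a deny-any access list) and sections C to F of the advisory leave a visible trace in the running configuration, so the state can be audited from a saved config. The following is an added example, not the advisory's, Cisco's, or the poster's code; it assumes the community line syntax "snmp-server community <name> [view <view>] [RO|RW] [<acl>]" and standard "access-list <n> permit|deny <source> ..." entries, as both texts write them.

```python
"""Running-config check for the "ILMI" community workarounds.

Added example; it is not from the advisory, from Cisco, or from the list post
above.  Given IOS running-config text it reports whether the "ILMI" community
is still exposed in the ways those texts describe: no explicit community line
at all (the undocumented default may still answer), read-write with no access
list, an access list that is referenced but never defined, or one that
permits any source.  Assumption (mine): the line syntax is
"snmp-server community <name> [view <view>] [RO|RW] [<acl>]" and standard
ACL entries are "access-list <n> permit|deny <source> ...", as both texts
write them (the advisory abbreviates "snmp-server" to "snmp" in places).
"""
import re
from typing import Dict, List, NamedTuple, Tuple

class Community(NamedTuple):
    name: str
    view: str   # "*ilmi" in the advisory's section D, "" if no view is set
    mode: str   # "RO" or "RW"; IOS treats an omitted mode as RO
    acl: str    # standard access-list number, "" if none

# The advisory writes both "snmp-server community" and "snmp community".
_COMMUNITY_RE = re.compile(
    r"^\s*snmp(?:-server)? community (\S+)(?: view (\S+))?(?: (RO|RW))?(?: (\d+))?\s*$",
    re.IGNORECASE)
_ACL_RE = re.compile(r"^\s*access-list (\d+) (permit|deny)\s+(.*)$", re.IGNORECASE)

def parse_config(config: str) -> Tuple[List[Community], Dict[str, List[Tuple[str, str]]]]:
    """Collect community lines and standard ACL entries as (action, rest)."""
    communities: List[Community] = []
    acls: Dict[str, List[Tuple[str, str]]] = {}
    for line in config.splitlines():
        m = _COMMUNITY_RE.match(line)
        if m:
            communities.append(
                Community(m[1], m[2] or "", (m[3] or "RO").upper(), m[4] or ""))
            continue
        m = _ACL_RE.match(line)
        if m:
            acls.setdefault(m[1], []).append((m[2].lower(), m[3].lower()))
    return communities, acls

def _permits_any(entries: List[Tuple[str, str]]) -> bool:
    """True if any entry permits every source ("any" or the 0.0.0.0 wildcard)."""
    return any(action == "permit" and
               (rest.split()[:1] == ["any"] or rest.startswith("0.0.0.0 255.255.255.255"))
               for action, rest in entries)

def check_ilmi(config: str) -> List[str]:
    """Return findings; an empty list means the ILMI community is pinned down."""
    communities, acls = parse_config(config)
    ilmi = [c for c in communities if c.name == "ILMI"]
    if not ilmi:
        return ["WARN: no 'snmp-server community ILMI' line; on an affected 11.x/12.0 "
                "release the undocumented community may still answer"]
    findings: List[str] = []
    for c in ilmi:
        if not c.acl:
            findings.append(f"WARN: community ILMI is {c.mode} with no access list")
        elif c.acl not in acls:
            findings.append(f"WARN: community ILMI references access-list {c.acl}, "
                            "which is not defined")
        elif _permits_any(acls[c.acl]):
            findings.append(f"WARN: access-list {c.acl} on community ILMI permits any source")
        elif any(action == "permit" for action, _ in acls[c.acl]):
            # Allowed by the advisory's default workaround, which carries this caveat.
            findings.append(f"INFO: community ILMI is {c.mode} for the sources permitted by "
                            f"access-list {c.acl}; source-address checks do not stop spoofing")
    return findings

# Constructed sample configs (not from the page): the advisory's section D
# workaround applied, and a config where the community is still wide open.
HARDENED_CONFIG = """\
hostname atm-edge-1
access-list 66 deny any
snmp-server community ILMI view *ilmi RW 66
snmp-server community public RO 10
access-list 10 permit 192.0.2.5
"""
OPEN_CONFIG = """\
hostname atm-edge-2
snmp-server community ILMI RW
"""

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("open", OPEN_CONFIG)):
        print(label, check_ilmi(cfg) or ["OK"])
```

The check is only meaningful on an affected 11.x/12.0 release, where an ILMI community that never appears in the configuration is the undocumented default rather than a sign it is disabled.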
FW: [nsp] Cisco Security Advisory: Cisco IOS Software SNMP Read-Write ILMI Community String Vulnerability
by Barry Raveendran Greene 26 Feb '01
-----Original Message-----
From: nobody(a)cisco.com [mailto:nobody(a)cisco.com]On Behalf Of Cisco
Systems Product Security Incident Response Team
Sent: Tuesday, February 27, 2001 1:00 AM
To: cisco-nsp(a)puck.nether.net
Cc: psirt(a)cisco.com
Subject: [nsp] Cisco Security Advisory: Cisco IOS Software SNMP
Read-Write ILMI Community String Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Cisco Security Advisory:
Cisco IOS Software SNMP Read-Write ILMI Community String Vulnerability
Revision 1.0: INTERIM
For Public Release 2001 February 27 04:00 US/Eastern (UTC+0500)
_______________________________________________________________
Summary
Cisco IOS software releases based on versions 11.x and 12.0 contain
a defect that allows a limited number of SNMP objects to be viewed
and modified without authorization using an undocumented ILMI
community string. Some of the modifiable objects are confined to the
MIB-II system group, such as "sysContact", "sysLocation", and
"sysName", that do not affect the device's normal operation but that
may cause confusion if modified unexpectedly. The remaining objects
are contained in the LAN-EMULATION-CLIENT and PNNI MIBs, and
modification of those objects may affect ATM configuration. An
affected device might be vulnerable to a denial-of-service attack if
it is not protected against unauthorized use of the ILMI community
string.
The vulnerability is only present in certain combinations of IOS
releases on Cisco routers and switches. ILMI is a necessary
component for ATM, and the vulnerability is present in every IOS
release that contains the supporting software for ATM and ILMI
without regard to the actual presence of an ATM interface or the
physical ability of the device to support an ATM connection.
To remove this vulnerability, Cisco is offering free software
upgrades for all affected platforms. The defect is documented in
DDTS record CSCdp11863.
In lieu of a software upgrade, a workaround can be applied to
certain IOS releases by disabling the ILMI community or "*ilmi" view
and applying an access list to prevent unauthorized access to SNMP.
Any affected system, regardless of software release, may be
protected by filtering SNMP traffic at a network perimeter or on
individual devices.
This notice will be posted at
http://www.cisco.com/warp/public/707/ios-snmp-ilmi-vuln-pub.shtml.
Affected Products
The vulnerability is present only in certain releases of Cisco IOS
Software versions 11.x and 12.0 for router and switch products that
include support for Asynchronous Transfer Mode (ATM) networking and
Interim Local Management Interface (ILMI), and it is present without
regard to any physical capability for supporting an ATM interface.
Cisco IOS Software versions based on 10.3 and earlier do not contain
the vulnerability. The defect was introduced in 11.0(0.2). All Cisco
IOS software releases of 12.1 and later have been repaired and are
not vulnerable to the defect described in this advisory.
To determine the software running on a Cisco product, log in to the
device and issue the command "show version" to display the system
banner. Cisco IOS software will identify itself as "Internetwork
Operating System Software" or simply "IOS (tm)". The image name will
be displayed between parentheses, usually on the next line of
output, followed by "Version" and the IOS release name. Other Cisco
devices will not have the "show version" command or will give
different output.
The following example identifies a Cisco product running IOS release
12.0(3) with an installed image name of C2500-IS-L:
Cisco Internetwork Operating System Software IOS (tm)
2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE
The device is not vulnerable to the defect described in this
advisory since the model 2500 router is specifically excluded in the
list of unaffected products shown below.
Cisco devices that may be running an affected IOS software release
include, but are not limited to:
* Cisco 1400 and 1700 series.
* Cisco 2600 (except that c2600-c-mz, c2600-d-mz, c2600-i-mz,
c2600-io3-mz, and c2600-ix-mz images are not vulnerable).
* Catalyst 2900 ATM, 2900XL, and 2948g series.
* Cisco 3620 (except that c3620-d-mz, c3620-i-mz, c3620-io3-mz,
and c3620-ix-mz images are not vulnerable).
* Cisco 3640 (except that c3640-d-mz, c3640-i-mz, c3640-io3-mz,
and c3640-ix-mz images are not vulnerable).
* Cisco 3660 (except that c3660-d-mz, c3660-i-mz, and c3660-ix-mz
images are not vulnerable).
* Cisco MC3810 (except that mc3810-i-mz, mc3810-is-mz,
mc3810-is56i-mz, and mc3810-js-mz images are not vulnerable).
* Catalyst 4232, 4840g, 5000 RSFC series switches.
* Cisco 4500, 4700, and 5800 DSC series.
* Cisco 6200, 6400 NRP, and 6400 NSP series.
* Catalyst MSM (c6msm), 6000 Hybrid Mode (c6msfc), and 6000 Native
Mode (c6sup).
* Cisco RSM, 7000, 7010, 7100, 7200, ubr7200, and 7500 series.
* Catalyst 8510CSR, 8510MSR, 8540CSR, and 8540MSR series.
* Cisco 10000 ESR and 12000 GSR series.
* LS1010 and Cisco 6260-NI2.
* DistributedDirector (except that igs-w3 images are not
vulnerable).
Cisco products that are not affected by this vulnerability either
because they have no support for ATM and ILMI, or because they do
not run IOS include, but are not limited to:
* Catalyst ATM blade (runs possibly affected code, but an SNMP
connection to the blade is not possible).
* Cisco 800 and 805 series.
* Cisco Universal Broadband Routers ubr900 and ubr920.
* Cisco 1003, 1004, and 1005 series.
* Cisco 1600, 2500, 2800, 4000 series.
* Cisco 2500 Fixed Frad.
* Cisco 3800 (not to be confused with MC3810).
* Cisco 5100, 5200, and 5300 series access servers.
* Catalyst 6000 Supervisor Module.
* Cisco PIX Firewall.
* Aironet and Cisco/Aironet wireless products.
* CS11000, Cache Engine, LocalDirector, and network scaling
products (except that the Distributed Director might be
affected).
* VPN products such as Altiga concentrators.
* Host-based network management or access management products.
* Cisco IP Telephony and telephony management software (except
those that are hosted on a vulnerable IOS platform).
* Voice gateways and convergence platforms (except those that are
hosted on a vulnerable IOS platform).
* Optical switch products such as the ONS 15000 series.
Details
ILMI (Interim Local Management Interface) is an independent industry
standard used for configuration of ATM (Asynchronous Transfer Mode)
interfaces. The standard specifies the use of mechanisms and formats
previously defined by SNMP (Simple Network Management Protocol).
Although it is based on SNMP, ILMI communication actually occurs
using a transport other than IP (Internet Protocol) that traverses
only the physical ATM link. ILMI is essential to functions such as
ATM auto-discovery and LANE (LAN Emulation).
SNMP "objects" are variables that are organized into a MIB
(Management Information Base). The MIB has a tree structure and
contains both operational (read-only) data as well as configuration
(read-write) options. By specifying a community string of "ILMI" in
an SNMP request, access can be obtained to read the objects in three
specific parts of the overall management tree structure on any
device affected by this vulnerability: the MIB-II system group, the
LAN-EMULATION-CLIENT MIB, and the PNNI (Private Network-to-Network
Interface) MIB. A subset of objects in each part can be modified
using the same "ILMI" community string.
The MIB-II system group contains basic information about the device
itself. The number of objects that can be modified is limited.
Examples include:
* system.sysContact: The contact information for the person or
organization responsible for managing the device.
* system.sysLocation: A description of the physical location where
the device is installed or operating.
* system.sysName: The hostname of the device, how it identifies
itself at the console prompt. (This might not be the same name
by which the device is known to other hosts on the network.)
Most of the objects in the system MIB are read-only and cannot be
changed via SNMP, such as the time elapsed since the previous
restart and textual descriptions of the device's hardware and
software.
Numerous objects can be viewed in the LAN-EMULATION-CLIENT MIB and
PNNI MIB, and modification of some of the read-write objects can
have an effect on ATM operation of the device. The objects in the
LAN-EMULATION-CLIENT MIB can only be viewed or modified if LANE has
already been configured on the device.
Access to SNMP in Cisco IOS software can be limited by applying
access control lists (ACLs), by modifying or removing the SNMP view,
by removing the community string from the running configuration, or
by disabling the SNMP service. Any SNMP query that does not meet the
criteria for access is promptly discarded when such protective
measures are in place. If a query does meet the criteria for access,
then a response is formulated and sent.
It is possible to configure the device so that the ILMI community
string is unavailable in all IOS 11.1 and higher releases. The
particular method selected to accomplish this depends on the
specific IOS release and configuration.
This defect is documented as CSCdp11863. The vulnerability is
repaired by imposing a test such that an SNMP request using the
"ILMI" community string will only be recognized if it has been
transported by ILMI.
ATM functionality was added in various 10.x releases of Cisco IOS
software. However, the function containing the defect was introduced
when support for ILMI and other ATM features was added in IOS
release 11.0(0.2). Therefore, all prior releases are not vulnerable.
Impact
If SNMP requests can be received by an affected device, then certain
MIB objects can be viewed without proper authorization, causing a
violation of confidentiality.
A subset of the readable MIB objects can be modified without
authorization to cause a failure of integrity. For example, the
hostname can be modified so as to confuse network administrators, or
the contact and location information could be changed with a goal of
disrupting operations or embarrassing whoever is responsible for the
device.
Objects in the LAN-EMULATION-CLIENT and PNNI MIBs can be viewed and
modified, thus resulting in changes to the operation of ATM
functions. If ATM is in use on the device, this may result in a
failure of availability.
Any affected device that is not otherwise protected against the
receipt of SNMP packets is vulnerable to a denial-of-service (DoS)
attack by flooding the SNMP port with read or write requests.
Software Versions and Fixes
The following table summarizes the known affected Cisco IOS software
releases and the earliest estimated dates of availability for fixed
releases. All dates are tentative and subject to change.
Each row of the table describes a release train and the platforms or
products for which it is intended. If a given release train is
vulnerable, then the earliest possible releases that contain the fix
and the anticipated date of availability for each are listed in the
"Rebuild", "Interim", and "Maintenance" columns. If a device is
running an earlier release that is known to be vulnerable, it should
be upgraded to at least the indicated version.
When selecting a release, keep in mind the following definitions:
Maintenance
Most heavily tested and highly recommended release of any
label in a given row of the table.
Rebuild
Constructed from the previous maintenance or major release in
the same train, it contains the fix for a specific defect.
Although it receives less testing, it contains only the
minimal changes necessary to effect the repair.
Interim
Built at regular intervals between maintenance releases and
receive less testing. Interims should be selected only if
there is no other suitable release that addresses the
vulnerability. Interim releases are usually not available for
customer download via CCO without prior arrangement.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear,
contact the Cisco TAC for assistance as shown in the following
section.
More information on IOS release names and abbreviations is available
at http://www.cisco.com/warp/public/620/1.html.
+===========================================================================+
| Train    | Description of    | Availability of Fixed Releases*            |
|          | Image or Platform |                                            |
+===========================================================================+
| 10.3-based Releases and      |            |               |               |
| Earlier                      |  Rebuild   |   Interim**   |  Maintenance  |
+===========================================================================+
| 10.3 and |                   |                                            |
| earlier  |All                |Not affected                                |
+===========================================================================+
| 11.0-based Releases          |  Rebuild   |   Interim**   |  Maintenance  |
+===========================================================================+
|          |                   |11.0(22a)   |               |               |
| 11.0     |Major GD release   |            |               |               |
|          |for all platforms  |2001-Mar-05 |               |               |
+===========================================================================+
| 11.1-based Releases          |  Rebuild   |   Interim**   |  Maintenance  |
+===========================================================================+
|          |                   |11.1(24a)   |               |               |
| 11.1     |Major release for  |            |               |               |
|          |all platforms      |2001-Mar-05 |               |               |
+----------+-------------------+------------+---------------+---------------+
|          |ED release for     |            |               |12.1(7)        |
| 11.1AA   |access servers:    |            |               |               |
|          |1600, 3200, and    |            |               |               |
|          |5200 series.       |            |               |2001-Feb-26    |
+----------+-------------------+------------+---------------+---------------+
|          |Platform-specific  |11.1(36)CA1 |               |               |
| 11.1CA   |support for 7500,  |            |               |               |
|          |7200, 7000, and RSP|2001-Mar-02 |               |               |
+----------+-------------------+------------+---------------+---------------+
|          |ISP train: added   |            |               |               |
|          |support for FIB,   |11.1(36)CC1 |               |               |
| 11.1CC   |CEF, and NetFlow on|            |               |               |
|          |7500, 7200, 7000,  |2001-Mar-02 |               |               |
|          |and RSP            |            |               |               |
+----------+-------------------+------------+---------------+---------------+
|          |Added support for  |12.0(11)ST2 |               |               |
| 11.1CT   |Tag Switching on   |            |               |               |
|          |7500, 7200, 7000,  |            |               |               |
|          |and RSP            |2001-Feb-26 |               |               |
+----------+-------------------+------------+---------------+---------------+
|          |                   |11.1(28)IA1 |               |               |
| 11.1IA   |DistributedDirector|            |               |               |
|          |only               |2001-Feb-26 |               |               |
+===========================================================================+
| 11.2-based Releases          |  Rebuild   |   Interim**   |  Maintenance  |
+===========================================================================+
|          |                   |11.2(25a)   |               |               |
| 11.2     |Major release,     |            |               |               |
|          |general deployment |2001-Mar-05 |               |               |
+----------+-------------------+------------+---------------+---------------+
|          |Platform-specific  |            |               |               |
|          |support for IBM    |            |               |12.1(7)        |
| 11.2BC   |networking, CIP,   |            |               |               |
|          |and TN3270 on 7500,|            |               |2001-Feb-26    |
|          |7000, and RSP      |            |               |               |
+----------+-------------------+------------+---------------+---------------+
|          |Early deployment   |12.0(15)S1  |               |               |
| 11.2GS   |release to support |            |               |               |
|          |12000 GSR          |2001-Feb-20 |               |               |
+----------+-------------------+------------+---------------+---------------+
|          |                   |11.2(25a)P  |               |               |
| 11.2P    |New platform       |            |               |               |
|          |support            |2001-Mar-05 |               |               |
+----------+-------------------+------------+---------------+---------------
+
| | | | |12.1WC
|
| 11.2SA |Catalyst 2900XL | | |
|
| |switch only | | |2001-Apr-12
|
+----------+-------------------+------------+---------------+---------------
+
| | | |
|12.0(10)W5(18c)|
| 11.2WA3 |LS1010 ATM switch | | |
|
| | | | |Available
|
+----------+-------------------+------------+---------------+---------------
+
| | |11.2(25a)P | |
|
|11.2(4)XA |Initial release for| | |
|
| |the 1600 and 3600 |2001-Mar-05 | |
|
+----------+-------------------+------------+---------------+---------------
+
| |Initial release for| | |
|
| |the 5300 and |11.2(9)XA1 | |
|
|11.2(9)XA |digital modem | | |
|
| |support for the |Unscheduled | |
|
| |3600 | | |
|
+===========================================================================
+
| 11.3-based Releases | Rebuild | Interim** | Maintenance
|
+===========================================================================
+
| | |11.3(11b) | |
|
| 11.3 |Major release for | | |
|
| |all platforms |2001-Mar-05 | |
|
+----------+-------------------+------------+---------------+---------------
+
| |ED for dial | | |
|
| |platforms and |11.3(11a)AA | |
|
| 11.3AA |access servers: | | |
|
| |5800, 5200, 5300, |2001-Mar-05 | |
|
| |7200 | | |
|
+----------+-------------------+------------+---------------+---------------
+
| |Early deployment |12.1(5)DA1 | |
|
| 11.3DA |train for ISP DSLAM| | |
|
| |6200 platform |2001-Feb-28 | |
|
+----------+-------------------+------------+---------------+---------------
+
| |Early deployment | | |
|
| |train for |12.1(4)DB1 | |
|
| |ISP/Telco/PTT xDSL | | |
|
| 11.3DB |broadband | | |
|
| |concentrator | | |
|
| |platform, (NRP) for|2001-Feb-26 | |
|
| |6400 | | |
|
+----------+-------------------+------------+---------------+---------------
+
| |Short-lived ED |
|
| 11.3HA |release for ISR |Not Vulnerable
|
| |3300 (SONET/SDH |
|
| |router) |
|
+----------+-------------------+------------+---------------+---------------
+
| | |11.3(1)MA8 | |
|
| 11.3MA |MC3810 | | |
|
| |functionality only |Unscheduled | |
|
+----------+-------------------+------------+---------------+---------------
+
| |Voice over IP, |12.1(7) | |
|
| 11.3NA |media convergence, | | |
|
| |various platforms |2001-Mar-05 | |
|
+----------+-------------------+------------+---------------+---------------
+
| |Early deployment |11.3(11b)T1 | |
|
| 11.3T |major release, | | |
|
| |feature-rich for | | |
|
| |early adopters |2001-Mar-05 | |
|
+----------+-------------------+------------+---------------+---------------
+
| |Multilayer | | |
|
| |Switching and | | |12.0(14)W5(20)
|
| |Multiprotocol over | | |
|
| 11.3WA4 |ATM functionality | | |
|
| |for Catalyst 5000 | | |
|
| |RSM, 4500, 4700, | | |2001-Feb-28
|
| |7200, 7500, LS1010 | | |
|
+----------+-------------------+------------+---------------+---------------
+
| | |11.3(11b)T1 | |
|
|11.3(2)XA |Introduction of | | |
|
| |ubr7246 and 2600 |2001-Mar-05 | |
|
+===========================================================================
+
| 12.0-based Releases | Rebuild | Interim** | Maintenance
|
+===========================================================================
+
| |General deployment | |12.0(7.1) |12.0(16)
|
| 12.0 |release for all | | |
|
| |platforms | |Available |2001-Feb-20
|
+----------+-------------------+------------+---------------+---------------
+
| | | |12.0(7.1)T |
|
| 12.0DA |xDSL support: 6100,| | |
|
| |6200 | |Available |
|
+----------+-------------------+------------+---------------+---------------
+
| |ISP/Telco/PTT xDSL |12.1(4)DB1 | |
|
| 12.0DB |broadband | | |
|
| |concentrator | | |
|
| |platforms |2001-Feb-26 | |
|
+----------+-------------------+------------+---------------+---------------
+
| | |12.1(4)DC2 | |
|
| 12.0DC |6400 Access | | |
|
| |Concentrator |2001-Feb-26 | |
|
+----------+-------------------+------------+---------------+---------------
+
| | |12.0(15)S1 | |
|
| 12.0S |Core/ISP support: | | |
|
| |GSR, RSP, c7200 |2001-Feb-20 | |
|
+----------+-------------------+------------+---------------+---------------
+
| | |12.0(15)SC1 | |
|
| 12.0SC |Cable/broadband | | |
|
| |ISP: ubr7200 |2001-Feb-26 | |
|
+----------+-------------------+------------+---------------+---------------
+
| | |12.0(14)SL1 | |
|
| 12.0SL |10000 ESR: c10k | | |
|
| | |2001-Feb-26 | |
|
+----------+-------------------+------------+---------------+---------------
+
| |General deployment |12.0(11)ST2 | |
|
| 12.0ST |release for all | | |
|
| |platforms |2001-Feb-26 | |
|
+----------+-------------------+------------+---------------+---------------
+
| | |12.1(5c)E8 | |
|
| 12.0SX |Early Deployment | | |
|
| |(ED) |2001-Feb-26 | |
|
+----------+-------------------+------------+---------------+---------------
+
| |Early | | |
|
| |Deployment(ED): | | |12.1(7)
|
| 12.0T |VPN, Distributed | | |
|
| |Director, various | | |2001-Feb-26
|
| |platforms | | |
|
+----------+-------------------+------------+---------------+---------------
+
| |cat8510c, cat8540c,| | |
|
| |ls1010, cat8510m, | |12.0(10)W5(18c)|12.0(14)W5(20)
|
| |cat8540m, c5atm, | | |
|
| |c5atm, c3620, | | |
|
| |c3640, c4500, | | |
|
| 12.0W5 |c5rsfc, c5rsm, | |Available |2001-Feb-28
|
| |c7200, rsp, | | |
|
| |cat2948g, cat4232 | | |
|
|
+-------------------+------------+---------------+---------------+
| | | |12.0(10)W5(18d)|12.0(14)W5(20)
|
| |c6msm | | |
|
| | | |Available |2001-Feb-28
|
+----------+-------------------+------------+---------------+---------------
+
| |General deployment | | |12.0(13)WT6(1)
|
| 12.0WT |release for all | | |
|
| |platforms | | |2001-Feb-20
|
+----------+-------------------+------------+---------------+---------------
+
| |Early Deployment | | |12.1(7)
|
| 12.0XA |(ED): limited | | |
|
| |platforms | | |2001-Feb-26
|
+----------+-------------------+------------+---------------+---------------
+
| | | | |12.1(7)
|
| 12.0XB |Short-lived early | | |
|
| |deployment release | | |2001-Feb-26
|
+----------+-------------------+------------+---------------+---------------
+
| |Early Deployment | | |12.1(7)
|
| 12.0XC |(ED): limited | | |
|
| |platforms | | |2001-Feb-26
|
+----------+-------------------+------------+---------------+---------------
+
| |Early Deployment | | |12.1(7)
|
| 12.0XD |(ED): limited | | |
|
| |platforms | | |2001-Feb-26
|
+----------+-------------------+------------+---------------+---------------
+
| |Early Deployment |12.1(5c)E8 | |
|
| 12.0XE |(ED): limited | | |
|
| |platforms |2001-Feb-26 | |
|
+----------+-------------------+------------+---------------+---------------
+
| |Early Deployment | | |12.1(7)
|
| 12.0XF |(ED): limited | | |
|
| |platforms | | |2001-Feb-26
|
+----------+-------------------+------------+---------------+---------------
+
| |Early Deployment | | |12.1(7)
|
| 12.0XG |(ED): limited | | |
|
| |platforms | | |2001-Feb-26
|
+----------+-------------------+------------+---------------+---------------
+
| |Early Deployment |12.0(4)XH5 | |
|
| 12.0XH |(ED): limited | | |
|
| |platforms |2001-Mar-05 | |
|
+----------+-------------------+------------+---------------+---------------
+
| |Early Deployment | | |12.1(7)
|
| 12.0XI |(ED): limited | | |
|
| |platforms | | |2001-Feb-26
|
+----------+-------------------+------------+---------------+---------------
+
| |Early Deployment | | |12.1(7)
|
| 12.0XJ |(ED): limited | | |
|
| |platforms | | |2001-Feb-26
|
+----------+-------------------+------------+---------------+---------------
+
| |Early Deployment |12.0(7)XK4 | |
|
| 12.0XK |(ED): limited | | |
|
| |platforms |Unscheduled | |
|
+----------+-------------------+------------+---------------+---------------
+
| |Early Deployment |12.0(4)XH5 | |
|
| 12.0XL |(ED): limited | | |
|
| |platforms |2001-Mar-05 | |
|
+----------+-------------------+------------+---------------+---------------
+
| | | | |12.1(7)
|
| 12.0XM |Short-lived early | | |
|
| |deployment release | | |2001-Feb-26
|
+----------+-------------------+------------+---------------+---------------
+
| |Early Deployment | | |
|
| 12.0XN |(ED): limited | | |
|
| |platforms | | |
|
+----------+-------------------+------------+---------------+---------------
+
| |Early Deployment | | |12.1WC
|
| 12.0XP |(ED): limited | | |
|
| |platforms | | |2001-Apr-12
|
+----------+-------------------+------------+---------------+---------------
+
| | | | |12.1(7)
|
| 12.0XQ |Short-lived early | | |
|
| |deployment release | | |2001-Feb-26
|
+----------+-------------------+------------+---------------+---------------
+
| | |12.1(5)T5 | |
|
| 12.0XR |Short-lived early | | |
|
| |deployment release |2001-Mar-05 | |
|
+----------+-------------------+------------+---------------+---------------
+
| | |12.1(5c)E8 | |
|
| 12.0XS |Short-lived early | | |
|
| |deployment release |2001-Feb-26 | |
|
+----------+-------------------+------------+---------------+---------------
+
| |Early Deployment | | |12.1WC
|
| 12.0XU |(ED): limited | | |
|
| |platforms | | |2001-Apr-12
|
+----------+-------------------+------------+---------------+---------------
+
| | |12.1(5)T5 | |
|
| 12.0XV |Short-lived early | | |
|
| |deployment release |2001-Mar-05 | |
|
+===========================================================================
+
|12.1-based and Later Releases | Rebuild | Interim** | Maintenance
|
+===========================================================================
+
| All 12.1 | |
|
| Releases |Various platforms |Not Vulnerable
|
+===========================================================================
+
| Notes
|
+===========================================================================
+
| * All dates are estimated and Subject to change.
|
|
|
|** Interim releases are subjected to less rigorous testing than regular
|
| maintenance releases, and may have serious bugs.
|
+===========================================================================
+
Obtaining Fixed Software
Cisco is offering free software upgrades to remedy this
vulnerability for all affected customers. Customers with service
contracts may upgrade to any software release. Customers without
contracts may upgrade only within a single row of the table above,
except that any available fixed software release will be provided to
any customer who can use it and for whom the standard fixed software
release is not yet available. Customers may install only the feature
sets they have purchased.
Note that not all fixed software may be available as of the release
date of this notice.
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained via Cisco's Software Center at
http://www.cisco.com/.
Customers without contracts or warranty should get their upgrades by
contacting the Cisco Technical Assistance Center (TAC) as shown
below:
* (800) 553-2447 (toll-free in North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including instructions and
e-mail addresses for use in various languages.
Give the URL of this notice as evidence of your entitlement to a
free upgrade. Free upgrades for non-contract customers must be
requested through the TAC. Please do not contact either
"psirt(a)cisco.com" or "security-alert(a)cisco.com" for software
upgrades; faster results will be obtained by contacting the TAC
directly.
Workarounds
Several workarounds are available based on customer needs,
equipment, and software features. The usefulness and practicality of
each workaround depends on the IOS release running on the device and
many variables in the customer's environment. Customers are urged to
consider each of the following alternatives carefully before
deploying. These workarounds are only needed if it is not possible
to upgrade to an unaffected release of IOS software.
A. Default workaround for use with releases for which no other
workarounds are effective:
1. Applying access lists to all the interfaces of the
vulnerable device blocking SNMP from all hosts but those
authorized to manage the devices.
2. Blocking SNMP access at the edge of the network to prevent
undesirable SNMP traffic from entering the network
containing the vulnerable device.
Access lists should be deployed with careful consideration of
the possible effects on network operation and performance. Also
note that authentication based on an IP source address is weak,
so the preceding method will not protect against certain types
of attacks in which the IP source address has been spoofed.
Further information can be found in the Cisco document
"Improving Security on Cisco Routers", available at
http://www.cisco.com/warp/public/707/21.html
B. For affected releases based on IOS 11.1:
1. Remove the view so that the ILMI community cannot be
reached:
no snmp-server view *ilmi
2. This configuration will not survive a system reload. The
command must be re-entered after every restart of the
system.
C. For affected releases of IOS 11.2 through 11.3(8) NOT REQUIRING
ATM:
In this affected range of releases, the ILMI community string
can be modified or deleted. However, the changes will not
persist through a reboot of the device. These instructions must
be re-applied following every system reload of the affected
device:
1. Expose the undocumented ILMI community string so it can be
modified:
snmp-server community ILMI RW
The preceding command may cause an error that can be safely
ignored.
2. Disable read-write capability for the same community:
no snmp-server community ILMI RW
If an error is displayed, then this workaround cannot be
applied to the device. Use the default workarounds
presented in the first item above.
3. Since this configuration will not survive a system reload,
the command must be re-entered after every restart of the
system.
If the command in item 2 above did not generate an error and ATM
is not needed on this device, then this workaround is complete.
D. For affected releases of IOS 11.2 through 11.3(8) THAT REQUIRE
ATM:
This workaround will allow ILMI to continue to function for ATM
while constraining who may reconfigure the device by way of the
ILMI community string:
1. Create a simple ACL to deny access using the following
command. If "66" is already in use, choose a different
two-digit number:
access-list 66 deny any
2. Apply it generally to the ILMI community to restrict its
view:
snmp community ILMI view *ilmi RW 66
An error will be reported if the *ilmi view doesn't exist.
If that occurs, then use the following command to
explicitly restrict the ILMI view:
snmp community ILMI RW 66
If the preceding command produces persistent errors, then
this workaround cannot be applied to this device. Use the
default workarounds presented in the first item above.
E. For affected releases of IOS 11.3(9) through 12.0(2)T NOT
REQUIRING ATM:
All versions of IOS in this range will accept this workaround,
and the change will remain in place after a system reload.
1. Expose the undocumented ILMI community string so it can be
modified:
snmp-server community ILMI RW
The preceding command may cause an error that can be safely
ignored.
2. Disable read-write capability for the same community:
no snmp-server community ILMI RW
If an error is displayed, then this workaround cannot be
applied to the device. Stop this procedure and use the
default workarounds presented in the first item above.
F. For affected releases of IOS 11.3(9) through 12.0(2)T THAT
REQUIRE ATM:
This workaround will allow ILMI to continue to function for ATM
while constraining who may reconfigure the device by way of the
ILMI community string:
1. Create a simple ACL to deny access using the following
command. If "66" is already in use, choose a different
two-digit number:
access-list 66 deny any
2. Apply it generally to the ILMI community to restrict its
view:
snmp community ILMI view *ilmi RW 66
An error will be reported if the *ilmi view doesn't exist.
If that occurs, then use the following command to
explicitly restrict the ILMI view:
snmp community ILMI RW 66
If the preceding command produces persistent errors, then
this workaround cannot be applied to this device. Use the
default workaround presented in the first item above.
G. For affected releases of IOS 12.0(3)T and later:
These releases of IOS include support for Simple Network
Management Protocol version 3 (SNMPv3), which is required for
this workaround.
1. Confirm the presence of SNMPv3 support by asking the
console CLI (command-line interpreter) for assistance with
options to complete the snmp-server command. Enter config
mode, enter the command shown below, and note the expected
response:
snmp-server user test test ?
remote Specify a remote SNMP entity to which the user belongs
v1 user using the v1 security model
v2c user using the v2c security model
v3 user using the v3 security model
If the preceding command did not produce the expected
results, then SNMPv3 is not supported in the release and
this workaround cannot be applied. Stop this procedure and
consider applying the default workaround presented above in
the first item.
Otherwise, if the device responded as expected, continue
with the following explanation and instructions.
In these IOS releases (12.0(3)T and later), ILMI packets are
processed by the SNMP engine in the same manner as ordinary IP
SNMP packets. An access control list or a view applied to the
ILMI community string will be processed whether the transport is
ILMI or IP. However, the only types of access control lists that
can be applied to a community string are via IP access-list
statements, which when applied, block ALL non-IP packets,
including ILMI packets. Modifying or deleting the *ilmi view
will also affect the packets transported by ILMI, so workarounds
that change the view are equally ineffective at permitting ILMI
while denying SNMP. In this range of releases, it is not
possible to apply a workaround that denies IP SNMP packets that
does not also deny ILMI SNMP packets.
H. For affected releases of IOS 12.0(3)T and later NOT REQUIRING
ATM:
1. Expose the undocumented ILMI community string so it can be
modified:
snmp-server community ILMI RW
The preceding command may cause an error that can be safely
ignored.
2. Disable read-write capability for the same community:
no snmp-server community ILMI RW
If an error is displayed, then this workaround cannot be
applied to the device. Stop this procedure and consider
using the default workaround.
I. For affected releases of IOS 12.0(3)T and later THAT REQUIRE
ATM:
NOTE: This section also applies to 12.0-based ATM switch
software such as for the LS1010 and the 8500 series.
The only effective workaround for systems in this category is
the default workaround:
1. Applying access lists to all the interfaces of the
vulnerable device blocking SNMP from all hosts but those
authorized to manage the devices.
2. Blocking SNMP access at the edge of the network to prevent
undesirable SNMP traffic from entering the network
containing the vulnerable device.
Access lists should be deployed with careful consideration of
the possible effects on network operation and performance. Also
note that authentication based on an IP source address is weak,
so the preceding method will not protect against certain types
of attacks in which the IP source address has been spoofed.
In this range of releases it is not possible to block IP SNMP
packets while permitting ILMI SNMP packets. The alternative
workarounds presented previously will almost certainly cause a
failure of ATM ILMI communications resulting in a loss of ATM
connectivity, either immediately upon configuration, or
unexpectedly at some later time. Either use the default
workaround or upgrade to fixed software.
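Workaround A above reduces, for each SNMP community on the device, to two checks: the community is not read-write, and it is bound to an access-list that permits only the hosts authorised to manage the device. The following Python audit is an added example, not part of the advisory and not Cisco code. It reads a running-config excerpt and reports community lines that fall short of the workaround. The syntax it parses (`snmp-server community <string> [view <name>] [RO|RW] [<acl-number>]` and standard numbered `access-list` entries, as used in the workarounds above) is assumed to be complete enough for this purpose; the two sample configurations, the community names and the management network 192.0.2.0/24 are constructed for the example.

```python
"""Audit IOS 'snmp-server community' lines against workaround A.

Added example, not Cisco code. Parses 'snmp-server community' and
standard 'access-list' lines from a config excerpt and reports communities
that are read-write, unrestricted, or reachable from non-management hosts.
"""
import ipaddress
import re

COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>RO|RW))?"
    r"(?: (?P<acl>\d+))?$",
    re.IGNORECASE,
)
ACL_RE = re.compile(
    r"^access-list (?P<num>\d+) (?P<action>permit|deny) (?P<rest>.+)$",
    re.IGNORECASE,
)


def _wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert an IOS wildcard mask (0.0.0.255) to a prefix length (24)."""
    hostbits = int(ipaddress.IPv4Address(wildcard))
    netmask = ~hostbits & 0xFFFFFFFF
    prefixlen = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return prefixlen


def _acl_target(rest: str) -> ipaddress.IPv4Network:
    """Turn the address part of a standard ACL entry into a network."""
    parts = rest.split()
    if parts[-1].lower() == "log":  # trailing 'log' keyword is not an address
        parts = parts[:-1]
    if parts[0].lower() == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if parts[0].lower() == "host":
        return ipaddress.IPv4Network(parts[1] + "/32")
    if len(parts) == 2:  # address followed by a wildcard mask
        return ipaddress.IPv4Network(
            f"{parts[0]}/{_wildcard_to_prefixlen(parts[1])}", strict=False)
    return ipaddress.IPv4Network(parts[0] + "/32")  # bare address = one host


def audit_snmp_config(config: str, management_nets: list) -> list:
    """Return findings (strings); an empty list means workaround A is met."""
    allowed = [ipaddress.IPv4Network(n) for n in management_nets]
    acls = {}  # acl number -> [(action, network), ...] in config order
    communities = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m["num"], []).append(
                (m["action"].lower(), _acl_target(m["rest"])))
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            communities.append(m)

    findings = []
    for m in communities:
        name, acl = m["name"], m["acl"]
        if (m["mode"] or "RO").upper() == "RW":
            findings.append(f"community {name}: read-write access")
        if acl is None:
            findings.append(f"community {name}: no access-list restricts source addresses")
            continue
        entries = acls.get(acl)
        if not entries:
            findings.append(f"community {name}: access-list {acl} is referenced but not defined")
            continue
        for action, net in entries:
            if action == "permit" and not any(net.subnet_of(a) for a in allowed):
                findings.append(f"community {name}: access-list {acl} permits {net}, "
                                "which is outside the management hosts")
    return findings


# Constructed samples: the management stations live in 192.0.2.0/24.
MANAGEMENT_NETS = ["192.0.2.0/24"]

WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
access-list 77 permit any
snmp-server community ops RO 77
"""

# Read-only, bound to a list that permits only management hosts and logs the rest.
HARDENED_CONFIG = """\
access-list 66 permit 192.0.2.10
access-list 66 permit 192.0.2.128 0.0.0.127
access-list 66 deny any log
snmp-server community n0t-public RO 66
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_snmp_config(cfg, MANAGEMENT_NETS) or ["no findings"])
```

The audit only looks at `permit` entries, since the implicit deny at the end of every IOS access-list covers whatever is not permitted; it still cannot see the undocumented ILMI community, which is exactly why the advisory's per-release workarounds B to I exist alongside workaround A.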
Exploitation and Public Announcements
This vulnerability is known to the engineering staff of several
Cisco customers. Cisco considers it known to the public prior to the
publication of this notice.
Cisco is aware of one recent incident involving the unauthorized
modification of a router that appears to have resulted from this
vulnerability. However, it may have been the unintended side-effect
of a test of the vulnerability.
Cisco is not aware of any available tools specifically designed to
make use of this vulnerability. However, various off-the-shelf
network management programs could easily be used to test for this
vulnerability and to exploit it. Certain widely-available programs
known to the cracker community could be modified by any reasonably
competent programmer to automate the abuse of this vulnerability.
Cisco is not aware of any general public discussion of this
vulnerability other than the exceptions previously noted.
Status of This Notice: INTERIM
This is an interim security advisory. Cisco anticipates issuing
updated versions of this notice at irregular intervals as there are
material changes in the facts, and will continue to update this
notice as necessary. The reader is warned that this notice may
contain inaccurate or incomplete information. Although Cisco cannot
guarantee the accuracy of all statements in this notice, all of the
facts have been checked to the best of our ability. Cisco
anticipates issuing monthly updates of this notice until it reaches
FINAL status.
A standalone copy or paraphrase of the text of this security
advisory that omits the distribution URL in the following section is
an uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
This notice will be posted at
http://www.cisco.com/warp/public/707/ios-snmp-ilmi-vuln-pub.shtml.
In addition to Worldwide Web posting, a text version of this notice
will be clear-signed with the Cisco PSIRT PGP key and will be posted
to the following e-mail and Usenet news recipients:
* cust-security-announce(a)cisco.com
* bugtraq(a)securityfocus.com
* firewalls(a)lists.gnac.com
* first-teams(a)first.org (including CERT/CC)
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* comp.dcom.sys.cisco
* Various internal Cisco mailing lists
Future updates of this notice, if any, will be placed on Cisco's
Worldwide Web server, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the URL given above for any updates.
Revision History
Revision 1.0 2001-Feb-27 First interim public version
Cisco Product Security Incident Procedures
Instructions for reporting product security vulnerabilities in Cisco
products, obtaining assistance with customer security incidents, and
registering to receive security information from Cisco can be found
at http://www.cisco.com/warp/public/707/sec_incident_response.shtml,
including instructions for press inquiries regarding Cisco
Security Advisories.
_______________________________________________________________
Copyright 2001 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the
text, provided that redistributed copies are complete and
unmodified, and include all date and version information.
_______________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2
iQEVAwUBOpuPFWiN3BRdFxkbAQEmvAf+Ng5nJtzMpp2Dl/N+ZDp4/4Ul1nqMt89P
IcNr/9AKa/jCMKNE8z20/tql78f0oniJ3YfR2GcoFfgfRCRKEVJ5QvzH3r+8BLA2
9YRsmxg/96aVwMP9gLoh4RiO4+qoTwSZkOBJ/DlZFzM7TG8SjKvgtjqcHWiLH9wx
/YnxrVWg0jmnY9NvsRQSmS4KvKjFXZXaUBzlH8pOcrY9+vScS6ol+HwCiQOynQYn
2sG+KEapKP/ld2iDcHZPjbFfVsKm+iCtMzcroqpA+ND3ezBeNe2yjJXZG9oWUiVR
zLYima8yuU5Mm18b3BoBkM2npf5QP/zRinis9A8d+mlnPemAWVoWug==
=xM8n
-----END PGP SIGNATURE-----
---------
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz
where the body of your message reads:
unsubscribe nznog
26 Feb '01
At 14:44 27/02/2001 +1300, David Robb wrote:
>On Tue, 27 Feb 2001, Chris Wedgwood wrote:
>
> > Unless you have IOS 11.1 where this doesn't work :)
> >
> > "no snmp-server"
>
>11.2 seems to require the same treatment.
I tried the "patch" on IOS 11.2 and 11.3 boxes such as 2500s and 2924
switches. I had to leave out the "log" option on the access list.
Gentlefolks,
Cisco has become aware of an issue with ILMI (and there
is another advisory pending) across several versions of IOS.
Please look at the PSAT pages on www.cisco.com, as info will
be available very shortly with full details.
Rgds Roger De Salis
James A.T. Rice wrote
> It looks like parts of my earlier email are somewhat misleading,
> the ILMI community appears to only allow RW access to the system
> object and possibly some more objects. It's not a 'standard' open
> RW community. Hence the damage caused by this backdoor is limited.
> There is still some write access however, so the fix mentioned
> below is still highly recommended.
>
> And of course - it allows people to read what IOS/model cisco
> you have, which could be used to find exploitable bugs in that
> particular release. Oh I wonder what the chances of having a
> router stolen due to discovery of system.sysLocation is! :-)
>
> Warm Regards
> James
--
\_ Roger De Salis Cisco Systems NZ Ltd
</' +64 25 481 452 L8, ASB Tower, 2 Hunter St
/) +64 4 496 9003 Wellington, New Zealand
(/ roger(a)desalis.gen.nz rdesalis(a)cisco.com
`
----- Forwarded message from "James A. T. Rice" <jamesr(a)rd.bbc.co.uk> -----
Date: Tue, 27 Feb 2001 00:39:38 +0000 (GMT)
From: "James A. T. Rice" <jamesr(a)rd.bbc.co.uk>
X-Sender: <jamesr(a)inet15>
To: <members(a)lonap.net>, <ops(a)linx.net>
Subject: Warning: Cisco RW community backdoor.
Precedence: bulk
If your router responds to `snmpwalk router.isp.net.uk ILMI`, you
probably will want to do the following to disable it:
conf t
snmp-server community ILMI RO 99
access-list 99 deny any log
(pick another spare access-list if 99 isn't available)
If you don't, assuming your ios/hardware combination supports it
(most of the bigger routers do), anyone can do things like:
`snmpset router.isp.net.uk ILMI system.sysName.0 s \
"ALL YOUR ROUTER ARE BELONG TO US."`
That's a harmless example. You can do almost anything with RW snmp.
Warm Regards
James
--
James A. T. Rice | Email: jamesr(a)rd.bbc.co.uk
Internet Operations Engineer | Phone: 01737 839 737
BBC Internet Services, Kingswood Warren, Tadworth, Surrey, UK.
----- End forwarded message -----
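The `deny any log` entry in James's access-list means that, once the workaround is in place, every request presented with the ILMI community is dropped and leaves a trace in syslog. The following Python is an added example, not part of the original post: it summarises such log lines per source address so an operator can see who keeps probing the community. It assumes the hits are logged in the IOS standard-access-list form `%SEC-6-IPACCESSLOGS: list <n> denied <src> <count> packet(s)`, with the first match logged at once and later matches as a periodic count; the syslog excerpt, host name and addresses are constructed.

```python
"""Summarise IOS access-list deny log messages per source address.

Added example (not from the original post). Assumes the standard-ACL
log format "%SEC-6-IPACCESSLOGS: list <n> denied <src> <count> packet(s)".
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\d+) (?P<action>denied|permitted) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<count>\d+) packets?"
)

# Constructed syslog excerpt: list 99 is the 'deny any log' list bound to
# the ILMI community. The first hit from a source is logged immediately,
# later hits arrive as a summarised count; list 10 is some other ACL.
SAMPLE_LOG = """\
Feb 27 00:41:12 rtr1 1234: %SEC-6-IPACCESSLOGS: list 99 denied 198.51.100.7 1 packet
Feb 27 00:46:12 rtr1 1235: %SEC-6-IPACCESSLOGS: list 99 denied 198.51.100.7 12 packets
Feb 27 00:47:03 rtr1 1236: %SEC-6-IPACCESSLOGS: list 99 denied 203.0.113.9 1 packet
Feb 27 00:47:30 rtr1 1237: %SEC-6-IPACCESSLOGS: list 10 denied 203.0.113.9 1 packet
Feb 27 00:48:00 rtr1 1238: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)
"""


def denied_sources(log_text: str, acl_number: int) -> Counter:
    """Packets denied by one access-list, summed per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["acl"] == str(acl_number) and m["action"] == "denied":
            counts[m["src"]] += int(m["count"])
    return counts


def report(log_text: str, acl_number: int, threshold: int = 1) -> list:
    """(source, packets) pairs with at least `threshold` packets, busiest first."""
    counts = denied_sources(log_text, acl_number)
    return [(src, n) for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for src, n in report(SAMPLE_LOG, 99):
        print(f"{src:<16} {n:>5} SNMP requests denied by list 99")
```

Because the ACL denies everyone, any source that appears in this report is either a management station that has not yet been moved to the proper community (fix the station) or an outside host trying the ILMI community (worth a look at the edge filters of workaround A).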