Query regarding SNMP Community String Vulnerability on CatOS

g.mundell
Level 1

Hi all

I need some clarification on Cisco's recommended fix for switches running CatOS which are affected by this bug:

http://www.cisco.com/en/US/products/products_security_advisory09186a00800b13b5.shtml

I've never worked on CatOS devices before, so want to make sure I've got this right (before I finish the document I've been asked to produce to roll out the workaround ;).

As described on the Cisco website, the "vulnerability described in CSCds19674 for CatOS can be remedied by using the 'set snmp view' command to prevent access to the SNMP-VIEW-BASED-ACM-MIB. For example:"

switch#set snmp view defaultUserView 1.3.6.1.6.3.16.1.2 excluded nonvolatile

Now my question is, how does the view get applied to the community string(s)? In IOS I know you use the snmp-server community private view viewname command, but there doesn't appear to be any equivalent in CatOS? Is any view with the name defaultUserView automatically applied to all community strings? Having never worked on CatOS devices I'm a bit out of my depth, so any help appreciated!

Thanks

Graham

2 Replies

steve.busby
Level 5

If you have no other userviews defined, then "defaultUserView" will apply to all read-only queries using your RO community string. If you have other views set up and you do not want them to be able to view the RW community strings, then you'll need to apply this command to all your userviews.

Clear, no?

Easiest option (IMHO) is to upgrade your switch CatOS to a nonaffected version.

Sounds good, thanks for that.

The one thing I don't understand is how other views are applied to a community string? From my reading, CatOS doesn't seem to have an equivalent command to IOS "snmp-server community public view novacm", so how do you specify that view "myview" gets applied to a community string?

And yes I agree that upgrading the CatOS is the best option. It's on the plan, but first we have to get the customer to agree to it!

Thanks for your help.
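
The reply above says the exclusion has to be present in every user view, which is easy to miss across many switches. The following audit script is an added example, not part of the thread and not Cisco code: it reads `set snmp view` lines in the form quoted in the question and lists the views that still expose the 1.3.6.1.6.3.16.1.2 subtree. It assumes view entries carry no subtree mask and that the longest matching subtree decides inclusion; the sample configuration and the view name `opsview` are constructed.

```python
import re
from collections import defaultdict

# Subtree from the workaround command quoted in the thread.
TARGET = (1, 3, 6, 1, 6, 3, 16, 1, 2)
# Assumption: entries have no subtree mask between the OID and the mode.
VIEW_RE = re.compile(r"^\s*set snmp view (\S+) ([\d.]+) (included|excluded)\b")

# Constructed sample, not taken from a real switch.
SAMPLE = """\
set snmp view defaultUserView 1.3.6.1 included nonvolatile
set snmp view defaultUserView 1.3.6.1.6.3.16.1.2 excluded nonvolatile
set snmp view myview 1.3.6.1.2.1 included nonvolatile
set snmp view myview 1.3.6.1.6.3 included nonvolatile
set snmp view opsview 1.3.6.1 included nonvolatile
set snmp view opsview 1.3.6.1.6.3.16 excluded nonvolatile
set snmp view opsview 1.3.6.1.6.3.16.1.2.1 included nonvolatile
"""

def parse_views(config_text):
    """Map view name -> list of (subtree tuple, 'included' | 'excluded')."""
    views = defaultdict(list)
    for line in config_text.splitlines():
        m = VIEW_RE.match(line)
        if m:
            oid = tuple(int(p) for p in m.group(2).strip(".").split("."))
            views[m.group(1)].append((oid, m.group(3)))
    return dict(views)

def is_prefix(prefix, oid):
    return oid[:len(prefix)] == prefix

def view_exposes_target(entries, target=TARGET):
    """True if any part of the target subtree is readable through the view."""
    # The longest entry covering the target decides whether it is in the view.
    covering = [e for e in entries if is_prefix(e[0], target)]
    if covering and max(covering, key=lambda e: len(e[0]))[1] == "included":
        return True
    # A more specific 'included' entry below the target re-opens part of it.
    return any(mode == "included" and len(oid) > len(target)
               and is_prefix(target, oid) for oid, mode in entries)

def audit(config_text):
    """Return the sorted names of views that still expose the target subtree."""
    return sorted(name for name, entries in parse_views(config_text).items()
                  if view_exposes_target(entries))

if __name__ == "__main__":
    print(audit(SAMPLE))
```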