
Cisco IOS and IOS XE Software SNMP Remote Code Execution (RCE)

dissai


Dear Friends,

I'm looking for a solution to resolve the vulnerability on a Cisco ISR4331 router. I have attached the screenshot with details.

 

THREAT:
The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload.
Multiple vulnerabilities are due to a buffer overflow condition in the SNMP subsystem of the affected software. The vulnerabilities affect all versions of SNMP - Versions 1, 2c, and 3.
QID Detection Logic (Authenticated): The check matches Cisco IOS XE version retrieved via Unix Auth.
"Exclude QIDs not exploitable due to configuration" makes use of the "show snmp mib" command to check for vulnerable MIBs on the target.
QID Detection Logic (Unauthenticated): The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.
IMPACT:
A successful exploit could allow the attacker to execute arbitrary code and obtain full control of the affected system or cause the affected system to reload.

 

Kind Regards,

DI

2 Replies

Pulkit Mittal

As per the workaround:

Administrators are advised to allow only trusted users to have SNMP access on an affected system. Administrators are also advised to monitor affected systems by using the show snmp host command in the CLI.

In addition, administrators can mitigate these vulnerabilities by disabling the following MIBs on a device:

  • ADSL-LINE-MIB
  • ALPS-MIB
  • CISCO-ADSL-DMT-LINE-MIB
  • CISCO-BSTUN-MIB
  • CISCO-MAC-AUTH-BYPASS-MIB
  • CISCO-SLB-EXT-MIB
  • CISCO-VOICE-DNIS-MIB
  • CISCO-VOICE-NUMBER-EXPANSION-MIB
  • TN3270E-RT-MIB

To create or update a view entry and disable the affected MIBs, administrators can use the snmp-server view global configuration command, as shown in the following example:

!Standard VIEW and Security Exclusions
snmp-server view NO_BAD_SNMP iso included
snmp-server view NO_BAD_SNMP internet included
snmp-server view NO_BAD_SNMP snmpUsmMIB excluded
snmp-server view NO_BAD_SNMP snmpVacmMIB excluded
snmp-server view NO_BAD_SNMP snmpCommunityMIB excluded
snmp-server view NO_BAD_SNMP ciscoMgmt.252 excluded
!End Standard View

!Advisory Specific Mappings
!ADSL-LINE-MIB
snmp-server view NO_BAD_SNMP transmission.94 excluded

!TN3270E-RT-MIB
snmp-server view NO_BAD_SNMP mib-2.34.9 excluded

!CISCO-BSTUN-MIB
snmp-server view NO_BAD_SNMP ciscoMgmt.35 excluded

!ALPS-MIB
snmp-server view NO_BAD_SNMP ciscoMgmt.95 excluded

!CISCO-ADSL-DMT-LINE-MIB
snmp-server view NO_BAD_SNMP ciscoMgmt.130 excluded

!CISCO-VOICE-DNIS-MIB
snmp-server view NO_BAD_SNMP ciscoMgmt.219 excluded

!CISCO-SLB-EXT-MIB
snmp-server view NO_BAD_SNMP ciscoMgmt.254 excluded

!CISCO-MAC-AUTH-BYPASS-MIB
snmp-server view NO_BAD_SNMP ciscoMabMIB excluded

!CISCO-VOICE-NUMBER-EXPANSION-MIB
snmp-server view NO_BAD_SNMP ciscoExperiment.997 excluded

To then apply this configuration to a community string, administrators can use the following command:

snmp-server community mycomm view NO_BAD_SNMP RO

For SNMP Version 3, administrators can use the following command:

snmp-server group v3group v3 auth read NO_BAD_SNMP write NO_BAD_SNMP
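The workaround only helps if every community string and every SNMPv3 group on the box actually references the hardened view; a view that exists but is not attached to anything changes nothing. The script below is an added example (not from the thread and not Cisco's advisory code) that audits a saved running-config text for exactly that: it parses the `snmp-server view`, `snmp-server community` and `snmp-server group` lines, checks that each referenced view excludes all nine subtrees listed in the reply, and flags any community or group that points at an incomplete view or at no view at all. It assumes the IOS behaviour that a community or group with no named read view falls back to the built-in `v1default` view, and the configuration it runs against is a constructed sample, not a real device's config.

```python
"""Offline audit of an IOS / IOS XE config for the NO_BAD_SNMP-style view workaround.

Added example for this thread; not Cisco's code and not part of the advisory.
"""
import re

# Subtree each MIB is excluded by in the reply above, keyed by MIB name.
ADVISORY_EXCLUSIONS = {
    "ADSL-LINE-MIB": "transmission.94",
    "TN3270E-RT-MIB": "mib-2.34.9",
    "CISCO-BSTUN-MIB": "ciscoMgmt.35",
    "ALPS-MIB": "ciscoMgmt.95",
    "CISCO-ADSL-DMT-LINE-MIB": "ciscoMgmt.130",
    "CISCO-VOICE-DNIS-MIB": "ciscoMgmt.219",
    "CISCO-SLB-EXT-MIB": "ciscoMgmt.254",
    "CISCO-MAC-AUTH-BYPASS-MIB": "ciscoMabMIB",
    "CISCO-VOICE-NUMBER-EXPANSION-MIB": "ciscoExperiment.997",
}

# Assumption: IOS uses this built-in, unrestricted read view when none is named.
DEFAULT_READ_VIEW = "v1default"

VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) (included|excluded)$")
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(.*)$")
GROUP_RE = re.compile(r"^snmp-server group (\S+) (v1|v2c|v3 (?:auth|noauth|priv))(.*)$")


def parse_views(config):
    """Return {view_name: {subtree: 'included' | 'excluded'}} from the config text."""
    views = {}
    for line in config.splitlines():
        m = VIEW_RE.match(line.strip())
        if m:
            name, subtree, action = m.groups()
            views.setdefault(name, {})[subtree] = action
    return views


def missing_exclusions(view_entries):
    """MIBs from the advisory list whose subtree this view does not exclude."""
    return sorted(mib for mib, oid in ADVISORY_EXCLUSIONS.items()
                  if view_entries.get(oid) != "excluded")


def audit(config):
    """Return a list of findings; an empty list means every SNMP entry point is covered."""
    views = parse_views(config)
    hardened = {name for name, entries in views.items() if not missing_exclusions(entries)}
    findings = []

    def check(kind, name, view):
        if view not in hardened:
            findings.append(f"{kind} {name}: view {view or DEFAULT_READ_VIEW} "
                            "does not exclude the advisory MIBs")

    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name, rest = m.groups()
            vm = re.search(r"\bview (\S+)", rest)
            check("community", name, vm.group(1) if vm else None)
            continue
        m = GROUP_RE.match(line)
        if m:
            name, model, rest = m.groups()
            rm = re.search(r"\bread (\S+)", rest)
            # No read view means the built-in default view, i.e. no exclusions at all.
            check("group", f"{name} ({model})", rm.group(1) if rm else None)
            wm = re.search(r"\bwrite (\S+)", rest)
            if wm:
                check("group", f"{name} ({model}) write", wm.group(1))
    return findings


# Constructed sample config: one complete view, one partial view, and a mix of
# community strings and v3 groups that do and do not reference them.
SAMPLE_CONFIG = """\
snmp-server view NO_BAD_SNMP iso included
snmp-server view NO_BAD_SNMP transmission.94 excluded
snmp-server view NO_BAD_SNMP mib-2.34.9 excluded
snmp-server view NO_BAD_SNMP ciscoMgmt.35 excluded
snmp-server view NO_BAD_SNMP ciscoMgmt.95 excluded
snmp-server view NO_BAD_SNMP ciscoMgmt.130 excluded
snmp-server view NO_BAD_SNMP ciscoMgmt.219 excluded
snmp-server view NO_BAD_SNMP ciscoMgmt.254 excluded
snmp-server view NO_BAD_SNMP ciscoMabMIB excluded
snmp-server view NO_BAD_SNMP ciscoExperiment.997 excluded
snmp-server view PARTIAL iso included
snmp-server view PARTIAL transmission.94 excluded
snmp-server community mycomm view NO_BAD_SNMP RO
snmp-server community public RO
snmp-server community legacy view PARTIAL RW
snmp-server group v3group v3 auth read NO_BAD_SNMP write NO_BAD_SNMP
snmp-server group monitor v3 priv
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config | include snmp-server` saved to a file instead of the sample; a clean run returns no findings, while the sample above reports the `public` community (no view), the `legacy` community (a view missing eight of the nine exclusions) and the `monitor` group (no read view, so the default view applies).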