Message-ID: <Pine.GSO.4.53.0306071742070.14654@bru-cse-128.cisco.com>
From: itemir at cisco.com (Ilker Temir)
Subject: on topic - cisco snmp
This is in response to the e-mail sent by Lee E. Rian. The original e-mail
is available at
http://lists.netsys.com/pipermail/full-disclosure/2003-June/010153.html
Hello Lee,
Thank you for notifying us about this issue. We have updated the examples at
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00800948e6.shtml
and excluded the MIBs that may create a security exposure.
We are always very interested in vulnerability reports regarding our
products and welcome the chance to work with security researchers. Such
reports should be directly sent to our team at psirt@...co.com or to
security-alert@...co.com for emergency response.
Thank you again,
Regards,
--
Ilker Temir
Incident Manager, PSIRT
Cisco Systems, Inc.
+32 2 704-6031
http://www.cisco.com/go/psirt
On Fri, 6 Jun 2003 lee.e.rian@...sus.gov wrote:
> If you follow Cisco's suggested work-around for "SNMP causes high CPU
> utilization" you might be exposing the write community string.
>
> http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00800948e6.shtml
> has the following instructions:
>
> To avoid performance issues, force the router to prematurely end queries
> for the route table from the network management system server. Configure
> the router to respond with a complete message as soon as it receives the
> start of a request for the route table, as follows:
> snmp-server view cutdown internet included
> snmp-server view cutdown ipRouteTable excluded
> snmp-server view cutdown ipNetToMediaTable excluded
> snmp-server view cutdown at excluded
> snmp-server community public view cutdown RO
> snmp-server community private view cutdown RW
>
> The problem is that the View-based Access Control MIB is now included in
> the read-only view:
> snmpwalk -c public -v 2c c800 vacmAccessWriteViewName
> .iso.org.dod.internet.snmpV2.snmpModules.snmpVacmMIB.vacmMIBObjects.vacmAccessTable.vacmAccessEntry.vacmAccessWriteViewName."public"."".1.noAuthNoPriv =
> .iso.org.dod.internet.snmpV2.snmpModules.snmpVacmMIB.vacmMIBObjects.vacmAccessTable.vacmAccessEntry.vacmAccessWriteViewName."public"."".2.noAuthNoPriv =
> .iso.org.dod.internet.snmpV2.snmpModules.snmpVacmMIB.vacmMIBObjects.vacmAccessTable.vacmAccessEntry.vacmAccessWriteViewName."private"."".1.noAuthNoPriv = cutdown
> .iso.org.dod.internet.snmpV2.snmpModules.snmpVacmMIB.vacmMIBObjects.vacmAccessTable.vacmAccessEntry.vacmAccessWriteViewName."private"."".2.noAuthNoPriv = cutdown
>
> Fix is to remove the Vacm MIB from the view by adding:
> snmp-server view cutdown internet.6.3.16 excluded
>
> c800#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> c800(config)#snmp-server view cutdown internet.6.3.16 excluded
> c800(config)#end
> c800#
>
> snmpwalk -c public -v 2c c800 vacmAccessWriteViewName
> .iso.org.dod.internet.snmpV2.snmpModules.snmpVacmMIB.vacmMIBObjects.vacmAccessTable.vacmAccessEntry.vacmAccessWriteViewName = No more variables left in this MIB View
>
>
> Lee
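The exposure Lee describes comes from how SNMP views resolve an OID: the longest matching subtree wins, so "internet included" silently covers the VACM MIB until a more specific exclude is added. The following audit script is an added example, not code from the thread or from Cisco; it parses IOS-style `snmp-server view` lines, applies the RFC 3415 longest-prefix rule, and reports whether the `cutdown` view exposes `vacmAccessTable` before and after the extra exclude line. The name table, the `audit`/`view_permits` helpers and the probe OIDs are constructed here and assume a standard SNMPv2-SMI/RFC 1213 tree.

```python
import re

# Constructed name table (subset of SNMPv2-SMI / RFC 1213) so "internet.6.3.16" etc. resolve.
WELL_KNOWN = {"internet": "1.3.6.1", "at": "1.3.6.1.2.1.3",
              "ipRouteTable": "1.3.6.1.2.1.4.21", "ipNetToMediaTable": "1.3.6.1.2.1.4.22"}

def to_oid(name):
    """'internet.6.3.16' -> (1, 3, 6, 1, 6, 3, 16); dotted numerics pass through."""
    head, _, rest = name.partition(".")
    base = WELL_KNOWN.get(head, head)
    return tuple(int(x) for x in (base + "." + rest if rest else base).split("."))

def parse_views(config):
    """Collect (subtree, included) families per view from 'snmp-server view' lines."""
    views, pat = {}, re.compile(r"^\s*snmp-server view (\S+) (\S+) (included|excluded)\s*$")
    for line in config.splitlines():
        m = pat.match(line)
        if m:
            views.setdefault(m.group(1), []).append((to_oid(m.group(2)), m.group(3) == "included"))
    return views

def view_permits(families, oid):
    """RFC 3415 rule: the longest matching subtree decides; no match means not in view."""
    best = None
    for subtree, included in families:
        if oid[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]

# Probes: sysDescr (harmless) and vacmAccessTable (holds vacmAccessWriteViewName, i.e. the RW view name).
PROBES = {"sysDescr": to_oid("1.3.6.1.2.1.1.1"), "vacmAccessTable": to_oid("internet.6.3.16.1.4")}

def audit(config, view_name="cutdown"):
    """Return {probe name: visible in the named view?}."""
    families = parse_views(config).get(view_name, [])
    return {name: view_permits(families, oid) for name, oid in PROBES.items()}

# The view from the tech note as quoted in the thread, then with Lee's extra exclude line.
BEFORE = """\
snmp-server view cutdown internet included
snmp-server view cutdown ipRouteTable excluded
snmp-server view cutdown ipNetToMediaTable excluded
snmp-server view cutdown at excluded
"""
AFTER = BEFORE + "snmp-server view cutdown internet.6.3.16 excluded\n"

if __name__ == "__main__":
    print("before:", audit(BEFORE))  # {'sysDescr': True, 'vacmAccessTable': True}
    print("after: ", audit(AFTER))   # {'sysDescr': True, 'vacmAccessTable': False}
```

Run it against a router's `show running-config` output to confirm that every read-only view excludes `internet.6.3.16` (and any other MIB that reveals configuration) before assuming the community split is safe.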