Warning: Cisco RW community backdoor.
It appears that 2500 are not affected.

The fix below doesn't work on 11.1 and 11.2, you have to turn snmp off by the looks.

have fun.

----- Forwarded message from "James A. T. Rice" <jamesr@rd.bbc.co.uk> -----

Date: Tue, 27 Feb 2001 00:39:38 +0000 (GMT)
From: "James A. T. Rice" <jamesr@rd.bbc.co.uk>
X-Sender: <jamesr@inet15>
To: <members@lonap.net>, <ops@linx.net>
Subject: Warning: Cisco RW community backdoor.
Precedence: bulk

If your router responds to `snmpwalk router.isp.net.uk ILMI`, you probably will want to do the following to disable it:

    conf t
    snmp-server community ILMI RO 99
    access-list 99 deny any log

(pick another spare access-list if 99 isn't available)

If you don't, assuming your ios/hardware combination supports it, (most of the bigger routers do) anyone can do things like:

    snmpset router.isp.net.uk ILMI system.sysName.0 s \
        "ALL YOUR ROUTER ARE BELONG TO US."

That's a harmless example. You can do almost anything with RW snmp.

Warm Regards
James

--
James A. T. Rice | Email: jamesr@rd.bbc.co.uk
Internet Operations Engineer | Phone: 01737 839 737
BBC Internet Services, Kingswood Warren, Tadworth, Surrey, UK.

----- End forwarded message -----

---------
To unsubscribe from nznog, send email to majordomo@list.waikato.ac.nz
where the body of your message reads: unsubscribe nznog
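As an added example, not part of Simon's or James's messages: a stand-alone probe that sends the same SNMPv1 GetRequest an `snmpwalk router ILMI` starts with (system.sysName.0 under community ILMI) and decodes the reply, so a list of your own routers can be checked from a box with nothing but Python installed. The BER encoder and decoder are written for this example, the host names are placeholders, and the "reply" used to exercise the decoder is constructed in the block rather than captured from any device. A router that answers at all is the finding; run it only against equipment you are responsible for.

```python
"""Probe routers for a reply to SNMPv1 community "ILMI" (added example, stdlib only)."""
import socket

SYS_NAME_0 = (1, 3, 6, 1, 2, 1, 1, 5, 0)  # system.sysName.0, the object the snmpset in the thread targets
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2    # SNMPv1 PDU tags (RFC 1157)


def _ber_len(n):
    # BER length: short form below 128, else 0x80|count followed by a big-endian length
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(v):
    # INTEGER in minimal two's-complement form (0 encodes as a single zero byte)
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _oid(arcs):
    # OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128 with continuation bits
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def _message(community, pdu_tag, pdu_body):
    # SNMPv1 message: version 0, community string, PDU
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + _tlv(pdu_tag, pdu_body))


def build_get_request(community, oid, request_id):
    """GetRequest for one OID; the varbind carries a NULL placeholder value."""
    varbinds = _tlv(0x30, _tlv(0x30, _oid(oid) + b"\x05\x00"))
    return _message(community, GET_REQUEST, _int(request_id) + _int(0) + _int(0) + varbinds)


def build_get_response(community, oid, value, request_id):
    """GetResponse with one OCTET STRING value; used here only to construct a sample reply."""
    varbinds = _tlv(0x30, _tlv(0x30, _oid(oid) + _tlv(0x04, value.encode())))
    return _message(community, GET_RESPONSE, _int(request_id) + _int(0) + _int(0) + varbinds)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_response(data):
    """Decode a GetResponse into community, request-id, error-status and {oid: value}."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("not a GetResponse PDU")
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _idx, pos = _read_tlv(pdu, pos)
    _, varbinds, _ = _read_tlv(pdu, pos)
    values, pos = {}, 0
    while pos < len(varbinds):
        _, vb, pos = _read_tlv(varbinds, pos)
        _, oid_body, vpos = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, vpos)
        values[_decode_oid(oid_body)] = val.decode("ascii", "replace") if vtag == 0x04 else val
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode("ascii", "replace"),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "values": values}


def probe(host, community="ILMI", port=161, timeout=2.0, request_id=0x1234):
    """Return the parsed reply if `host` answers a GET for sysName.0 under `community`, else None."""
    request = build_get_request(community, SYS_NAME_0, request_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    reply = parse_response(data)
    return reply if reply["request_id"] == request_id else None   # ignore stray datagrams


# Constructed sample reply (not captured from any device): what a router honouring ILMI would send.
SAMPLE_REPLY = build_get_response("ILMI", SYS_NAME_0, "gw1.example.net", 0x1234)

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:   # e.g. python ilmi_probe.py gw1.example.net gw2.example.net
        reply = probe(host)
        print(host, "responds to ILMI:" if reply else "no answer", reply["values"] if reply else "")
```

The request-id check matters on a busy management host: any UDP datagram arriving on the probe socket is otherwise decoded as if it were the answer. A host that does not answer is not proof of safety either; later messages in this thread report routers that stopped answering until a reboot.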
1) Workaround provided by James is incorrect. You need RW not RO.

2) People only have access to the system mib (do a snmpwalk w/ that community to see vulnerable objects). This means someone can a) change router system name, b) location or c) contact.

- Jared

On Tue, Feb 27, 2001 at 02:54:04PM +1300, Simon Lyall wrote:
> It appears that 2500 are not affected.
> The fix below doesn't work on 11.1 and 11.2, you have to turn snmp off by the looks.
> have fun.
> ----- Forwarded message from "James A. T. Rice" <jamesr@rd.bbc.co.uk> -----
> Date: Tue, 27 Feb 2001 00:39:38 +0000 (GMT)
> From: "James A. T. Rice" <jamesr@rd.bbc.co.uk>
> X-Sender: <jamesr@inet15>
> To: <members@lonap.net>, <ops@linx.net>
> Subject: Warning: Cisco RW community backdoor.
> Precedence: bulk
> If your router responds to `snmpwalk router.isp.net.uk ILMI`, you probably will want to do the following to disable it:
>     conf t
>     snmp-server community ILMI RO 99
>     access-list 99 deny any log
> (pick another spare access-list if 99 isn't available)
> If you don't, assuming your ios/hardware combination supports it, (most of the bigger routers do) anyone can do things like:
>     snmpset router.isp.net.uk ILMI system.sysName.0 s \
>         "ALL YOUR ROUTER ARE BELONG TO US."
> That's a harmless example. You can do almost anything with RW snmp.
> Warm Regards
> James
> --
> James A. T. Rice | Email: jamesr@rd.bbc.co.uk
> Internet Operations Engineer | Phone: 01737 839 737
> BBC Internet Services, Kingswood Warren, Tadworth, Surrey, UK.
> ----- End forwarded message -----
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
On Mon, Feb 26, 2001 at 09:06:51PM -0500, Jared Mauch wrote:
> 1) Workaround provided by James is incorrect. You need RW not RO.
No, you only need to specify RO... at least according to the tests I've just run. As I understand it you're overriding a built in community.

--
John Payne http://www.sackheads.org/jpayne/ john@sackheads.org
http://www.sackheads.org/uce/ Fax: +44 870 0547954
To send me mail, use the address in the From: header
I was told by Cisco it should be RW. (To override the builtin one).

I never ran a test w/ RO so was speaking from that data.

If you get some message about the "community/party" exists or something like that, put this in:

    no snmp-server view *ilmi

It doesn't get saved in the config, so if you machine generate your nvram:startup-config, you're ok, if you do not, you will need to re-add it each time you reboot.

- Jared

On Mon, Feb 26, 2001 at 06:43:40PM -0800, John Payne wrote:
> On Mon, Feb 26, 2001 at 09:06:51PM -0500, Jared Mauch wrote:
> > 1) Workaround provided by James is incorrect. You need RW not RO.
> No, you only need to specify RO... at least according to the tests I've just run. As I understand it you're overriding a built in community.
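As an added example, not code from anyone in this thread: a small audit of a Cisco running-config that checks whether the ILMI community has been overridden the way James and Jared describe, and whether the access-list attached to it actually blocks every source. The thread disagrees on RO versus RW; this check accepts either and keys on the ACL, since the ACL is what stops the request. It cannot see `no snmp-server view *ilmi`, which Jared says is not written to the config, so a "hardened" result still deserves a probe on the wire. The config fragments are constructed for the example and the hostname and community strings in them are placeholders.

```python
"""Audit a Cisco IOS running-config for the ILMI community override (added example)."""
import re

# Constructed config fragments for this example; not taken from any real device.
VULNERABLE_CONFIG = """\
hostname gw1
snmp-server community s3cret RO 10
access-list 10 permit 192.0.2.0 0.0.0.255
"""

FIXED_CONFIG = """\
hostname gw1
snmp-server community s3cret RO 10
snmp-server community ILMI RO 99
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 99 deny any log
"""

WEAK_OVERRIDE_CONFIG = """\
hostname gw1
snmp-server community ILMI RO
"""

# Only the plain form used in the thread is parsed; lines with 'view' or 'ipv6' keywords are ignored.
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)\s+(RO|RW)(?:\s+(\S+))?\s*$", re.I)
ACL_RE = re.compile(r"^access-list (\S+)\s+(permit|deny)\s+(.*)$", re.I)


def parse_config(text):
    """Return ({community: {mode, acl}}, {acl: [(action, rest), ...]}) from config text."""
    communities, acls = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            communities[m.group(1).lower()] = {"mode": m.group(2).upper(), "acl": m.group(3)}
            continue
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2).lower(), m.group(3).strip()))
    return communities, acls


def acl_blocks_everything(entries):
    # A standard ACL ends in an implicit deny, so it blocks all sources as soon as it has
    # entries but no permit statement. 'deny any log' additionally logs the probes.
    return bool(entries) and not any(action == "permit" for action, _ in entries)


def audit_ilmi(text):
    """Classify the ILMI handling in a config: exposed, override-without-acl,
    override-acl-permits, or hardened. Returns (status, detail)."""
    communities, acls = parse_config(text)
    entry = communities.get("ilmi")
    if entry is None:
        return "exposed", "no 'snmp-server community ILMI' override; the built-in community may answer"
    if not entry["acl"]:
        return "override-without-acl", f"ILMI overridden as {entry['mode']} but reachable from any source"
    entries = acls.get(entry["acl"], [])
    if not entries:
        return "override-acl-permits", f"access-list {entry['acl']} is referenced but has no entries"
    if acl_blocks_everything(entries):
        return "hardened", f"ILMI overridden as {entry['mode']}; access-list {entry['acl']} denies all sources"
    return "override-acl-permits", f"access-list {entry['acl']} permits some sources"


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("fixed", FIXED_CONFIG),
                      ("weak override", WEAK_OVERRIDE_CONFIG)):
        status, detail = audit_ilmi(cfg)
        print(f"{name:14s} {status:22s} {detail}")
```

The "referenced but has no entries" case is deliberately not reported as hardened: an override that points at an access-list nobody defined gives no evidence that anything is filtered, so it is treated the same as a permissive ACL until someone adds the deny line.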
I tried this on one of our routers and it worked. I put in the snmp filter to stop it, which it did. Then I took the filter off and it still didn't work. Odd.

John
On Mon, 26 Feb 2001, John Kristoff wrote:
> I tried this on one of our routers and it worked. I put in the snmp filter to stop it, which it did. Then I took the filter off and it still didn't work. Odd.
I tested it on both of my GSRs and got responses. Put the filters in, it stopped. Then I took the changes out of my backup router, and like you, didn't get a response. However, after rebooting the router, I do get a response again.

12008 GSRs running 12.0(9)S. No ATM interfaces (just 3 GigE cards ea). And yes, the only tree I could touch was system. Nothing else, read or write.

-j

--
-Jonathan Disher
-Sr. Systems and Network Engineer, Web Operations
-Internet Pictures Corporation, Palo Alto, CA
-[v] (650) 388-0497 | [p] (877) 446-9311 | [e] jdisher@eng.ipix.com
Cursory testing shows 16xx, 17xx, 26xx and 25xx don't seem to respond to it running various revs from 11.x to 12.1.

3640 running 12.0.1T coughs up the info.

3662 running 12.1(3a)T acts really goofy. Had to reboot the router to fix it (test point). CPU at 100%.

At 09:48 PM 2/26/01 -0500, Jared Mauch wrote:
> I was told by Cisco it should be RW. (To override the builtin one).
> I never ran a test w/ RO so was speaking from that data.
> If you get some message about the "community/party" exists or something like that, put this in:
>     no snmp-server view *ilmi
> It doesn't get saved in the config, so if you machine generate your nvram:startup-config, you're ok, if you do not, you will need to re-add it each time you reboot.
> - Jared
> On Mon, Feb 26, 2001 at 06:43:40PM -0800, John Payne wrote:
> > On Mon, Feb 26, 2001 at 09:06:51PM -0500, Jared Mauch wrote:
> > > 1) Workaround provided by James is incorrect. You need RW not RO.
> > No, you only need to specify RO... at least according to the tests I've just run. As I understand it you're overriding a built in community.
==========================================================================
Eric Germann                      Inacom Info Systems
egermann@inacomlima.com           Lima, OH 45801
Ph: 419 331 9050   ICQ: 41927048   Fax: 603 825 5893

"It is so easy to miss pretty trivial solutions to problems deemed complicated. The goal of a scientist is to find an interesting problem, and live off it for a while. The goal of an engineer is to evade interesting problems :)" -- Vadim Antonov <avg@kotovnik.com> on NANOG
Taking Sean's input is confusing. The 3640 doesn't have an ATM interface (running IP Plus though). The 3662 does (T1 IMA Card) and it locks up (refuses logins and spikes a CPU fever).

At 11:30 PM 2/26/01 -0500, Eric Germann wrote:
> Cursory testing shows 16xx, 17xx, 26xx and 25xx don't seem to respond to it running various revs from 11.x to 12.1.
> 3640 running 12.0.1T coughs up the info.
> 3662 running 12.1(3a)T acts really goofy. Had to reboot the router to fix it (test point). CPU at 100%.
I would suspect that only routers capable of supporting ATM interfaces, i.e. 3640 and up, will respond, as ILMI is used for ATM.

-Alexander Kiwerski

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Eric Germann
Sent: Monday, February 26, 2001 8:30 PM
To: Jared Mauch
Cc: nanog@merit.edu
Subject: Re: Warning: Cisco RW community backdoor.

Cursory testing shows 16xx, 17xx, 26xx and 25xx don't seem to respond to it running various revs from 11.x to 12.1.

3640 running 12.0.1T coughs up the info.

3662 running 12.1(3a)T acts really goofy. Had to reboot the router to fix it (test point). CPU at 100%.
I stand corrected, partially, since routers below 36xx support ATM.

-Alex K.

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Alexander Kiwerski
Sent: Tuesday, February 27, 2001 10:50 AM
To: nanog@merit.edu
Subject: RE: Warning: Cisco RW community backdoor.

I would suspect that only routers capable of supporting ATM interfaces, i.e. 3640 and up, will respond, as ILMI is used for ATM.

-Alexander Kiwerski
On Mon, 26 Feb 2001, John Payne wrote:
> No, you only need to specify RO... at least according to the tests I've just run. As I understand it you're overriding a built in community.
Sweet. Yet another VENDOR CREATED problem. Is the fact that we PURCHASE the %^#&*# hardware from them not enough? Do they have to continually insist on putting backdoors into the code? Backdoors that inevitably leak out of their organization?

---
John Fraizer
EnterZone, Inc
participants (9)
- Alexander Kiwerski
- Eric Germann
- Jared Mauch
- John Fraizer
- John Kristoff
- John Payne
- Jonathan Disher
- mike harrison
- Simon Lyall