Security Advisory: Cisco IOS Software SNMP Read-Write ILMI Community String Vulnerability

2001-02-28 00:00:00
vulners.com

-----BEGIN PGP SIGNED MESSAGE-----

Cisco Security Advisory:

Cisco IOS Software SNMP Read-Write ILMI Community String
Vulnerability

Revision 1.0: INTERIM

For Public Release 2001 February 27 04:00 US/Eastern (UTC+0500)
_______________________________________________________________

Summary

Cisco IOS software releases based on versions 11.x and 12.0 contain
a defect that allows a limited number of SNMP objects to be viewed
and modified without authorization using an undocumented ILMI
community string. Some of the modifiable objects are confined to the
MIB-II system group, such as "sysContact", "sysLocation", and
"sysName", that do not affect the device's normal operation but that
may cause confusion if modified unexpectedly. The remaining objects
are contained in the LAN-EMULATION-CLIENT and PNNI MIBs, and
modification of those objects may affect ATM configuration. An
affected device might be vulnerable to a denial-of-service attack if
it is not protected against unauthorized use of the ILMI community
string.

The vulnerability is only present in certain combinations of IOS
releases on Cisco routers and switches. ILMI is a necessary
component for ATM, and the vulnerability is present in every IOS
release that contains the supporting software for ATM and ILMI
without regard to the actual presence of an ATM interface or the
physical ability of the device to support an ATM connection.

To remove this vulnerability, Cisco is offering free software
upgrades for all affected platforms. The defect is documented in
DDTS record CSCdp11863.

In lieu of a software upgrade, a workaround can be applied to
certain IOS releases by disabling the ILMI community or "*ilmi" view
and applying an access list to prevent unauthorized access to SNMP.
Any affected system, regardless of software release, may be
protected by filtering SNMP traffic at a network perimeter or on
individual devices.

This notice will be posted at
http://www.cisco.com/warp/public/707/ios-snmp-ilmi-vuln-pub.shtml.

Affected Products

The vulnerability is present only in certain releases of Cisco IOS
Software versions 11.x and 12.0 for router and switch products that
include support for Asynchronous Transfer Mode (ATM) networking and
Interim Local Management Interface (ILMI), and it is present without
regard to any physical capability for supporting an ATM interface.

Cisco IOS Software versions based on 10.3 and earlier do not contain
the vulnerability. The defect was introduced in 11.0(0.2). All Cisco
IOS software releases of 12.1 and later have been repaired and are
not vulnerable to the defect described in this advisory.

To determine the software running on a Cisco product, log in to the
device and issue the command "show version" to display the system
banner. Cisco IOS software will identify itself as "Internetwork
Operating System Software" or simply "IOS (tm)". The image name will
be displayed between parentheses, usually on the next line of
output, followed by "Version" and the IOS release name. Other Cisco
devices will not have the "show version" command or will give
different output.

The following example identifies a Cisco product running IOS release
12.0(3) with an installed image name of C2500-IS-L:

   Cisco Internetwork Operating System Software IOS (tm)
   2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE

The device is not vulnerable to the defect described in this
advisory since the model 2500 router is specifically listed among
the unaffected products shown below.

Cisco devices that may be running an affected IOS software release
include, but are not limited to:

 * Cisco 1400 and 1700 series.

 * Cisco 2600 (except that c2600-c-mz, c2600-d-mz, c2600-i-mz,
   c2600-io3-mz, and c2600-ix-mz images are not vulnerable).

 * Catalyst 2900 ATM, 2900XL, and 2948g series.

 * Cisco 3620 (except that c3620-d-mz, c3620-i-mz, c3620-io3-mz,
   and c3620-ix-mz images are not vulnerable).

 * Cisco 3640 (except that c3640-d-mz, c3640-i-mz, c3640-io3-mz,
   and c3640-ix-mz images are not vulnerable).

 * Cisco 3660 (except that c3660-d-mz, c3660-i-mz, and c3660-ix-mz
   images are not vulnerable).

 * Cisco MC3810 (except that mc3810-i-mz, mc3810-is-mz,
   mc3810-is56i-mz, and mc3810-js-mz images are not vulnerable).

 * Catalyst 4232, 4840g, 5000 RSFC series switches.

 * Cisco 4500, 4700, and 5800 DSC series.

 * Cisco 6200, 6400 NRP, and 6400 NSP series.

 * Catalyst MSM (c6msm), 6000 Hybrid Mode (c6msfc), and 6000 Native
   Mode (c6sup).

 * Cisco RSM, 7000, 7010, 7100, 7200, ubr7200, and 7500 series.

 * Catalyst 8510CSR, 8510MSR, 8540CSR, and 8540MSR series.

 * Cisco 10000 ESR and 12000 GSR series.

 * LS1010 and Cisco 6260-NI2.

 * DistributedDirector (except that igs-w3 images are not
   vulnerable).

Cisco products that are not affected by this vulnerability either
because they have no support for ATM and ILMI, or because they do
not run IOS include, but are not limited to:

 * Catalyst ATM blade (runs possibly affected code, but an SNMP
   connection to the blade is not possible).

 * Cisco 800 and 805 series.

 * Cisco Universal Broadband Routers ubr900 and ubr920.

 * Cisco 1003, 1004, and 1005 series.

 * Cisco 1600, 2500, 2800, 4000 series.

 * Cisco 2500 Fixed Frad.

 * Cisco 3800 (not to be confused with MC3810).

 * Cisco 5100, 5200, and 5300 series access servers.

 * Catalyst 6000 Supervisor Module.

 * Cisco PIX Firewall.

 * Aironet and Cisco/Aironet wireless products.

 * CS11000, Cache Engine, LocalDirector, and network scaling
   products (except that the Distributed Director might be
   affected).

 * VPN products such as Altiga concentrators.

 * Host-based network management or access management products.

 * Cisco IP Telephony and telephony management software (except
   those that are hosted on a vulnerable IOS platform).

 * Voice gateways and convergence platforms (except those that are
   hosted on a vulnerable IOS platform).

 * Optical switch products such as the ONS 15000 series.
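The "show version" triage described above can be scripted for an inventory. The following Python is an added example, not part of Cisco's advisory: it extracts the image name and release from the banner and applies the advisory's stated rules (releases before 11.0(0.2) and 12.1 or later are unaffected, listed images are exempt, listed platforms are unaffected); the image-prefix-to-platform mapping and the non-2500 sample banner are assumptions.

```python
import re

# Matches the banner line that follows "IOS (tm)", e.g.
#   "2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE"
_BANNER_RE = re.compile(r"Software \((?P<image>[^)]+)\), Version "
                        r"(?P<ver>\d+\.\d+\(\d+(?:\.\d+)?\)[A-Za-z0-9]*)")
_VER_RE = re.compile(r"^(\d+)\.(\d+)\((\d+(?:\.\d+)?)\)")

# Images the advisory lists as not vulnerable on otherwise affected platforms.
EXEMPT_IMAGES = {
    "c2600-c-mz", "c2600-d-mz", "c2600-i-mz", "c2600-io3-mz", "c2600-ix-mz",
    "c3620-d-mz", "c3620-i-mz", "c3620-io3-mz", "c3620-ix-mz",
    "c3640-d-mz", "c3640-i-mz", "c3640-io3-mz", "c3640-ix-mz",
    "c3660-d-mz", "c3660-i-mz", "c3660-ix-mz",
    "mc3810-i-mz", "mc3810-is-mz", "mc3810-is56i-mz", "mc3810-js-mz",
}
# Assumption: image-name prefixes of platforms the advisory lists as unaffected
# (no ATM/ILMI support), such as the 2500 in its own example.
UNAFFECTED_PREFIXES = ("c2500-", "c1600-", "c800-", "c4000-")

def parse_version(ver):
    """'12.0(3)' -> (12, 0, (3,)); '11.0(0.2)' -> (11, 0, (0, 2))."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError("unrecognized IOS version: %r" % ver)
    maint = tuple(int(x) for x in m.group(3).split("."))
    return (int(m.group(1)), int(m.group(2)), maint)

def classify(show_version_output):
    """Triage a 'show version' banner against the advisory's stated rules."""
    m = _BANNER_RE.search(show_version_output)
    if m is None:
        return "not-ios"            # other Cisco devices give different output
    image, ver = m.group("image").lower(), parse_version(m.group("ver"))
    if ver < (11, 0, (0, 2)):
        return "not-affected"       # 10.3 and earlier, or before 11.0(0.2)
    if ver >= (12, 1, (0,)):
        return "not-affected"       # 12.1 and later have been repaired
    if image in EXEMPT_IMAGES or image.startswith(UNAFFECTED_PREFIXES):
        return "not-affected"
    return "check-fix-table"        # 11.x or 12.0-based: consult the fix table

# Constructed sample banners (the first is the advisory's own example).
SAMPLES = {
    "c2500": "Cisco Internetwork Operating System Software IOS (tm)\n"
             "2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE",
    "c7200": "Cisco Internetwork Operating System Software IOS (tm)\n"
             "7200 Software (C7200-JS-MZ), Version 12.0(5), RELEASE SOFTWARE",
}
```

A "check-fix-table" result is deliberately not "vulnerable": some 12.0-based rebuilds in the table below already carry the fix, so the release must be compared against that table.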

Details

ILMI (Interim Local Management Interface) is an independent industry
standard used for configuration of ATM (Asynchronous Transfer Mode)
interfaces. The standard specifies the use of mechanisms and formats
previously defined by SNMP (Simple Network Management Protocol).
Although it is based on SNMP, ILMI communication actually occurs
using a transport other than IP (Internet Protocol) that traverses
only the physical ATM link. ILMI is essential to functions such as
ATM auto-discovery and LANE (LAN Emulation).

SNMP "objects" are variables that are organized into a MIB
(Management Information Base). The MIB has a tree structure and
contains both operational (read-only) data as well as configuration
(read-write) options. By specifying a community string of "ILMI" in
an SNMP request, access can be obtained to read the objects in three
specific parts of the overall management tree structure on any
device affected by this vulnerability: the MIB-II system group, the
LAN-EMULATION-CLIENT MIB, and the PNNI (Private Network-to-Network
Interface) MIB. A subset of objects in each part can be modified
using the same "ILMI" community string.

The MIB-II system group contains basic information about the device
itself. The number of objects that can be modified is limited.
Examples include:

 * system.sysContact: The contact information for the person or
   organization responsible for managing the device.

 * system.sysLocation: A description of the physical location where
   the device is installed or operating.

 * system.sysName: The hostname of the device, how it identifies
   itself at the console prompt. (This might not be the same name
   by which the device is known to other hosts on the network.)

Most of the objects in the system MIB are read-only and cannot be
changed via SNMP, such as the time elapsed since the previous
restart and textual descriptions of the device's hardware and
software.

Numerous objects can be viewed in the LAN-EMULATION-CLIENT MIB and
PNNI MIB, and modification of some of the read-write objects can
have an effect on ATM operation of the device. The objects in the
LAN-EMULATION-CLIENT MIB can only be viewed or modified if LANE has
already been configured on the device.

Access to SNMP in Cisco IOS software can be limited by applying
access control lists (ACLs), by modifying or removing the SNMP view,
by removing the community string from the running configuration, or
by disabling the SNMP service. Any SNMP query that does not meet the
criteria for access is promptly discarded when such protective
measures are in place. If a query does meet the criteria for access,
then a response is formulated and sent.

It is possible to configure the device so that the ILMI community
string is unavailable in all IOS 11.1 and higher releases. The
particular method selected to accomplish this depends on the
specific IOS release and configuration.

This defect is documented as CSCdp11863. The vulnerability is
repaired by imposing a test such that an SNMP request using the
"ILMI" community string will only be recognized if it has been
transported by ILMI.
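The fix described above makes IOS honour the "ILMI" community only when the request arrived over ILMI's own ATM-link transport, so any SNMP message carrying that community on the IP side is worth an alert. The following Python is an added example, not Cisco's code: a minimal BER decoder for the SNMPv1/v2c message header (version and community) plus a monitor function run over constructed sample messages; the source addresses and request contents are constructed for the example.

```python
# Minimal BER decoding of an SNMPv1/v2c header (SEQUENCE { INTEGER version,
# OCTET STRING community, PDU }) so SNMP seen on the IP side can be checked
# for the "ILMI" community, which only ILMI's own ATM transport should carry.
def _tlv(buf, pos):
    """Decode one BER tag-length-value at pos: (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def snmp_header(msg):
    """Return (version, community) from a raw SNMPv1 (0) / v2c (1) message."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    vtag, ver, pos = _tlv(body, 0)
    ctag, community, _ = _tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("expected INTEGER version then OCTET STRING community")
    return int.from_bytes(ver, "big", signed=True), community.decode("latin-1")

def ilmi_community_over_ip(records):
    """records: (source, raw SNMP message) pairs captured from UDP/IP.
    Returns sources that presented the ILMI community (exact, case-sensitive
    match); malformed messages are skipped rather than crashing the monitor."""
    hits = []
    for src, msg in records:
        try:
            version, community = snmp_header(msg)
        except (ValueError, IndexError):
            continue
        if community == "ILMI":
            hits.append((src, version))
    return hits

# Constructed sample traffic; short-form BER lengths suffice for these sizes.
def _enc(tag, payload):
    return bytes([tag, len(payload)]) + payload
def build_v1_get(community, oid=b"\x2b\x06\x01\x02\x01\x01\x05\x00"):
    """SNMPv1 GetRequest (0xA0) for sysName.0, OID 1.3.6.1.2.1.1.5.0."""
    varbind = _enc(0x30, _enc(0x06, oid) + _enc(0x05, b""))
    pdu = _enc(0xA0, _enc(0x02, b"\x01") + _enc(0x02, b"\x00")
               + _enc(0x02, b"\x00") + _enc(0x30, varbind))
    return _enc(0x30, _enc(0x02, b"\x00") + _enc(0x04, community.encode()) + pdu)

SAMPLE_RECORDS = [("192.0.2.10", build_v1_get("ILMI")),
                  ("192.0.2.11", build_v1_get("public"))]
```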

ATM functionality was added in various 10.x releases of Cisco IOS
software. However, the function containing the defect was introduced
when support for ILMI and other ATM features was added in IOS
release 11.0(0.2). Therefore, all prior releases are not vulnerable.

Impact

If SNMP requests can be received by an affected device, then certain
MIB objects can be viewed without proper authorization, causing a
violation of confidentiality.

A subset of the readable MIB objects can be modified without
authorization to cause a failure of integrity. For example, the
hostname can be modified so as to confuse network administrators, or
the contact and location information could be changed with a goal of
disrupting operations or embarrassing whoever is responsible for the
device.

Objects in the LAN-EMULATION-CLIENT and PNNI MIBs can be viewed and
modified, thus resulting in changes to the operation of ATM
functions. If ATM is in use on the device, this may result in a
failure of availability.

Any affected device that is not otherwise protected against the
receipt of SNMP packets is vulnerable to a denial-of-service (DoS)
attack by flooding the SNMP port with read or write requests.

Software Versions and Fixes

The following table summarizes the known affected Cisco IOS software
releases and the earliest estimated dates of availability for fixed
releases. All dates are tentative and subject to change.

Each row of the table describes a release train and the platforms or
products for which it is intended. If a given release train is
vulnerable, then the earliest possible releases that contain the fix
and the anticipated date of availability for each are listed in the
"Rebuild", "Interim", and "Maintenance" columns. If a device is
running an earlier release that is known to be vulnerable, it should
be upgraded to at least the indicated version.

When selecting a release, keep in mind the following definitions:

Maintenance
Most heavily tested and highly recommended release of any
label in a given row of the table.

Rebuild
Constructed from the previous maintenance or major release in
the same train, it contains the fix for a specific defect.
Although it receives less testing, it contains only the
minimal changes necessary to effect the repair.

Interim
Built at regular intervals between maintenance releases and
receives less testing. Interims should be selected only if
there is no other suitable release that addresses the
vulnerability. Interim releases are usually not available for
customer download via CCO without prior arrangement.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear,
contact the Cisco TAC for assistance as shown in the following
section.

More information on IOS release names and abbreviations is available
at http://www.cisco.com/warp/public/620/1.html.

Train     | Description of Image or Platform       | Rebuild                  | Interim** | Maintenance
----------+----------------------------------------+--------------------------+-----------+---------------------------
10.3-based Releases and Earlier
10.3 and  | All                                    | Not affected             |           |
earlier   |                                        |                          |           |
----------+----------------------------------------+--------------------------+-----------+---------------------------
11.0-based Releases
11.0      | Major GD release for all platforms     | 11.0(22a), 2001-Mar-05   |           |
----------+----------------------------------------+--------------------------+-----------+---------------------------
11.1-based Releases
11.1      | Major release for all platforms        | 11.1(24a), 2001-Mar-05   |           |
11.1AA    | ED release for access servers: 1600,   |                          |           | 12.1(7), 2001-Feb-26
          | 3200, and 5200 series                  |                          |           |
11.1CA    | Platform-specific support for 7500,    | 11.1(36)CA1, 2001-Mar-02 |           |
          | 7200, 7000, and RSP                    |                          |           |
11.1CC    | ISP train: added support for FIB, CEF, | 11.1(36)CC1, 2001-Mar-02 |           |
          | and NetFlow on 7500, 7200, 7000, and   |                          |           |
          | RSP                                    |                          |           |
11.1CT    | Added support for Tag Switching on     | 12.0(11)ST2, 2001-Feb-26 |           |
          | 7500, 7200, 7000, and RSP              |                          |           |
11.1IA    | DistributedDirector only               | 11.1(28)IA1, 2001-Feb-26 |           |
----------+----------------------------------------+--------------------------+-----------+---------------------------
11.2-based Releases
11.2      | Major release, general deployment      | 11.2(25a), 2001-Mar-05   |           |
11.2BC    | Platform-specific support for IBM      |                          |           | 12.1(7), 2001-Feb-26
          | networking, CIP, and TN3270 on 7500,   |                          |           |
          | 7000, and RSP                          |                          |           |
11.2GS    | Early deployment release to support    | 12.0(15)S1, 2001-Feb-20  |           |
          | 12000 GSR                              |                          |           |
11.2P     | New platform support                   | 11.2(25a)P, 2001-Mar-05  |           |
11.2SA    | Catalyst 2900XL switch only            |                          |           | 12.1WC, 2001-Apr-12
11.2WA3   | LS1010 ATM switch                      |                          |           | 12.0(10)W5(18c), Available
11.2(4)XA | Initial release for the 1600 and 3600  | 11.2(25a)P, 2001-Mar-05  |           |
11.2(9)XA | Initial release for the 5300 and       | 11.2(9)XA1, Unscheduled  |           |
          | digital modem support for the 3600     |                          |           |