Cisco Security Advisory: Cisco IOS Software Multiple SNMP Community String Vulnerabilities
Archived copy: SECURITYVULNS:DOC:1339 (vulners.com), 2001-03-01

-----BEGIN PGP SIGNED MESSAGE-----

Cisco Security Advisory: Cisco IOS Software Multiple SNMP Community String
Vulnerabilities

Revision 1.0: INTERIM

For Public Release 2001 February 28 11:00 US/Eastern (UTC-0500)


Summary

Multiple Cisco IOS software and CatOS software releases contain several
independent but related vulnerabilities involving the unexpected creation
and exposure of SNMP community strings. These vulnerabilities can be
exploited to permit the unauthorized viewing or modification of affected
devices.

To remove the vulnerabilities, Cisco is offering free software upgrades for
all affected platforms. The defects are documented in DDTS records
CSCds32217, CSCds16384, CSCds19674, CSCdr59314, CSCdr61016, and CSCds49183.

In addition to specific workarounds for each vulnerability, affected
systems can be protected by preventing SNMP access.

This notice will be posted at
http://www.cisco.com/warp/public/707/ios-snmp-community-vulns-pub.shtml.

Affected Products

The vulnerabilities described in this notice are present in Cisco router
and switch products that are running certain releases of Cisco IOS software
or CatOS software. Only Cisco products running affected releases are
vulnerable. No other Cisco products are affected.

To determine the software running on a Cisco product, log in to the device
and display the system banner with the command "show version". Cisco IOS
software will identify itself as "Internetwork Operating System Software"
or simply "IOS (tm)". The image name will be displayed between parentheses,
usually on the next line of output, followed by "Version" and the IOS
release name. Other Cisco devices will not have the "show version" command
or will give different output.

The following example identifies a Cisco product running IOS release
12.0(3) with an installed image name of C2500-IS-L:

 Cisco Internetwork Operating System Software IOS (tm)
 2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE

To determine if the Cisco product is affected, compare the information
obtained above to the lists of affected platforms and releases shown
below.

Cisco devices that may be running an affected IOS software release include,
but are not limited to:

  • 800, 1000, 1005, 1400, 1600, 1700, 2500, 2600, 3600, MC3810, 4000,
    4500, 4700, 6200, 6400 NRP, 6400 NSP series Cisco routers.
  • ubr900 and ubr920 universal broadband routers.
  • Catalyst 2900 ATM, 2900XL, 2948g, 3500XL, 4232, 4840g, 5000 RSFC
    series switches.
  • 5200, 5300, 5800 series access servers.
  • Catalyst 6000 MSM, 6000 Hybrid Mode, 6000 Native Mode, 6000 Supervisor
    Module, Catalyst ATM Blade.
  • RSM, 7000, 7010, 7100, 7200, ubr7200, 7500, 10000 ESR, and 12000 GSR
    series Cisco routers.
  • DistributedDirector.
  • Catalyst 8510CSR, 8510MSR, 8540CSR, 8540MSR series switches.

Cisco products that do not run Cisco IOS software and are not affected by
the vulnerabilities described in this notice include, but are not limited
to:

  • Cisco PIX firewall.
  • Aironet and Cisco/Aironet wireless products.
  • CSS11000, Cache Engine, and LocalDirector products.
  • VPN products such as the Altiga concentrator.
  • Host-based network management or access management products.
  • Cisco IP Telephony and telephony management software (except those
    that are hosted on a vulnerable IOS platform).
  • Voice gateways and convergence products (except those that are hosted
    on a vulnerable IOS platform).
  • Optical switch products such as the ONS 15000 series.

Details

These vulnerabilities are the result of defects in the functions responsible
for Simple Network Management Protocol (SNMP), an Internet standard for the
remote administration of network devices. SNMP makes use of one or more
labels called "community strings" to delimit groups of "objects" (variables)
that can be viewed or modified on a device. The SNMP data in such a group is
organized in a tree structure called a Management Information Base (MIB). A
single device may have multiple MIBs connected together into one large
structure, and various community strings may provide read-only or read-write
access to different, possibly overlapping portions of the larger data
structure. An example of a read-only variable might be a counter showing the
total number of octets sent or received through an interface. An example of
a read-write variable might be the speed of an interface, or the hostname of
a device.

Community strings also provide a weak form of access control in earlier
versions of SNMP, v1 and v2c. (SNMPv3 provides much improved access control
using strong authentication and should be preferred over SNMPv1 and SNMPv2c
wherever it is supported.) If a community string is defined, then it must be
provided in any basic SNMP query if the requested operation is to be
permitted by the device. Community strings usually allow read-only or
read-write access to the entire device. In some cases, a given community
string will be limited to one group of read-only or read-write objects
described in an individual MIB.

In the absence of additional configuration options to constrain access,
knowledge of the single community string for the device is all that is
required to gain access to all objects, both read-only and read-write, and
to modify any read-write objects. The defects responsible for these
vulnerabilities are grouped here by function:

  1. A read-only community string is unexpectedly added when a "snmp-server
     community" command is entered in the configuration of a device where
     "community" does not already exist on the device as a valid community
     string. If deleted, this community string will reappear after the
     device is reloaded. CSCdr61016 documents the defect in IOS for routers
     and switch-routers and only affects IOS releases 12.0(7)T, 12.1(1)E
     and 12.1(2). CSCds49183 refers to the equivalent defect affecting
     products from the 2900XL and 3500XL series, and only affects IOS
     releases 12.0(5)XU and 12.0(5)XW.

     The defect arises from the implementation of the SNMPv2 "informs"
     functionality, which involves the exchange of read-only community
     strings for the sharing of status information. When an affected device
     processes a command defining a host to receive SNMP "traps" (logging
     messages), such as the "snmp-server host" command, the community
     specified in the trap statement is also configured for general use if
     it is not already defined in the saved configuration. This occurs even
     if the community was previously removed and the configuration was
     saved to memory prior to a system reload.

  2. The read-write community string is exposed when the device is examined
     via a "walk", or traversal, of the View-based Access Control MIB (VACM)
     using the device's read-only community string. View-based Access
     Control is a feature of SNMPv3 added to IOS in version 12.0(3)T.
     CSCds32217 describes the defect in IOS, CSCds16384 applies to IOS
     running on 2900XL and 3500XL switches, and CSCds19674 documents the
     defect in CatOS on Catalyst switches. Most IOS releases in 12.0 (after
     12.0(3)T) as well as most 12.1 releases contain this vulnerability, as
     do 12.0(5.2)XU and 12.0(5)XW for the 2900XL and 3500XL switches, and
     CatOS releases 5.4(1) - 5.5(3) and 6.1(1) for the Catalyst switches.

  3. Implementation of new cable-industry standards for management of cable
     modems introduced an undocumented read-write community string,
     "cable-docsis", which was intended only for DOCSIS-compliant
     cable-capable devices. It was inadvertently enabled by default for all
     devices except DOCSIS-compatible cable modems and head end units in a
     limited range of IOS releases. This defect is documented as CSCdr59314.
     This vulnerability is confined to a very narrow set of IOS releases
     based on 12.1(3) and 12.1(3)T, and it is fixed in 12.1(4) and 12.1(5)T
     releases and following.
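Two conditions behind the first defect described above (CSCdr61016 and
CSCds49183) are visible in the running configuration: a community string
that appears only in an "snmp-server host" statement, which an affected
release silently turns into a general read-only community, and a community
string with no access list limiting where requests may come from, which is
the SNMP-access restriction the Summary recommends as interim protection.
The Python below is an added example, not Cisco's code or a tool from the
advisory. The two IOS configuration fragments, the management-station
address 10.0.0.5 and the community names in them are constructed for it;
the keyword handling for "snmp-server community" and "snmp-server host"
follows the IOS command syntax of that era and is an assumption; audit()
returns one finding per exposure and an empty list for the restricted form.

```python
from typing import Dict, List, Set

# Constructed IOS configuration fragments for this example (not from the
# advisory or from a real device).  WEAK_CONFIG names "nmslab" only as a
# trap community and applies no access list to any community.
WEAK_CONFIG = """\
hostname edge-rtr
!
snmp-server community public RO
snmp-server community private RW
snmp-server host 10.0.0.5 traps version 2c nmslab
snmp-server enable traps snmp
"""

# Restricted form: every community is declared explicitly and bound to an
# access list that admits only the management station.  This narrows who
# can reach SNMP; the software upgrade remains the fix.
RESTRICTED_CONFIG = """\
hostname edge-rtr
!
access-list 90 permit host 10.0.0.5
access-list 90 deny any log
snmp-server community public RO 90
snmp-server community private RW 90
snmp-server community nmslab RO 90
snmp-server host 10.0.0.5 traps version 2c nmslab
snmp-server enable traps snmp
"""

# Keywords that may precede the community string on an "snmp-server host" line.
_HOST_KEYWORDS = {"traps", "informs", "version", "1", "2c", "3", "auth", "noauth", "priv"}


def parse_communities(config: str) -> Dict[str, Dict[str, object]]:
    """Map each 'snmp-server community' string to its mode (RO/RW) and access list."""
    found: Dict[str, Dict[str, object]] = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["snmp-server", "community"] or len(tok) < 3:
            continue
        name, rest = tok[2], tok[3:]
        mode, acl = "RO", None          # IOS treats a community as read-only unless RW is given
        i = 0
        while i < len(rest):
            word = rest[i].lower()
            if word == "view":          # "view <name>" restricts the MIB subtree; skip both tokens
                i += 2
                continue
            if word in ("ro", "rw"):
                mode = word.upper()
            else:
                acl = rest[i]           # any other trailing token is the access-list number or name
            i += 1
        found[name] = {"mode": mode, "acl": acl}
    return found


def parse_host_communities(config: str) -> Set[str]:
    """Community strings named on 'snmp-server host' (trap/inform target) lines."""
    names: Set[str] = set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["snmp-server", "host"] or len(tok) < 4:
            continue
        rest = tok[3:]                  # everything after the host address
        i = 0
        while i < len(rest):
            word = rest[i].lower()
            if word == "udp-port":      # "udp-port <n>" takes an argument
                i += 2
                continue
            if word in _HOST_KEYWORDS:
                i += 1
                continue
            names.add(rest[i])          # first non-keyword token is the community
            break
    return names


def audit(config: str) -> List[str]:
    """Return one finding per exposure the configuration allows; empty when none."""
    findings: List[str] = []
    declared = parse_communities(config)
    for name in sorted(parse_host_communities(config) - set(declared)):
        findings.append(
            f"community '{name}' appears only on an snmp-server host line; on releases "
            f"affected by CSCdr61016/CSCds49183 it becomes an undeclared read-only community"
        )
    for name, info in declared.items():
        if info["acl"] is None:
            findings.append(
                f"{info['mode']} community '{name}' has no access list; SNMP requests are "
                f"accepted from any source address"
            )
    return findings
```

The audit reads text only, so it cannot see a community that an affected
device has already created in memory from an earlier, since-deleted host
statement; it tells you which configurations would cause that to happen on
reload, and which communities are reachable from any address.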

Full details are provided in the software section below regarding the
status of each vulnerability in specific releases.

A separate Cisco Security Advisory has recently been announced regarding an
SNMP vulnerability due to an undocumented default "ILMI" read-write
community string in IOS. That advisory,
http://www.cisco.com/warp/public/707/ios-snmp-ilmi-vuln-pub.shtml, should
be consulted in tandem with this notice.

Impact

Knowledge of read-only community strings allows read access to information
stored on an affected device, leading to a failure of confidentiality.
Knowledge of read-write community strings allows remote configuration of
affected devices without authorization, possibly without the awareness of
the administrators of the device, resulting in a failure of integrity and a
possible failure of availability.

These vulnerabilities could be exploited separately or in combination to
gain access to or modify the configuration and operation of any affected
devices without authorization. Customers are urged to upgrade affected
systems to fixed releases of software, or to apply measures to protect such
systems against unauthorized use by restricting access to SNMP services
until such time as the devices can be upgraded.

Software Versions and Fixes

This security advisory represents a combination of multiple related product
security vulnerabilities. The affected trains and releases are not
identical for all of the defects, but there are significant groups of
releases where affected versions intersect with others. Unless otherwise
noted, each label displayed under "Availability of Fixed Releases"
identifies the release that resolves all of these defects for that specific
train. Please note the following exceptions:

  • IOS software Major Release version 12.0 and IOS releases based on 11.x
    or earlier are not affected by the vulnerabilities described in this
    notice. All other releases of 12.0, such as 12.0DA, 12.0S or 12.0T,
    may be affected.

  • CSCdr59314 is only present in certain 12.1(3) releases and does not
    affect any other IOS releases.

  • Fixes for all six defects have been integrated into 12.2 prior to its
    initial availability, and therefore all releases based on 12.2 and all
    later versions are not vulnerable to the defects described in this
    advisory.

The following table summarizes the IOS software releases that are known to
be affected, and the earliest estimated dates of availability for the
recommended fixed versions. Dates are always tentative and subject to
change.

Each row of the table describes a release train and the platforms or
products for which it is intended. If a given release train is vulnerable,
then the earliest possible releases that contain the fix and the
anticipated date of availability for each are listed in the "Rebuild",
"Interim", and "Maintenance" columns. A device running any release in the
given train that is earlier than the release in a specific column (less
than the earliest fixed release) is known to be vulnerable, and it should
be upgraded at least to the indicated release or a later version (greater
than the earliest fixed release label).
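The following Python is an added example, not code from the Cisco advisory
or from Cisco. It parses a "show version" banner of the form shown under
Affected Products into an image name and a release label, and applies the
reading rule just stated: a device is reported as needing the upgrade when
its release is earlier than the earliest fixed release in the same train.
The release-label grammar, the ordering of rebuilds and interims within one
maintenance number, and the names parse_show_version, parse_release,
is_earlier and needs_upgrade are assumptions made for the example; the
sample banner is constructed after the excerpt quoted in the advisory.

```python
import re
from dataclasses import dataclass
from typing import Tuple

# Constructed "show version" excerpt, modelled on the two lines quoted in the
# advisory (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE (fc1)
"""

# Image name sits in parentheses after "Software"; release follows "Version".
# re.S lets the match span the line break that the advisory's excerpt shows.
_BANNER_RE = re.compile(
    r"IOS \(tm\).*?Software\s+\((?P<image>[^)]+)\),\s+Version\s+(?P<release>[^\s,]+)",
    re.S,
)

# Assumed grammar for the labels used in the advisory's table:
#   major.minor(maint[.interim][rebuild-letter])[TRAIN][rebuild-number]
#   e.g. 12.0(3)  12.0(7)T  12.0(5.2)XU  12.1(5c)E8  12.0(15)S1
_RELEASE_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<maint>\d+)(?:\.(?P<interim>\d+))?(?P<letter>[a-z]?)\)"
    r"(?P<train>[A-Z]*)(?P<rebuild>\d*)$"
)


@dataclass(frozen=True)
class Release:
    label: str
    major: int
    minor: int
    maint: int
    interim: int   # 0 unless the label is an interim build such as 12.0(5.2)XU
    letter: str    # rebuild letter inside the parentheses ("c" in 12.1(5c)E8), or ""
    train: str     # "" for a main-line release such as 12.1(7)
    rebuild: int   # trailing rebuild number (8 in 12.1(5c)E8), or 0

    @property
    def order_key(self) -> Tuple[int, str, int, int]:
        # Ordering inside one train (assumption): maintenance number first,
        # then rebuild letter, interim number and trailing rebuild number.
        return (self.maint, self.letter, self.interim, self.rebuild)


def parse_release(label: str) -> Release:
    m = _RELEASE_RE.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised IOS release label: {label!r}")
    return Release(
        label=label.strip(),
        major=int(m["major"]), minor=int(m["minor"]), maint=int(m["maint"]),
        interim=int(m["interim"] or 0), letter=m["letter"],
        train=m["train"], rebuild=int(m["rebuild"] or 0),
    )


def parse_show_version(text: str) -> Tuple[str, Release]:
    """Return (image name, Release) from IOS 'show version' output."""
    m = _BANNER_RE.search(text)
    if not m:
        raise ValueError("no 'IOS (tm)' banner: device is probably not running IOS")
    return m["image"], parse_release(m["release"])


def is_earlier(running: Release, fixed: Release) -> bool:
    """True when `running` is earlier than the earliest fixed release `fixed`.

    Releases are compared within a train, as the table is read.  Some rows
    migrate to a later major.minor (12.0T -> 12.1(7)), so a lower major.minor
    is always earlier; inside one major.minor the trains must match,
    otherwise the two labels are not comparable.
    """
    if (running.major, running.minor) != (fixed.major, fixed.minor):
        return (running.major, running.minor) < (fixed.major, fixed.minor)
    if running.train != fixed.train:
        raise ValueError(f"{running.label} and {fixed.label} are in different trains")
    return running.order_key < fixed.order_key


def needs_upgrade(show_version_text: str, earliest_fixed: str) -> bool:
    """Apply the table rule to raw 'show version' output."""
    _, running = parse_show_version(show_version_text)
    return is_earlier(running, parse_release(earliest_fixed))
```

Labels from different trains inside one major.minor, such as 12.0(15)S and
12.0(15)ST, are rejected rather than ordered, because the table gives each
train its own fixed release; a rebuild letter and an interim number on the
same maintenance release are ordered by the assumed key above and should be
checked against the table by hand.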

When selecting a release, keep in mind the following definitions:

  Maintenance
      Most heavily tested and highly recommended release of any label in a
      given row of the table.

  Rebuild
      Constructed from the previous maintenance or major release in the
      same train, it contains the fix for a specific defect. Although it
      receives less testing, it contains only the minimal changes necessary
      to effect the repair.

  Interim
      Built at regular intervals between maintenance releases and receives
      less testing. Interims should be selected only if there is no other
      suitable release that addresses the vulnerability, and interim images
      should be upgraded to the next available maintenance release as soon
      as possible. Interim releases are not available via manufacturing,
      and usually they are not available for customer download from CCO
      without prior arrangement with the Cisco TAC.

In all cases, customers should exercise caution to be certain the devices to
be upgraded contain sufficient memory and that current hardware and software
configurations will continue to be supported properly by the new release. If
the information is not clear, contact the Cisco TAC for assistance as shown
in the following section.

More information on IOS release names and abbreviations is available at
http://www.cisco.com/warp/public/620/1.html.

+==========+====================================+==========================+===========+==========================+
| Train    | Description of Image or Platform   | Availability of Fixed Releases*                                 |
|          |                                    | Rebuild                  | Interim** | Maintenance              |
+==========+====================================+==========================+===========+==========================+
  Catalyst Software Releases
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 5.5      |                                    |                          |           | 5.5(3)                   |
|          |                                    |                          |           | Available                |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 6.1      |                                    |                          |           | 6.1(2)                   |
|          |                                    |                          |           | Available                |
+==========+====================================+==========================+===========+==========================+
  11.x-based Releases and Earlier
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 11.x and | Multiple releases and platforms    | Not Vulnerable           |           |                          |
| earlier  |                                    |                          |           |                          |
+==========+====================================+==========================+===========+==========================+
  12.0-based Releases
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0     | General Deployment release for all | Not Vulnerable           |           |                          |
|          | platforms                          |                          |           |                          |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0DA   | xDSL support: 6100, 6200           | 12.1(5)DA1               |           | 12.1(6)DA                |
|          | (vulnerable to CSCds32217)         | 2001-Feb-28              |           | Unscheduled              |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0DB   | General deployment release for all | 12.1(4)DB1               |           |                          |
|          | platforms                          | 2001-Feb-26              |           |                          |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0DC   | General deployment release for all | 12.1(4)DC2               |           |                          |
|          | platforms                          | 2001-Feb-20              |           |                          |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0S    | Core/ISP support: GSR, RSP, c7200  | 12.0(15)S1               |           | 12.0(16)S                |
|          |                                    | 2001-Feb-20              |           | 2001-Mar-12              |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0SC   | Cable/broadband ISP: ubr7200       | 12.0(15)SC1              |           |                          |
|          |                                    | 2001-Feb-26              |           |                          |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0SL   | 10000 ESR: c10k                    | 12.0(14)SL1              |           |                          |
|          |                                    | 2001-Feb-26              |           |                          |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0ST   | General deployment release for all | 12.0(11)ST2              |           | 12.0(15)ST               |
|          | platforms                          | 2001-Feb-26              |           | 2001-Mar-05              |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0SX   | Early Deployment (ED)              | 12.1(5c)E8               |           |                          |
|          |                                    | 2001-Feb-26              |           |                          |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0T    | Early Deployment (ED): VPN,        |                          |           | 12.1(7)                  |
|          | Distributed Director, various      |                          |           | 2001-Feb-26              |
|          | platforms                          |                          |           |                          |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0W5   | Catalyst switches: cat8510c,       | Not Vulnerable           |           |                          |
|          | cat8540c, c6msm, ls1010,           |                          |           |                          |
|          | cat8510m, cat8540m, c5atm,         |                          |           |                          |
|          | c3620, c3640, c4500, c5rsfc,       |                          |           |                          |
|          | c5rsm, c7200, rsp, cat2948g,       |                          |           |                          |
|          | cat4232                            |                          |           |                          |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0WT   | Early deployment release           | Not Vulnerable           |           |                          |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0XA   | Early Deployment (ED): limited     |                          |           | 12.1(7)                  |
|          | platforms                          |                          |           | 2001-Feb-26              |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0XB   | Short-lived early deployment       |                          |           | 12.1(7)                  |
|          | release                            |                          |           | 2001-Feb-26              |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0XC   | Early Deployment (ED): limited     |                          |           | 12.1(7)                  |
|          | platforms                          |                          |           | 2001-Feb-26              |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0XD   | Early Deployment (ED): limited     |                          |           | 12.1(7)                  |
|          | platforms                          |                          |           | 2001-Feb-26              |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0XE   | Early Deployment (ED): limited     | 12.1(5c)E8               |           |                          |
|          | platforms                          | 2001-Feb-26              |           |                          |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0XF   | Early Deployment (ED): limited     |                          |           | 12.1(7)                  |
|          | platforms                          |                          |           | 2001-Feb-26              |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0XG   | Early Deployment (ED): limited     |                          |           | 12.1(7)                  |
|          | platforms                          |                          |           | 2001-Feb-26              |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0XH   | Early Deployment (ED): limited     | 12.0(4)XH5               |           |                          |
|          | platforms                          | 2001-Mar-05              |           |                          |
+----------+------------------------------------+--------------------------+-----------+--------------------------+
| 12.0XI   | E