Warning: Cisco RW community backdoor.

It appears that 2500 are not affected.

The fix below doesn't work on 11.1 and 11.2 , you have to turn snmp off by
the looks.

have fun.

----- Forwarded message from "James A. T. Rice" <jamesr@rd.bbc.co.uk> -----

X-Sender: <jamesr@inet15>
Precedence: bulk

If your router responds to `snmpwalk router.isp.net.uk ILMI`, you
probabally will want to do the following to disable it:
   conf t
   snmp-server community ILMI RO 99
   access-list 99 deny any log
(pick another spare access-list if 99 isn't available)

If you dont, assuming your ios/hardware combination supports it,
(most of the bigger routers do) anyone can do things like:
          `snmpset router.isp.net.uk ILMI system.sysName.0 s \
Thats a harmless example. You can do almost anything with RW snmp.

Warm Regards

1) Workaround provided by James is incorrect. You need RW not

  2) People only have access to the system mib
(do a snmpwalk w/ that community to see vulnerable objects)

  This means someone can a) change router system name, b) location
or c) contact.

  - Jared

No, you only need to specify RO... at least according to the tests I've
just run. As I understand it you're overriding a built in community.

I was told by Cisco it should be RW. (To override the builtin

  I never ran a test w/ RO so was speaking from that

  If you get some message about the "community/party" exists
or something like that, put this in:

no snmp-server view *ilmi

  It doesn't get saved in the config, so if you machine generate
your nvram:startup-config, you're ok, if you do not, you will
need to re-add it each time you reboot.

  - Jared

I tried this one of our routers and it worked. I put in the snmp filter
to stop it, which it did. Then I took the filter off and it still
didn't work. Odd.


Sweet. Yet another VENDOR CREATED problem. Is the fact that we PURCHASE
the %^#&*# hardware from them not enough? Do they have to continually
insist on putting backdoors into the code? Backdoors that inevitably leak
out of their organization?

Cursory testing shows 16xx, 17xx, 26xx and 25xx don't seem to respond to it running various revs from 11.x to 12.1.

3640 running 12.0.1T coughs up the info.

3662 running 12.1(3a)T acts really goofy. Had to reboot the router to fix it (test point). CPU at 100%.

Congratulations folks. We've graduated from "minor annoyance" to DoS.

Taking Seans input is confusing. The 3640 doesn't have an ATM interface (running IP Plus though). The 3662 does (T1 IMA Card) and it locks up (refuses logins and spikes a CPU fever).

I tested it on both of my GSR's and got responses. Put the filters in, it

Then I took the changes out of my backup router, and like you, didnt get a
response. However, after rebooting the router, I do get a response again.

12008 GSR's running 12.0(9)S. No ATM interfaces (just 3 GigE cards ea).

And yes, the only tree I could touch was system. Nothing else, read or


Cursory testing shows 16xx, 17xx, 26xx and 25xx don't seem to respond
to it running various revs from 11.x to 12.1.

I have a 7812 responding to ILMI. Dagnabit.. It's been up for:
Timeticks: (2865524906) 331 days, 15:47:29.06

and a few lesser boxen as well.. -Mike--

I would suspect that only routers capable of supporting ATM interfaces, ie
3640 and up, will respond, as ILMI is used for ATM.

-Alexander Kiwerski

I stand corrected, partially, since routers below 36xx support ATM.

-Alex K.