Warning: Cisco RW community backdoor.

It appears that 2500 are not affected.

The fix below doesn't work on 11.1 and 11.2; you have to turn SNMP off, by
the looks of it.

have fun.

----- Forwarded message from "James A. T. Rice" <jamesr@rd.bbc.co.uk> -----


If your router responds to `snmpwalk router.isp.net.uk ILMI`, you
probably will want to do the following to disable it:
   conf t
   snmp-server community ILMI RO 99
   access-list 99 deny any log
(pick another spare access-list if 99 isn't available)

If you don't, assuming your IOS/hardware combination supports it
(most of the bigger routers do), anyone can do things like:
          `snmpset router.isp.net.uk ILMI system.sysName.0 s \
          "ALL YOUR ROUTER ARE BELONG TO US."`
That's a harmless example. You can do almost anything with RW SNMP.

Warm Regards
James

1) Workaround provided by James is incorrect. You need RW not
RO.

2) People only have access to the system MIB
(do a snmpwalk w/ that community to see vulnerable objects)

This means someone can a) change router system name, b) location
or c) contact.

- Jared

No, you only need to specify RO... at least according to the tests I've
just run. As I understand it you're overriding a built-in community.

I was told by Cisco it should be RW. (To override the builtin
one).

I never ran a test w/ RO so was speaking from that
data.

If you get some message about the "community/party" exists
or something like that, put this in:

no snmp-server view *ilmi

It doesn't get saved in the config, so if you machine-generate
your nvram:startup-config, you're ok; if you do not, you will
need to re-add it each time you reboot.

- Jared
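The workaround in James's message (override the ILMI community and bind it to a deny-all access list) and Jared's follow-up are easy to get subtly wrong, so here is a small config audit, added here as an example and not code from anyone in the thread. It parses a running-config excerpt for `snmp-server community` and standard `access-list` lines and reports whether the ILMI community is actually restricted; the sample configs are constructed, and it accepts either RO or RW since the thread disagrees on which is needed.

```python
import re

# Constructed running-config excerpts (not taken from the thread) for the audit below.
WORKAROUND_APPLIED = """\
hostname edge-rtr
snmp-server community public RO 10
snmp-server community ILMI RO 99
access-list 10 permit 192.0.2.10
access-list 99 deny any log
"""
WORKAROUND_MISSING = """\
hostname core-rtr
snmp-server community public RO 10
access-list 10 permit 192.0.2.10
"""

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\d+))?$")
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (.+?)(?: log)?$")

def parse_config(text):
    """Return ({community: (mode, acl_number)}, {acl_number: [(action, source)]})."""
    communities, acls = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if (m := COMMUNITY_RE.match(line)):
            communities[m.group(1)] = (m.group(2), m.group(3))
        elif (m := ACL_RE.match(line)):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return communities, acls

def audit_ilmi(text):
    """Return a list of findings; an empty list means the ILMI community is restricted."""
    communities, acls = parse_config(text)
    if "ILMI" not in communities:
        # No override line at all: the built-in community is still reachable.
        return ["ILMI community not overridden in config"]
    mode, acl = communities["ILMI"]  # RO vs RW: the thread disagrees, both accepted here
    if acl is None:
        return [f"ILMI community defined as {mode} with no access-list"]
    findings = []
    entries = acls.get(acl, [])
    if not entries:
        # Assumption: an ACL that is referenced but never defined restricts nothing.
        findings.append(f"access-list {acl} referenced by ILMI community is undefined")
    elif any(action == "permit" and src == "any" for action, src in entries):
        findings.append(f"access-list {acl} permits any source")
    return findings
```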

I tried this on one of our routers and it worked. I put in the SNMP filter
to stop it, which it did. Then I took the filter off and it still
didn't work. Odd.

John

Sweet. Yet another VENDOR CREATED problem. Is the fact that we PURCHASE
the %^#&*# hardware from them not enough? Do they have to continually
insist on putting backdoors into the code? Backdoors that inevitably leak
out of their organization?

Cursory testing shows 16xx, 17xx, 26xx and 25xx don't seem to respond to it running various revs from 11.x to 12.1.

3640 running 12.0.1T coughs up the info.

3662 running 12.1(3a)T acts really goofy. Had to reboot the router to fix it (test point). CPU at 100%.

Congratulations folks. We've graduated from "minor annoyance" to DoS.

Taking Sean's input is confusing. The 3640 doesn't have an ATM interface (running IP Plus though). The 3662 does (T1 IMA card) and it locks up (refuses logins and spikes a CPU fever).

I tested it on both of my GSRs and got responses. Put the filters in, it
stopped.

Then I took the changes out of my backup router, and like you, didn't get a
response. However, after rebooting the router, I do get a response again.

12008 GSRs running 12.0(9)S. No ATM interfaces (just 3 GigE cards ea).

And yes, the only tree I could touch was system. Nothing else, read or
write.

-j

I have a 7812 responding to ILMI. Dagnabit.. It's been up for:
Timeticks: (2865524906) 331 days, 15:47:29.06

and a few lesser boxen as well.. -Mike--

I would suspect that only routers capable of supporting ATM interfaces, i.e.
3640 and up, will respond, as ILMI is used for ATM.

-Alexander Kiwerski

I stand corrected, partially, since routers below 36xx support ATM.

-Alex K.