Warning: Cisco RW community backdoor.
Jared Mauch
jared at puck.Nether.net
Tue Feb 27 02:06:51 UTC 2001
1) Workaround provided by James is incorrect. You need RW not RO.
2) People only have access to the system mib (do a snmpwalk w/ that community to see vulnerable objects)
This means someone can a) change router system name, b) location or c) contact.
- Jared
On Tue, Feb 27, 2001 at 02:54:04PM +1300, Simon Lyall wrote:
>
>
> It appears that 2500 are not affected.
>
> The fix below doesn't work on 11.1 and 11.2, you have to turn snmp off by
> the looks.
>
> have fun.
>
> ----- Forwarded message from "James A. T. Rice" <jamesr at rd.bbc.co.uk> -----
>
> Date: Tue, 27 Feb 2001 00:39:38 +0000 (GMT)
> From: "James A. T. Rice" <jamesr at rd.bbc.co.uk>
> X-Sender: <jamesr at inet15>
> To: <members at lonap.net>, <ops at linx.net>
> Subject: Warning: Cisco RW community backdoor.
> Precedence: bulk
>
> If your router responds to `snmpwalk router.isp.net.uk ILMI`, you
> probably will want to do the following to disable it:
> conf t
> snmp-server community ILMI RO 99
> access-list 99 deny any log
> (pick another spare access-list if 99 isn't available)
>
> If you don't, assuming your ios/hardware combination supports it,
> (most of the bigger routers do) anyone can do things like:
> `snmpset router.isp.net.uk ILMI system.sysName.0 s \
> "ALL YOUR ROUTER ARE BELONG TO US."`
> That's a harmless example. You can do almost anything with RW snmp.
>
> Warm Regards
> James
>
> --
> James A. T. Rice | Email: jamesr at rd.bbc.co.uk
> Internet Operations Engineer | Phone: 01737 839 737
> BBC Internet Services, Kingswood Warren, Tadworth, Surrey, UK.
>
> ----- End forwarded message -----
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
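
An added example, not part of the original thread: a Python check over router configuration text that applies the two corrections made above (the restriction has to be on the RW community, and on 11.1 and 11.2 SNMP has to be off). The function name, finding strings and sample configurations are constructed for illustration, and the RW form of the command is an assumption based on Jared's reply.

```python
import re

COMMUNITY = re.compile(r"^snmp-server community ILMI (RO|RW)(?:\s+(\d+))?$", re.I)
ACL = re.compile(r"^access-list (\d+) (permit|deny) (.+)$", re.I)

# Constructed sample configurations (not taken from any real router).
CONFIG_RO = "snmp-server community ILMI RO 99\naccess-list 99 deny any log\n"
CONFIG_RW = "snmp-server community ILMI RW 99\naccess-list 99 deny any log\n"

def audit_ilmi(config, ios_version=""):
    """Return a list of findings; an empty list means nothing was flagged."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Simon's report: the ACL approach does not work on 11.1 and 11.2,
    # so on those releases the only acceptable state is SNMP turned off.
    if ios_version.startswith(("11.1", "11.2")):
        if any(l.lower().startswith("snmp-server ") for l in lines):
            return ["11.1/11.2: ACL workaround reported not to work, SNMP still on"]
        return []
    modes, acls = {}, {}  # access mode -> ACL number; ACL number -> ordered entries
    for l in lines:
        if m := COMMUNITY.match(l):
            modes[m.group(1).upper()] = m.group(2)
        elif m := ACL.match(l):
            acls.setdefault(m.group(1), []).append((m.group(2).lower(), m.group(3).lower()))
    # Jared's correction: the restriction has to be on the RW community, not RO.
    if "RW" not in modes:
        return ["ILMI restricted as RO only, RW needed" if "RO" in modes
                else "no ILMI RW restriction configured"]
    acl = modes["RW"]
    if acl is None:
        return ["ILMI RW community has no access-list"]
    entries = acls.get(acl, [])
    if not entries:
        return [f"access-list {acl} is referenced but not defined"]
    # ACL entries are evaluated in order, so the first one must be "deny any".
    action, match = entries[0]
    if action != "deny" or match.split()[0] != "any":
        return [f"access-list {acl} does not start with deny any"]
    return []

if __name__ == "__main__":
    for name, cfg in (("RO form", CONFIG_RO), ("RW form", CONFIG_RW)):
        print(name, audit_ilmi(cfg) or "ok")
```
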