The original article can be found at: http://seclists.org/fulldisclosure/2010/Jul/123
* Cisco Industrial Ethernet 3000 Series Switches (IOS version 12.2(52)SE)
* Cisco Industrial Ethernet 3000 Series Switches (IOS version 12.2(52)SE1)
Cisco Industrial Ethernet 3000 Series switches that are running affected versions of Cisco IOS Software contain hard-coded SNMP read-write community names. The Cisco Industrial Ethernet 3000 Series is a family of switches that provide a rugged, easy-to-use, secure infrastructure for harsh environments. SNMP is used for managing and monitoring the device and community names are the equivalent to a password.
The hard-coded SNMP community names are:
snmp-server community public RO
snmp-server community private RW
The SNMP community names can be removed; however, the hard-coded community names are reapplied to the running configuration when the device reloads. Cisco has provided a workaround that ensures the community names are removed when the device reloads. Note: Configuring an access list or a restricted mib view:
snmp-server community public RO 99
snmp-server community private RW 99
snmp-server community public view RO 99
snmp-server community private view RO 99
access-list 99 deny any
The proceeding works as a workaround until the device is reloaded. Once the device is reloaded the original configuration is inserted without the access lists or mib views assigned to the community names. Consult the workarounds section of this advisory. This vulnerability was introduced as part of a new feature integrated into the affected releases called PROFINET. At the time of the publication of this advisory, PROFINET was only supported on Cisco Industrial Ethernet 3000 Series switches.
Manually Remove SNMP Community Names
Note: The following workaround is only effective until the device is reloaded. Upon each reload of the device this workaround must be re-applied. Cisco encourages performing a Cisco IOS Software upgrade as a permanent fix for this vulnerability. Log in to the device, and enter configuration mode. Enter the following configuration commands:
no snmp-server community public RO
no snmp-server community private RW
Saving the configuration will update the start-up configuration files; however the hard-coded community names will be reinserted to the running configuration when the device reloads. This workaround must be applied each time the device is reloaded.
Automatically Remove SNMP Community Names
By creating an Embedded Event Manager (EEM) policy, it is possible to automatically remove the hard-coded SNMP community names each time the device is reloaded. The following example shows an EEM policy that runs each time the device is reloaded and removes the hard-coded SNMP community names.
event manager applet cisco-sa-20100707-snmp
event timer countdown time 30
action 10 cli command "enable"
action 20 cli command "configure terminal"
action 30 cli command "no snmp-server community public RO"
action 40 cli command "no snmp-server community private RW"
action 50 cli command "end"
action 60 cli command "disable"
action 70 syslog msg "Hard-coded SNMP community names as per Cisco Security Advisory cisco-sa-20100707-snmp removed"
For more information on EEM policies consult the Cisco IOS Network Management Configuration Guide - Embedded Event Manager Overview at the following link:
Infrastructure Access Control Lists
Although it is often difficult to block traffic that transits a network, it is possible to identify traffic that should never be allowed to target infrastructure devices and block that traffic at the device interface or the border of networks. If SNMP management is not required on the IE3000, then dropping all SNMP traffic to the device is a sufficient workaround. The iACL below shows an example of an IE3000 with two interfaces configured with layer 3 access, dropping all SNMP queries destined to the IE3000:
!--- Deny SNMP traffic from all other sources destined to
!--- configured IP addresses on the IE3000.
access-list 150 deny udp any host 192.168.0.1 eq snmp
access-list 150 deny udp any host 192.168.1.1 eq snmp
!--- Permit/deny all other Layer 3 and Layer 4 traffic in
!--- accordance with existing security policies and configurations
!--- Permit all other traffic to transit the device.
access-list 150 permit ip any any
!--- Apply access-list to all Layer 3 interfaces
!--- (only two examples shown)
ip address 192.168.0.1 255.255.255.0
ip access-group 150 in
ip address 192.168.1.1 255.255.255.0
ip access-group 150 in
The white paper "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists. This white paper can be obtained at the following link: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
07 Jul 2010 - Published