In an advisory originally released on June 29, Cisco disclosed buffer overflow vulnerabilities in the Simple Network Management Protocol (SNMP) subsystem of its IOS and IOS XE Software. At the time, the only workarounds were restricting SNMP access on affected systems to “trusted users” and monitoring “affected systems by using the show snmp host command in the CLI.”
Additionally, certain Cisco management information bases (MIBs) are affected; Cisco's advisory lists them.
Recently, however, Cisco updated its security advisory to indicate that patches for the vulnerabilities have been released. To understand how important it is to install these patches as soon as possible, we must understand what the vulnerabilities allow. A successful buffer overflow against the SNMP subsystem of IOS or IOS XE lets an attacker execute arbitrary code on the device remotely, or can force the entire system to reload. In practice the attacker's goal is total and complete control of the device from a remote system.
The prerequisites for an attack vary with the SNMP version in use. As Cisco states, “to exploit these vulnerabilities via SNMP Version 2c or earlier, the attacker must know the SNMP read-only community string for the affected system.” However, for “SNMP Version 3, the attacker must have user credentials for the affected system.” For SNMPv1 and v2c that is a low bar: the community string crosses the wire in cleartext and is frequently left at a well-known default, so any host that can reach the device on UDP port 161 and knows or guesses the read-only string can attempt the exploit.
In addition to applying the patches, Cisco recommends that network managers change community strings regularly so that only currently vetted users retain access. Cisco states that the “community strings, as with all passwords, should be chosen carefully to ensure they are not trivial… they should also be changed at regular intervals and in accordance with network security policies.” For example, Cisco notes that “the strings should be changed when a network administrator changes roles or leaves the organization.” Binding each community to an access list of management hosts, and moving to SNMPv3 with authentication and privacy where possible, shifts the attacker's prerequisite from a shared cleartext string to per-user credentials.
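The prerequisites above translate directly into configuration checks: any SNMPv1/v2c community is exploitable by whoever knows the read-only string, a well-known or unrestricted community hands that string to anyone on the network, and an SNMPv3 group that does not require authentication and privacy weakens the “must have user credentials” precondition. The following audit script is an added example, not code from Cisco or from the advisory. It parses a constructed `show running-config` excerpt (not from a real device) and reports those conditions; the well-known community list is an assumption for illustration, and the severity levels are the author's, not Cisco's.

```python
"""Audit a Cisco IOS / IOS XE running-config for the SNMP exposure the advisory
turns on: v1/v2c communities (exploitable with only the read-only string),
well-known community strings, communities not bound to an access-list, and
SNMPv3 groups that do not require both authentication and privacy."""
import re
from dataclasses import dataclass

# Strings that appear on every default-credential list. This set is an
# assumption for illustration, not a list taken from the Cisco advisory.
WELL_KNOWN_COMMUNITIES = {"public", "private", "cisco", "admin", "secret", "write"}

# Constructed sample config for illustration; it is not from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
snmp-server community public RO
snmp-server community netmon RO 10
snmp-server community s3cr3t-rw RW 10
snmp-server group NOCV3 v3 priv
snmp-server group LEGACYV3 v3 auth
snmp-server group OPENV3 v3 noauth
access-list 10 permit 10.0.0.5
!
end
"""


@dataclass(frozen=True)
class Finding:
    line: str
    severity: str  # "high" or "medium"
    issue: str


# IOS syntax: snmp-server community STRING [view NAME] [RO|RW] [ipv6 NACL] [ACL]
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(.*)$", re.IGNORECASE)
# IOS syntax: snmp-server group NAME v3 {noauth|auth|priv} [...]
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b", re.IGNORECASE)


def _audit_community(line: str, community: str, rest: str) -> list[Finding]:
    tokens = rest.split()
    if len(tokens) >= 2 and tokens[0].lower() == "view":
        tokens = tokens[2:]                      # skip "view NAME"
    mode = "RO"                                  # IOS default when RO/RW is omitted
    if tokens and tokens[0].upper() in ("RO", "RW"):
        mode = tokens.pop(0).upper()
    has_acl = bool(tokens)                       # whatever remains is an ACL binding
    findings = [Finding(line, "high" if mode == "RW" else "medium",
                        f"SNMPv1/v2c community ({mode}): the only precondition for the "
                        "overflow is knowing this string, which crosses the wire in cleartext")]
    if community.lower() in WELL_KNOWN_COMMUNITIES:
        findings.append(Finding(line, "high", f"well-known community string '{community}'"))
    if not has_acl:
        findings.append(Finding(line, "high",
                                "no access-list: any host that can reach UDP/161 may use it"))
    return findings


def _audit_v3_group(line: str, name: str, level: str) -> list[Finding]:
    level = level.lower()
    if level == "noauth":
        return [Finding(line, "high", f"SNMPv3 group {name} requires no authentication, "
                                      "so the 'must have credentials' precondition does not apply")]
    if level == "auth":
        return [Finding(line, "medium", f"SNMPv3 group {name} authenticates but does not "
                                        "encrypt; prefer 'priv'")]
    return []


def audit_snmp_config(config: str) -> list[Finding]:
    """Return every SNMP finding for the given running-config text."""
    findings: list[Finding] = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := COMMUNITY_RE.match(line):
            findings.extend(_audit_community(line, m.group(1), m.group(2)))
        elif m := GROUP_RE.match(line):
            findings.extend(_audit_v3_group(line, m.group(1), m.group(2)))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.line}\n         {f.issue}")
```

On the sample, `public RO` produces three findings (v2c, well-known string, no ACL), the two ACL-bound communities produce only the v2c finding each, and of the three v3 groups only `priv` is clean. The fix for a community finding is the standard IOS form `snmp-server community STRING RO ACL-NAME`, which is what “restricting access to trusted users” looks like in configuration; the fix for a `noauth` or `auth` group is to recreate it with `priv`. Paste a real `show running-config` output into `SAMPLE_CONFIG` to audit a device.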
Photo credit: Flickr / Hades2k