SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE

Summary:
The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. Only traffic directed to an affected system can be used to exploit these vulnerabilities. The vulnerabilities are due to a buffer overflow condition in the SNMP subsystem of the affected software. The vulnerabilities affect all versions of SNMP – Versions 1, 2c, and 3.
Affected Products:
These vulnerabilities affect all releases of Cisco IOS and IOS XE Software prior to the first fixed release and they affect all versions of SNMP—Versions 1, 2c, and 3.
To determine whether an IOS or IOS XE release is affected by this vulnerability, use the Cisco Software Checker tool. For example, the tool shows that version 15.6(2)T1 is affected by this vulnerability (SNMP Remote Code Execution) and that the first fix in the same IOS line is 15.6(3)M2.
Devices that run an affected IOS or IOS XE version and are configured with any of the following MIBs are vulnerable:
  • ADSL-LINE-MIB
  • ALPS-MIB
  • CISCO-ADSL-DMT-LINE-MIB
  • CISCO-BSTUN-MIB
  • CISCO-MAC-AUTH-BYPASS-MIB
  • CISCO-SLB-EXT-MIB
  • CISCO-VOICE-DNIS-MIB
  • CISCO-VOICE-NUMBER-EXPANSION-MIB
  • TN3270E-RT-MIB
To display a list of the MIBs that are registered and enabled on a device, administrators can issue the show snmp mib command in privileged EXEC mode.
Workaround:
Disable the above vulnerable MIBs. To do so, administrators can use the snmp-server view global configuration command, as shown in the following example:
snmp-server view NO_BAD_SNMP iso included
snmp-server view NO_BAD_SNMP internet included
snmp-server view NO_BAD_SNMP snmpUsmMIB excluded
snmp-server view NO_BAD_SNMP snmpVacmMIB excluded
snmp-server view NO_BAD_SNMP snmpCommunityMIB excluded
snmp-server view NO_BAD_SNMP ciscoMgmt.252 excluded
snmp-server view NO_BAD_SNMP transmission.94 excluded
snmp-server view NO_BAD_SNMP mib-2.34.9 excluded
snmp-server view NO_BAD_SNMP ciscoMgmt.35 excluded
snmp-server view NO_BAD_SNMP ciscoMgmt.95 excluded
snmp-server view NO_BAD_SNMP ciscoMgmt.130 excluded
snmp-server view NO_BAD_SNMP ciscoMgmt.219 excluded
snmp-server view NO_BAD_SNMP ciscoMgmt.254 excluded
snmp-server view NO_BAD_SNMP ciscoMabMIB excluded
snmp-server view NO_BAD_SNMP ciscoExperiment.997 excluded
To then apply this configuration to a community string, administrators can use the following command:
 snmp-server community mycomm view NO_BAD_SNMP RO
 
For SNMP Version 3, administrators can use the following command:
 snmp-server group v3group auth read NO_BAD_SNMP write NO_BAD_SNMP
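To confirm the workaround is actually in force, the following added example (not part of the original advisory or of Cisco's tooling) audits a saved running-config and reports any SNMP community or group that is not bound to a view excluding the subtrees listed above. The sample config, its community strings and the PARTIAL view are constructed, and subtree names are matched literally as the advisory writes them.

```python
# Added example: offline audit of an IOS running-config against the workaround.
# Assumption: the config uses the advisory's subtree names, not numeric OIDs.
REQUIRED_EXCLUDES = set("""snmpUsmMIB snmpVacmMIB snmpCommunityMIB ciscoMgmt.252
transmission.94 mib-2.34.9 ciscoMgmt.35 ciscoMgmt.95 ciscoMgmt.130 ciscoMgmt.219
ciscoMgmt.254 ciscoMabMIB ciscoExperiment.997""".split())

def _after(tokens, keyword):
    """Return the token that follows keyword, or None when it is absent."""
    return tokens[tokens.index(keyword) + 1] if keyword in tokens[:-1] else None

def audit(config):
    """Return findings for communities/groups the workaround does not cover."""
    views, bindings = {}, []  # view -> excluded subtrees; (line, kind, view)
    for n, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        if len(tok) < 3 or tok[0] != "snmp-server":
            continue
        if tok[1] == "view" and len(tok) == 5:
            excluded = views.setdefault(tok[2], set())
            if tok[4] == "excluded":
                excluded.add(tok[3])
        elif tok[1] == "community":  # tok[2] is the secret string: skip it
            bindings.append((n, "community", _after(tok[3:], "view")))
        elif tok[1] == "group":
            bindings.append((n, "group read", _after(tok[3:], "read")))
            if _after(tok[3:], "write"):
                bindings.append((n, "group write", _after(tok[3:], "write")))
    findings = []  # reported by line number so community strings are not echoed
    for n, kind, view in bindings:
        missing = REQUIRED_EXCLUDES - views.get(view, set())
        if view is None:
            findings.append(f"line {n}: {kind} has no view restriction")
        elif view not in views:
            findings.append(f"line {n}: {kind} uses undefined view {view}")
        elif missing:
            findings.append(f"line {n}: view {view} does not exclude "
                            + ", ".join(sorted(missing)))
    return findings

# Constructed sample config (community strings and PARTIAL view are made up).
SAMPLE = "\n".join(["snmp-server view NO_BAD_SNMP iso included"]
    + [f"snmp-server view NO_BAD_SNMP {s} excluded" for s in sorted(REQUIRED_EXCLUDES)]
    + ["snmp-server view PARTIAL ciscoMgmt.252 excluded",
       "snmp-server community c0mm-a view NO_BAD_SNMP RO",
       "snmp-server community c0mm-b RO",
       "snmp-server community c0mm-c view PARTIAL RO",
       "snmp-server group v3group auth read NO_BAD_SNMP write NO_BAD_SNMP"])
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The check does not recognize a view that excludes a broader parent subtree or uses numeric OIDs, so review any finding against the device's actual view definitions.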
Further Info & Assistance:
This advisory is available at the following link:
 
Reference CVEs:
CVE-2017-6736
CVE-2017-6737
CVE-2017-6738
CVE-2017-6739
CVE-2017-6740
CVE-2017-6741
CVE-2017-6742
CVE-2017-6743
CVE-2017-6744
 

For assistance in mitigating this vulnerability, open a case by calling our 24×7 call center +961-1-511822 or on support.dcgroup.com.
