Cisco has patched nine serious remote code execution vulnerabilities in the SNMP subsystem running in its IOS and IOS XE software. The vulnerabilities had been publicly disclosed.
Cisco notified users of the availability of patches after releasing its initial advisory on the matter on June 29, warning of the public disclosure as well as providing workarounds.
All releases of Cisco IOS and IOS XE software are affected, as are all versions of SNMP (1, 2c and 3), the company said. A request for comment from Cisco on the source of the public disclosures was not returned in time for publication.
Nine buffer overflow vulnerabilities (CVE-2017-6736-CVE-2017-6744) were patched, each allowing a remote attacker without authentication to use specially crafted SNMP packets to exploit the flaws and either execute code remotely or cause a system to reload, Cisco said.
Systems running SNMP version 2c or earlier can be exploited only if an attacker knows the SNMP read-only community string for the particular system. For SNMP version 3, an attacker would have to have credentials for a targeted system to carry out an attack.
“A successful exploit could allow the attacker to execute arbitrary code and obtain full control of the affected system or cause the affected system to reload,” Cisco said in its advisory.
Cisco also said that any of its devices configured with a list of particular MIBs, or management information base, are also vulnerable. MIBs are databases associated with SNMP implementations and are used to manage devices in a communication network. The list of MIBs below, provided by Cisco, are on by default when SNMP is enabled:
- ADSL-LINE-MIB
- ALPS-MIB
- CISCO-ADSL-DMT-LINE-MIB
- CISCO-BSTUN-MIB
- CISCO-MAC-AUTH-BYPASS-MIB
- CISCO-SLB-EXT-MIB
- CISCO-VOICE-DNIS-MIB
- CISCO-VOICE-NUMBER-EXPANSION-MIB
- TN3270E-RT-MIB
“Some of the MIBs may not be present on all systems or versions but are enabled when present,” Cisco said. The company’s original workaround recommendation was to disable the affected MIBs.
“Administrators may be accustomed to utilizing the show snmp mib command in privileged EXEC mode to display a list of enabled MIBs on a device,” Cisco said. “Not all of the MIBs will be displayed in the output of the show snmp mib command but may still be enabled.” Customers were advised to implement the entire exclude list.
In addition to applying the patches, Cisco also advises that network managers regularly change community strings, which are applied to restrict read and write access to SNMP data on a device running IOS or IOS XE.
“These community strings, as with all passwords, should be chosen carefully to ensure they are not trivial,” Cisco said. “They should also be changed at regular intervals and in accordance with network security policies.”
