Foundry Networks EdgeIron Switches Let Remote Users Access SNMP With Any Community Name

SecurityTracker Alert ID: 1003870
SecurityTracker URL: http://securitytracker.com/id/1003870
CVE Reference: GENERIC-MAP-NOMATCH
Date: Mar 21 2002
Impact: User access via network
Fix Available: Yes
Exploit Included: Yes
Version(s): EdgeIron 4802F Fast Ethernet switches

Description:
A default configuration vulnerability was reported in the Foundry Networks EdgeIron switches. A remote user can gain SNMP read and write access.
It is reported that the Foundry Networks EdgeIron 4802F Fast Ethernet switches use a default SNMP configuration that allows a remote user to send SNMP requests to the switch with any community string and gain read and write access to the system.

Impact:
A remote user can gain read and write SNMP access to the system, even if the default SNMP communities have been deleted from the switch.

Solution:
According to the report, the fix from Foundry is to issue the following commands:
EdgeIron(config)#
EdgeIron(config)#snmp-server security
EdgeIron(config)#
EdgeIron(config)#snmp-server user <name> <community-string> <ip-address>
This allows the specified IP address to talk to the switch with that community string. Requests from other IP addresses are ignored, and the 'snmp-server security' option turns on the checking of SNMPv1 community strings.
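
A check that the fix took effect, as an added example (not from the advisory or from Foundry): it sends one read-only SNMPv1 GET for sysName.0 with a community string generated on the spot and reports whether the switch answered. The function names, the "audit-" prefix and the 2-second timeout are assumptions of this example.

```python
import secrets
import socket
SYSNAME_0 = bytes.fromhex("2b06010201010500")  # OID 1.3.6.1.2.1.1.5.0

def tlv(tag, value):
    """BER element with a short-form length (enough for this request)."""
    if len(value) > 127:
        raise ValueError("value too long for short-form length")
    return bytes([tag, len(value)]) + value

def build_get_request(community, request_id):
    """SNMPv1 GetRequest (read-only) for sysName.0 using `community`."""
    varbind = tlv(0x30, tlv(0x06, SYSNAME_0) + tlv(0x05, b""))
    pdu = tlv(0xA0, tlv(0x02, request_id.to_bytes(2, "big")) + tlv(0x02, b"\x00")
              + tlv(0x02, b"\x00") + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)

def read_header(data, pos):
    """Return (tag, value_start, value_end); accepts long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def is_reply_to(data, request_id):
    """True if `data` is a GetResponse (tag 0xA2) echoing our request id."""
    try:
        _, pos, _ = read_header(data, 0)        # outer SEQUENCE
        for _ in range(2):                      # skip version and community
            _, _, pos = read_header(data, pos)
        tag, pos, _ = read_header(data, pos)    # PDU header
        _, start, end = read_header(data, pos)  # request-id INTEGER
    except IndexError:
        return False
    return tag == 0xA2 and int.from_bytes(data[start:end], "big") == request_id

def answers_unknown_community(host, port=161, timeout=2.0):
    """GET with a just-generated community; True if the device answered anyway."""
    community = b"audit-" + secrets.token_hex(8).encode()
    request_id = 0x0100 + secrets.randbelow(0x7F00)  # 2-byte positive INTEGER
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_get_request(community, request_id), (host, port))
            data, _ = sock.recvfrom(4096)
        except OSError:  # timeout or ICMP error: no answer arrived
            return False
    return is_reply_to(data, request_id)
```

Run it from the management host named in the 'snmp-server user' line: once 'snmp-server security' is set, answers_unknown_community() should return False. False only means no answer arrived within the timeout, so repeat the check if the path may drop UDP.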

Vendor URL: www.foundrynet.com/products/l23wiringcloset/edgeiron/index.html

Cause: Access control error

Underlying OS:

Message History: None.

Source Message Contents

Date: Thu, 21 Mar 2002 09:58:10 +1200 (NZST)
Subject: Default SNMP configuration issue with Foundry Networks EdgeIron

28-02-02 -- advisory@prophecy.net.nz
"The EdgeIron family of Layer 2 switches is designed to provide wire-speed
performance, superior port density, and complete standard Layer 2 feature
sets at an aggressive price for Enterprise users."
Problem:
--------
Foundry Networks EdgeIron 4802F Fast Ethernet switches have a
default SNMP configuration which allows SNMP requests to the switch with
any community string to have read and write access to the user.
All that is required is IP access to the switch.
Example:
--------
[prophecy@loki ~]$ snmpget 10.1.1.120 public system.sysName
system.sysName.0 =
[prophecy@loki ~]$
[prophecy@loki ~]$ snmpset 10.1.1.120 totallyinvalidcommunitystring system.sysName s "0wned"
system.sysName.0 = 0wned
[prophecy@loki ~]$
I have tested this both before and AFTER deleting the default SNMP
communities from the switch. The default strings are: public (RO),
private (RW).
Solution:
---------
It turns out that this is less a problem, and more a 'feature' of these
switches.
The fix from Foundry is to issue the following commands:
EdgeIron(config)#
EdgeIron(config)#snmp-server security
EdgeIron(config)#
EdgeIron(config)#snmp-server user <name> <community-string> <ip-address>
This then allows the specified IP to talk to the switch with that
community string.
Requests from other IPs are ignored and the 'snmp-server security' option
basically turns on the checking of SNMPv1 community strings.
(Does the RFC say that you can run an SNMPv1 implementation _without_
checking community strings?).
Conclusion:
-----------
It is misleading that the default config comes with 2 community strings
(public and private), but the switch will still respond to snmpset
requests with any community.
I'm guessing that most people (like myself), will generally change the
default community strings on a new switch, making them read-only, and
then feel somewhat safer about pulling SNMP information out of them.
In this case, doing those 2 things does not stop anyone from randomly
writing to SNMP objects.
-----