On 19/09/2022 15:40, Gert Doering wrote:
> Hi,

> On Mon, Sep 19, 2022 at 02:29:06PM +0300, Hank Nussbacher via cisco-nsp wrote:
>> Recently Shodan has been showing how it probes all our IOS-XE routers
>> via SNMP even though we have an ACL on all our SNMP.  We then found that
>> there is a bugid on the issue (ILMI can't be blocked by ACL):
>> CSCvs33325
>
> Is that still a thing?  Insane.

> Indeed.


> It used to be an issue on IOS 15+ years ago...  (on IOS, the issue was
> "ILMI is a predefined community which cannot be deleted" - but you
> *could* expose it, make it explicit, and then put an ACL on it).
>
>
> That bug is amazing anyway.  My suggestion would have been "escalate via
> PSIRT", but the bug says "The Cisco PSIRT has evaluated this issue and
> determined it does not meet the criteria for PSIRT ownership or involvement.
> This issue will be addressed via normal resolution channels."
>
> WAT?!


> That said, I tried to reproduce it on our boxes, and neither the ASR920
> nor the lone ASR1000 responds to SNMP v1 or v2c queries with community
> "ILMI", with nothing in the config to block it (same source host can
> query with one of the configured SNMP communities).  This is on IOS XE
> 16.6.10 and 15.5(3)S10 respectively.  Seems you need something extra.

It is V3. Here is a Shodan snippet from one of dozens of alerts we get per day:

Banner (snmp_v3)
Snmp:
  Versions:
    3
  Engineid Format: mac
  Engine Boots: 20
  Engineid Data: 70:ca:9b:a9:2f:40
  Enterprise: 9
  Engine Time: 189 days, 9:15:11


-Hank


> gert
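The fields in that Shodan banner are exactly what an SNMPv3 engine returns in its unauthenticated discovery Report (RFC 3414), so a device showing up there has answered discovery on UDP/161 from the Internet regardless of any community or group ACL. The following is an added example (not from the thread or from Cisco) that decodes an RFC 3411 engineID into the enterprise/format/data fields Shodan shows, for checking your own inventory against such alerts; the sample engineID is constructed from the banner values above (enterprise 9, format mac, data 70:ca:9b:a9:2f:40) and is not captured traffic.

```python
"""Decode SNMPv3 engineIDs (RFC 3411 SnmpEngineID textual convention)
into the fields shown in a Shodan snmp_v3 banner.  Added example; the
sample values are constructed from the thread's banner, not captured."""

# Format byte meanings from RFC 3411; 128..255 are enterprise-specific.
ENGINE_ID_FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}

# Constructed from the banner: 0x80000009 = Cisco (PEN 9) with the
# high bit set, 0x03 = MAC format, then the six MAC octets.
SAMPLE_ENGINE_ID = bytes.fromhex("800000090370ca9ba92f40")
SAMPLE_ENGINE_BOOTS = 20
SAMPLE_ENGINE_TIME = 189 * 86400 + 9 * 3600 + 15 * 60 + 11   # "189 days, 9:15:11"


def decode_engine_id(engine_id: bytes) -> dict:
    """Split an engineID into enterprise number, format name and data."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("engineID must be 5..32 octets")
    enterprise = int.from_bytes(engine_id[:4], "big") & 0x7FFFFFFF
    if not engine_id[0] & 0x80:
        # Pre-RFC 3411 form: enterprise number followed by 8 opaque octets.
        return {"enterprise": enterprise, "format": "legacy",
                "data": engine_id[4:].hex()}
    fmt, data = engine_id[4], engine_id[5:]
    if fmt == 3:
        if len(data) != 6:
            raise ValueError("mac format requires exactly 6 octets")
        rendered = ":".join(f"{b:02x}" for b in data)
    elif fmt == 4:
        rendered = data.decode("ascii", errors="replace")
    else:
        rendered = data.hex()
    name = ENGINE_ID_FORMATS.get(
        fmt, "enterprise-specific" if fmt >= 128 else "reserved")
    return {"enterprise": enterprise, "format": name, "data": rendered}


def engine_time_str(seconds: int) -> str:
    """Render snmpEngineTime the way the banner does: 'D days, H:MM:SS'."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{days} days, {hours}:{minutes:02d}:{secs:02d}"


def is_cisco_mac_engine(engine_id: bytes) -> bool:
    """True for enterprise 9 (Cisco) engineIDs in MAC format, as in the banner."""
    info = decode_engine_id(engine_id)
    return info["enterprise"] == 9 and info["format"] == "mac"
```

Comparing the decoded MAC against your devices' `show snmp engineID` output tells you which box answered the discovery, which is the first step before putting an interface or control-plane ACL in front of UDP/161.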

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/