On 20/09/2022 15:54, Simon Leinen wrote:
Gert Doering via cisco-nsp writes:
Hi,
On Mon, Sep 19, 2022 at 03:47:09PM +0300, Hank Nussbacher via cisco-nsp wrote:
On 19/09/2022 15:40, Gert Doering wrote:
https://www.cisco.com/c/dam/en/us/support/docs/csa/cisco-sa-20010227-ios-snmp-ilmi.html

[..]
That said, I tried to reproduce it on our boxes, and neither the ASR920
nor the lone ASR1000 responds to SNMP v1 or v2c queries with community
"ILMI", with nothing in the config to block it (same source host can
query with one of the configured SNMP communities).  This is on IOS XE
16.6.10 and 15.5(3)S10 respectively.  Seems you need something extra.

It is V3.  Here is a Shodan snippet from one of dozens of alerts we get
per day:

Good to know.  Looking at shodan, I see that both types of devices here
are listed as well (ewww!).

So, need to figure out what the magic -v3 incantation of snmpget is
to make this work... (every time I tried v3 so far has led to
"more grey hair").

Yeah, I'd like to reproduce/understand that too.  I actually remember
both ILMI (in ATM, sigh) and SNMPv3.  One of SNMPv3's distinguishing
features is that it DOESN'T use community strings anymore.  So I'm a bit
confused as to what the problem is.  Is there some implicit mapping from
SNMPv1/2c communities to SNMPv3 usernames/passwords? Or are the Shodan
reports referring to information leaks from SNMPv3 engine-ID discovery?
(e.g. CSCtw74132)

Indeed the SNMP leaks appear to be exactly CSCtw74132 which we did not know about nor did Cisco TAC :-(

Good to know the people here are more knowledgeable than Cisco :-)

Regards,
Hank


Cheers,

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
