Release Notes for Cisco IOS Release 12.1E on the Catalyst 6500 and Cisco 7600 Supervisor Engine and MSFC
OL-2310-11
Caveats
• Cisco Security Advisory:
Cisco IOS Software Multiple SNMP Community String Vulnerabilities
Revision 1.0: INTERIM
For Public Release 2001 February 27 20:00 US/Eastern (UTC+0500)
Summary:
Multiple Cisco IOS software and Catalyst OS software releases contain several independent but
related vulnerabilities involving the unexpected creation and exposure of SNMP community strings.
These vulnerabilities can be exploited to permit the unauthorized viewing or modification of
affected devices.
To remove the vulnerabilities, Cisco is offering free software upgrades for all affected platforms.
The defects are documented in DDTS records CSCds32217, CSCds16384, CSCds19674,
CSCdr59314, CSCdr61016, and CSCds49183.
In addition to specific workarounds for each vulnerability, affected systems can be protected by
preventing SNMP access.
This notice will be posted at:
http://www.cisco.com/warp/public/707/ios-snmp-community-vulns-pub.shtml.
(CSCdr59314, CSCdr61016, CSCds32217)
• Cisco Security Advisory:
Cisco IOS Software SNMP Read-Write ILMI Community String Vulnerability
Revision 1.0: INTERIM
For Public Release 2001 February 27 04:00 US/Eastern (UTC+0500)
Summary:
Cisco IOS software releases based on versions 11.x and 12.0 contain a defect that allows a limited
number of SNMP objects to be viewed and modified without authorization using an undocumented
ILMI community string. Some of the modifiable objects are confined to the MIB-II system group,
such as “sysContact,” “sysLocation,” and “sysName,” that do not affect the device’s normal
operation but that may cause confusion if modified unexpectedly. The remaining objects are
contained in the LAN-EMULATION-CLIENT and PNNI MIBs, and modification of those objects
may affect ATM configuration. An affected device might be vulnerable to a denial-of-service attack
if it is not protected against unauthorized use of the ILMI community string.
The vulnerability is only present in certain combinations of Cisco IOS releases on Cisco routers and
switches. ILMI is a necessary component for ATM, and the vulnerability is present in every
Cisco IOS Release that contains the supporting software for ATM and ILMI without regard to the
actual presence of an ATM interface or the physical ability of the device to support an ATM
connection.
To remove this vulnerability, Cisco is offering free software upgrades for all affected platforms. The
defect is documented in DDTS record CSCdp11863.
In lieu of a software upgrade, a workaround can be applied to certain Cisco IOS releases by
disabling the ILMI community or “*ilmi” view and applying an access list to prevent unauthorized
access to SNMP. Any affected system, regardless of software release, may be protected by filtering
SNMP traffic at a network perimeter or on individual devices.
This notice will be posted at:
http://www.cisco.com/warp/public/707/ios-snmp-ilmi-vuln-pub.shtml
(CSCdp11863)
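
The access-list part of the workaround above can be audited from saved configuration text. The following is an added example, not code from Cisco or from these release notes: the function name `audit_snmp_communities` and the sample configuration are constructed for illustration, and the check covers only `snmp-server community` lines that appear in the configuration text; it does not determine whether a release is affected.

```python
import re

# Constructed sample running-config fragment (not from the release notes).
SAMPLE_CONFIG = """\
access-list 66 permit 192.0.2.10
access-list 66 deny any
snmp-server community monitor-ro RO 66
snmp-server community manage-rw RW
snmp-server community legacy view sysview RO 77
"""

# snmp-server community <string> [view <name>] [ro|rw] [<access-list>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>ro|rw))?"
    r"(?: (?P<acl>\S+))?$",
    re.IGNORECASE,
)
ACL_RE = re.compile(
    r"^(?:access-list (?P<num>\d+) |ip access-list standard (?P<named>\S+))",
    re.IGNORECASE,
)


def audit_snmp_communities(config_text):
    """Return (community, mode, problem) for each community lacking a usable ACL."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    defined = set()
    for ln in lines:
        m = ACL_RE.match(ln)
        if m:
            defined.add(m.group("num") or m.group("named"))
    findings = []
    for ln in lines:
        m = COMMUNITY_RE.match(ln)
        if not m:
            continue
        mode = (m.group("mode") or "ro").lower()  # IOS default is read-only
        acl = m.group("acl")
        if acl is None:
            findings.append((m.group("name"), mode, "no access list applied"))
        elif acl not in defined:
            findings.append((m.group("name"), mode, f"access list {acl} not defined"))
    return findings


if __name__ == "__main__":
    print(audit_snmp_communities(SAMPLE_CONFIG))
```

Read-write communities reported by the audit deserve attention first, since the advisories above concern unauthorized modification as well as viewing.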