[rancid] Re: Retrieving cisco configuration using SNMP+TFTP

Saku Ytti saku+rancid at ytti.fi
Fri Jun 30 17:40:55 UTC 2006

On (2006-06-28 22:19 -0500), Kevin wrote:
> By using Cisco's "snmp-server view", the community string can only do
> one thing -- trigger a "write net".  And with "snmp-server
> tftp-server-list", the destination of the write net command can also
> be locked down.

However this only bites to tftp, not to ftp and rcp which are also
supported by CISCO-COPY-CONFIG-MIB. So if you're not doing vigorous
antispoofing and attacker knows your community, attacker 
can pull/push config using spoofed requests.
This appears to be old bug 'CSCdu32036', but it's also present
in as late IOS' as 12.4T, so I'm not confident if cisco
found correct bug for it.

You can workaround this with, in my order of preference
 a) vigorous antispoofing
 b) CoPP
 c) rACL
 d) ACL in interfaces.

> This solution gives me much more confidence in the security of the
> design than if I were to use "clogin".  Compromise the machine on
> which the script runs, and you still don't automatically own the Cisco
> routers -- all you can do to the router for which you have a community
> is have it send the configuration to the server, you can't even
> exploit this to TFTP the configuration to an unapproved destination!

I'd say never ever run SNMP RW without SNMPv3. At least rancid is
using TCP in most all scecnarios.


More information about the Rancid-discuss mailing list