SNMP Vulnerability

Similar Messages

• SNMP Vulnerability with master_peer

  I understand that the SNMP vulnerability problem with master_peer can cause DoS and allow the possibility of arbitrary code being executed. Is this correct?
  (The Oracle Security Alert document, see url below, does not mention the "arbitrary code being executed" problem.)
  In addition, is any risk to the database itself or is this isolated to the SNMP monitoring only? That is will a DoS attack on master_peer impact the database in any way.
  Security Alert: http://otn.oracle.com/deploy/security/pdf/snmp_2002_alert.pdf

  Hi,
  Iplanet does not support for it's products being installed on linux or snmp for linux.

• Prob installing snmpdx patch on 2.6

  Anyone know why I'd be getting this message when I try to install patch 106787-17 (snmp vulnerability)?
  Checking installed patches...
  One or more patch packages included in
  106787-17 are not installed on this system.
  I did a pkginfo -il on all the packages in the directory and they are (4 of them) installed.

  Anyone know why I'd be getting this message when I try
  to install patch 106787-17 (snmp vulnerability)?
  Checking installed patches...
  One or more patch packages included in
  106787-17 are not installed on this system.
  I did a pkginfo -il on all the packages in the
  directory and they are (4 of them) installed.I had the same problems when I tried to install the patch on our E250's running 2.6 and 2.7,
  Solaris 8 was no problem. I cehcked (like you did) that I had indeed all the packages installed.
  I was however in the lucky situation that I could just disable SNMP as it was not doing anything useful...
  I think if you look in the patch that you could perhaps just replace the files manually and then restart the service. (I guess it's a good idea to try on only one host first;)
  Good luck,
  Thomas

• Multiple SNMP strings on Pix-501

  Does the pix-501 support multiple SNMP communities?  Im trying to add a second one, but the original community string gets removed when I add the new one.  If we can have multiple SNMP hosts, then I woud imagine you could have multiple strings. I thought it was like most switches and routers, which can have the following:
  snmp-server community STRING1
  snmp-server community STRING2
  The Pix-501 is currently running on version 6.3(5).

  Hi Bro
  You can’t possible compare Cisco IOS Routers and Switches with Cisco Firewalls. They are both different types of product, with totally different behaviors and purposes.
  This is a Cisco FWSM/PIX/ASA Firewall limitation. You can only define one snmp community string, and that too has to be RO, and NOT RW. Perhaps, this Cisco URL link may shed some light on your query http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20031215-pix
  There’s a reason to why Cisco Firewalls don’t support RW. RW is used generally, by network management tools such as Cisco Security Manager, Cisco MARS, CiscoWorks etc. to push configurations, IOS etc. to Cisco products in large masses. In fact, RW can also be used as a mitigation approach. Cisco Firewalls being a defensive product by nature, will not allow this to occur. There could be a possibility of un-stealth-ing the product. Hence, only RO is available. Mitigation approach in Cisco Firewalls can always be done through telnet/ssh, if needed.
  Note: Perhaps, it doesn't make sense to use a vulnerable/non-secure protocol such as SNMP to manage a security appliance, unless SNMP v3 is introduced.
  P/S: If you think this comment is useful, please do rate them nicely :-) and select the option "THIS QUESTION IS ANSWERED"

• Ports (vulnerability scan)

  I ran a vulnerability scan on a 2960 switch and some "ports" (I don't even know if this is the right way to call them) showed being open or that needed to be reviewed. I really need to know what they are and if I need to keep them or need to get rid of them. How do you disable "ports" (I am not talking about the actual ports on the switch ex. gig1/0/1) on a cisco switch? The ports are 4786 tcp, 67 udp, 161 udp, 162 udp, 1975 udp, 2228 udp, and 49688 udp.

  udp/67 is bootp (used by DHCP). The switch listens on that port if it is either a DHCP server itself or is setup to provide "ip helper" service which is used to translate local segment end users broadcasts to a unicast packet which is then forwarded to your DHCP server elsewhere.
  udp 161 and 162 are used by SNMP. Best practice has SNMP restricted to SNMP v3 (with authentication and privacy or encryption) and an access-list applied to define your permitted SNMP servers.
  The high numbered ports are usually a sign that the device (or a user session on it) is logged into something remotely and that's the random port is selected from the >1024 range (sometimes known as "ephemeral" ports since they come and go somewhat at random) to use as its source port. As long as the session is open, the devices will be "listening" on that port for replies.
  Good link for port number reference.

• Is java vulnerable in safari 5.1? I have a macbook using 10.6.8

  I am worried about the java vulnerability.  I need it to pay bills on my banks website.  is java vulnerable in safari 5.1.  I am using a macbook with os 10.6.8

  The recently discovered zero-day flaw in Java 7 is so serious that the U.S. Department of Homeland Security has warned users to disable or uninstall it, and Apple has disabled the Java 7 plugin on Macs through its OS X anti-malware system, in order to protect users from a potentially serious security issue.
  You should disable Java (if not already done) until either the US Department of Homeland Security, or Oracle, declare it safe and Apple restore the facility. Oracle have released an update said to fix the security flaw, available from here:
  http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.h tml
  Javascript should not be disabled (it has nothing to do with Java), and is probably what your bank is using.

• SNMP ifindex in Solaris 10

  Can anyone tell me how I can nail down the SNMP ifmib ifindex table on a Solaris 10 server? Every time the server guys add a subintderface, I have to reconfigure my PRTG and Spectrum models, and it's getting tedious. I cannot believe there is no way to nail down e1000g0=#2, e1000g1=#3, etc.
  Thanks in advance.
  Kevin Dorrell
  Luxembourg

  it should be possible to define the "index" in each /etc/hostname. file
  I have never done this, but when the system boots it reads the content of these files and passes them to "ifconfig" to configure the NICs
  search this page for "index":
  http://docs.oracle.com/cd/E19253-01/816-5166/ifconfig-1m/index.html

• Shellshock Vulnerability

  Are any of the Adobe Creative Cloud services vulnerable to the Bash / Shellshock bug?

  The Cisco PSIRT is investigating the impact of this vulnerability on Cisco products and will disclose any vulnerabilities according to our security policy, which is available at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html .
  An INTERIM Cisco Security Advisory was published on September 25th, 2014 and is available at the following URL:
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
  The Cisco PSIRT will update this Cisco Security Advisory as more information becomes available.

• Are we really vulnerable for plugins?

  Are we really vulnerable... or is the admonition to perform updates a catchall for out-of-date plugins? What I mean is, do these plugins really miss a new vulnerability every other week, or is the term "vulnerable" used to mean that there is a newer release available and you should just update it later, because maybe this release fixed something.
  I really want to know when cyber creeps have unleashed a new round of havoc via bad code in the plugins. However, I don't have the time to chase updates in Acroread or Java every week. Besides, after every series of updates, I always need to open up Microsoft Autoruns and disable their self-installed processes to call home and check versions whenever I boot up. I'm sorry, but any updating will be done by me when I'm not late for something at work. I can't say how many times my computer is stalled checking for new versions (and downloading and installing them while I'm trying to do accomplish something!)
  So if these vulnerabilities are just a reflection of there being a new version available, I'll research and weigh my options for the day and just avoid vulnerable sites for a couple weeks (that's a joke - I always avoid vulnerable sites and have never gotten a virus). However, if these really mean that bad guys are actively deploying malware, I'll take them more seriously. I know how to manage the risks if I know what this message means.
  One might wonder why plugins to display images and documents would be so vulnerable anyways. Is there really code in them that says "ok, the document is displayed, is there anything else the server side would like us to run on the client PC?" :) Looking at the recent Apple QT versions, they're not clear if the "arbitrary code" that gets run is that the PC will continue to execute random stuff in memory (which is more likely to lead to a crash) or if it's code placed in the image that will get executed.
  Thanks in advance for clarifying...

  hello, yes the updates from adobe and oracle for its plugins contain fixes for discovered vulnerabilities regularly. this should not be taken lightly since outdated plugins are the #1 infection vector for malware on the web nowadays...
  ''edit: you also might not be safe by just visiting known & "trusted" sites, since also ad-networks or content delivery networks might get hacked and used for the spreading of malware.''
  http://www.adobe.com/support/security/
  <br>http://www.oracle.com/technetwork/topics/security/alerts-086861.html

• I'm having trouble with something that redirects Google search results when I use Firefox on my PC. It's called the 'going on earth' virus. Do you have a fix that could rectify the vulnerability in your software?

  I'm having trouble with a virus or something which affects Google search results when I use Firefox on my PC ...
  When I search a topic gives me pages of links as normal, but when I click on a link, the page is hijacked to a site called 'www.goingonearth.com' ...
  I've done a separate search and found that other users are affected, but there doesn't seem to be a clear-cut solution ... (Norton, McAfee and Kaspersky don't seem to be able to detect/fix it).
  I'd like to continue using the Firefox/Google combination (nb: the hijack virus also affects IE but not Safari) - do you have a patch/fix that could rectify the vulnerability in your software?
  thanks

  ''' "... vulnerability in your software?" ''' <br />
  And it affects IE, too? Ya probably picked up some malware and you blame it on Firefox.
  Install, update, and run these programs in this order. They are listed in order of efficacy.<br />'''''(Not all programs detect the same Malware, so you may need to run them all to solve your problem.)''''' <br />These programs are all free for personal use, but some have limited functionality in the "free mode" - but those are features you really don't need to find and remove the problem that you have.<br />
  ''Note: If your Malware infection is bad enough and you are mis-directed to URL's other than what is posted, you may have to use a different PC to download these programs and use a USB stick to transfer them to the afflicted PC.''
  Malwarebytes' Anti-Malware - [http://www.malwarebytes.org/mbam.php] <br />
  SuperAntispyware - [http://www.superantispyware.com/] <br />
  AdAware - [http://www.lavasoftusa.com/software/adaware/] <br />
  Spybot Search & Destroy - [http://www.safer-networking.org/en/index.html] <br />
  Windows Defender: Home Page - [http://www.microsoft.com/windows/products/winfamily/defender/default.mspx]<br />
  Also, if you have a search engine re-direct problem, see this:<br />
  http://deletemalware.blogspot.com/2010/02/remove-google-redirect-virus.html
  If these don't find it or can't clear it, post in one of these forums for specialized malware removal help: <br />
  [http://www.spywarewarrior.com/index.php] <br />
  [http://forum.aumha.org/] <br />
  [http://www.spywareinfoforum.com/] <br />
  [http://bleepingcomputer.com]

• Can't Ping or access via SNMP Inside interface of 5505

  I have a remote site I'm trying to setup monitoring on and I can't get the inside interface to respond to a ping or SNMP requests.  I have tried everything I can find in the forums and on the web but this location will not cooperate.  I have full access to the ASA and to the inside network behind it.  IPSEC VPN tunnel is working perfectly.  I see the ping requests in the log on the ASA.  I turned on ICMP debugging and only see the echo request.. never an echo reply.  Below is a partial configuration.  If you need any more information, let me know.
  names
  name 192.168.0.0 Domain
  name 1.1.1.2 MCCC_Outside
  name 172.31.10.0 VLAN10
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.23.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 1.1.1.1 255.255.255.0
  boot system disk0:/asa847-k8.bin
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  dns server-group DefaultDNS
   domain-name mtcomp.org
  object network obj-192.168.23.0
   subnet 192.168.23.0 255.255.255.0
  object network Domain
   subnet 192.168.0.0 255.255.0.0
  object network 172.31.0.0
   subnet 172.31.0.0 255.255.0.0
  access-list outside_1_cryptomap extended permit ip 192.168.23.0 255.255.255.0 any
  access-list outside_1_cryptomap extended permit ip 192.168.23.0 255.255.255.0 object Domain
  access-list inside_nat0_outbound extended permit ip 192.168.23.0 255.255.255.0 192.168.1.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.23.0 255.255.255.0 object Domain
  access-list Outside_NAT0_inbound extended permit ip object Domain 192.168.23.0 255.255.255.0
  access-list inside_access_in extended permit ip 192.168.23.0 255.255.255.0 any
  access-list inside_access_in extended permit ip any 192.168.23.0 255.255.255.0 inactive
  no pager
  logging enable
  logging timestamp
  logging buffered debugging
  logging trap informational
  logging asdm informational
  logging device-id hostname
  logging host inside 192.168.x.x 17/1514
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,any) source static obj-192.168.23.0 obj-192.168.23.0 destination static Domain Domain no-proxy-arp route-lookup
  route outside MCCC_Outside 255.255.255.255 1.1.1.1 1
  route outside 172.31.0.0 255.255.0.0 192.168.1.1 1
  route outside VLAN10 255.255.255.0 MCCC_Outside 1
  route outside Domain 255.255.0.0 192.168.1.1 1
  route outside 192.168.1.0 255.255.255.0 MCCC_Outside 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication enable console LOCAL
  http server enable
  http 192.168.1.81 255.255.255.255 inside
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.23.0 255.255.255.0 inside
  snmp-server host inside 172.x.x.x community ***** version 2c
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group1
  crypto map outside_map 1 set peer MCCC_Outside
  crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
  crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map interface outside
  management-access inside
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
    inspect icmp
  policy-map global-policy
  service-policy global_policy global
  prompt hostname context

  Hi,
  First of all let me clarify your trial.
  Where is your monitoring server?
  Is it behind inside or outside interface (please share ip adress)?
  From config it seems, it can be reach via outside interface. Then you have to make snmp check on outside interface, not on inside (cannot make a snmp/ping check on inside interface with request comming through outside inteface - it simply won't work).
  From the first check of routing table, I would suggest:
  delete : route outside MCCC_Outside 255.255.255.255 1.1.1.1 1 - doesn't make a sense route host address, when it's directly connected network (and more, route 1.1.1.2 to 1.1.1.1, when 1.1.1.1 is vlan2 interface)
  change : route outside 172.31.0.0 255.255.0.0 192.168.1.1 1; route outside Domain 255.255.0.0 192.168.1.1 1 - you should consider route it to 1.1.1.2 (if this is your next hop address at WAN).
  route outside VLAN10 255.255.255.0 MCCC_Outside 1 - why?
  I would use default route to somewhere at 1.1.1.0/24 range - next hop (router).
  HTH,
  Pavel

• I am trying to build a basic TCL skeleton script that reads a remote SNMP OID and displays the value on the screen.

  I am trying to build a basic TCL skeleton script that reads a remote SNMP OID and displays the value on the screen.
  I don't want it to be an EEM Event, I just want to run it from the (tcl)# prompt.
  So I guess I'm asking if you can use cli_exec and other commands in the "namespace import ::cisco::eem::*" in a normal non-EEM script - can I do that?
  This is the error I get:
  OTN.159(tcl)#source flash:TCL_SNMP_Remote_Read.tcl
  invalid command name "::cisco::eem::event_register_none"             ^
  % Invalid input detected at '^' marker.
  What am I missing?
  =================  TCL_SNMP_Remote_Read.tcl  ==============================
  ::cisco::eem::event_register_none
  namespace import ::cisco::eem::*
  namespace import ::cisco::lib::*
  if [catch {cli_open} RESULT]
      { error $RESULT $errorInfo }
      else { array set cli1 $RESULT }
  if [catch {cli_exec $cli1(fd) "snmp get v2c 192.168.1.100 public timeout 1 oid 1.3.6.1.2.1.1.1.0" } RESULT]
         { error $RESULT $errorInfo  }
         else { set SnmpSysDesc $RESULT }
  if [catch {cli_close $cli1(fd) $cli1(tty_id)} RESULT] {
              error $RESULT $errorInfo
  puts $SnmpSysDesc
  =========================================================================
  In the sho-run config I have:
  event manager directory user policy "flash:/"
  event manager session cli username "cisco"
  Any help to get me started would be greatly appreciated!
  Tim

  If you don't want an EEM policy, then don't use any of the EEM constructs.  Instead, all you need is this:
  set output [exec "snmp get v2c 192.168.1.100 public timeout 1 oid 1.3.6.1.2.1.1.1.0"]puts $output

• Interface errors (crc, in/output, collisions etc.) via snmp

  Hi,
  I'm trying to understand how to get interface errors via SNMP.  I do get stats via SNMP for ifInErrors / ifOutErrors etc, but I'm trying to get output via SNMP for the errors visible via the 'sh int x' command - CRC errors, input / output errors, collisions, runts. giants etc.).
  1) The SNMP ifInError / ifOutError seems to give an overall counter of all errors from the time the device has started - Am I correct about this?
  2) Is there any way I can get the interface-specific errors noted above via SNMP?
  Thanks,
  Mario

  Depends on the device and version of code, but most likely you will get what you want from the CISCO-IF-EXTENSION-MIB.  Look at objects like cieIfInRuntsErrs, cieIfInGiantsErrs, and cieIfInFramingErrs.  You will also get some ethernet-specific errors from the ETHERLIKE-MIB.

• Bug report: vpn (ipsec) interface number in snmp always change

  Hi,
  this is a bug report for RV082 hardware version 3 and 4, firmware version 1.x, 2.x and 4.x (all latest versions). I hope someone from cisco/belkin reads it.
  Summary:
  The snmp interface number of a VPN Tunnel change when the VPN tunnel disconnect and then re-connects.
  What should happend:
  The VPN Tunnel number 1, should always have the same snmp interface number. In RV082 v4, this number should always be 10. For example, the LAN, WAN1 and WAN2 always have the same snmp interface number.
  What is the problem:
  The VPN Tunnel number 1 change the snmp interface number, from 10, to 11, to 12, etc.
  How to reproduce:
  create a VPN Tunnel using 2 RV082 or 1 RV082 and 1 RV042. Once the VPN Tunnel is connected write down the snmp interface number. A few days later, disconnect the cable of block internet access. Then restore the internet conection and write down the snmp interface number, you should note that the snmp interface number have changed.
  Tools used:
  PRTG Network Monitor
  Please take a look at the attached image, note all the "ppp" interfaces, theres only 1 VPN Tunnel (gateway-to-gateway) defined.

  Hi Tom,
  many thanks for your reply.
  I see that I have to call Tech-support, in order to report a very technical situation, explaining them this is a bug report and I want them to make a better product.
  Since I won't pay a dime for this problem to be fixed, I can only see pain in this path(calling to speak with a tech support representative).
  I also readed that Belkin has bought Linksys, so I don't know if the RV082 will remain with Cisco or will go with Belkin.
  So, my only hope is to document this bug, that is pressent inall firmware version and hardware version of the RV082 as of today.
  many thanks for your help,
  regards,
  Oliver

• Questions on Receiving SNMP Traps

  Hi:
  - I have more questions on receiving SNMP traps:
  1) the OEM plug-in can receive traps now, but when I click the metric, I see:
  Error getting data for target test20. Exception: ORA-20216: ORA-06512: at "SYSMAN.EMD_MNTR", line 817 ORA-01403: no data found ORA-06512: at line 1
  - the push descriptor looks like:
  <PushDescriptor RECVLET_ID="SNMPTrap">
  <Property NAME="MatchEnterprise" SCOPE="GLOBAL">...</Property>
  <Property NAME="MatchGenericTrap" SCOPE="GLOBAL">6</Property> <Property NAME="MatchSpecificTrap" SCOPE="GLOBAL">31</Property> <Property NAME="MatchAgentAddr" SCOPE="INSTANCE">target_ip</Property>
  <Property NAME="EventsnChasFanIndexOID" SCOPE="GLOBAL">...</Property>
  <Property NAME="ContextsnChasFanDescriptionOID" SCOPE="GLOBAL">...</Property>
  <Property NAME="SeverityCode" SCOPE="GLOBAL">WARNING</Property>
  </PushDescriptor>
  - is the Key Property needed ?
  2) The alerts for some reason do not filter back to the all targets home page.
  - When I click the Home tab and goto to the 'All Targets' pane, I do not see the alert generated by the OEM plug-in.
  - What I am doing wrong ?
  3) Is it okay to receive traps with the metric usage set to either: HIDDEN or HIDDEN_COLLECT ?
  - Does this cause the errors I see in Q 1) ?
  Thanks
  John
  Edited by: user8826739 on Feb 23, 2010 7:05 AM

  Hi John,
  Can you post the full definition of the metric? You would need to use the Key property for each key column in the metric description.
  With the SNMP receivelet you can set up definitons for data points or alerts. I would assume (as I've never tried this ;) that if you set up the definition to be a data point, you would see data from the All Metrics page. To me, it wouldn't make sense for a metric that used the PushDescriptor SNMPTrap to have data to be viewed as the result of the SNMP trap coming is would be an alert. I will have to look into that. My gut reaction is that a metric with PushDescriptor SNMPTrap shouldn't even appear on the All Metrics page ...
  To be clear are you saying that you don't see the Warning number under "All Targets Alerts" increase by 1 when you SNMP trap is caught and alert is generated? When this occurs do you see the alert on the target instance homepage?
  In regards to HIDDEN and HIDDEN_COLLECT, I don't know what effect they would have on a metric defined for an SNMP trap to raise an alert. You definitely wouldn't want to use HIDDEN as this setting is for temporary metrics that are used in the caclulation of other metrics. HIDDEN metrics are not collected (or hence uploaded to the OMS) and don't appear in the UI. HIDDEN_COLLECT are collected, but do not show up in the UI and are not uploaded. I've never used this settings with SNMP trap metrics that are for alerts. If your metrics for the SNMP trap alerts do show up on the All Metrics page (I'd have to get something set up to look at this), then it could make sense to use the HIDDEN_COLLECT as the alert would still be generated, but the metric itself wouldn't be shown in the UI.
  Let me find out the expected behavior from someone on the agent team.
  Dave