What is the impact in Spectrum of disabling mibs on Cisco devices affected by the SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software

book

Article ID: 15966

calendar_today

Updated On:

Products

CA Spectrum

Issue/Introduction



What is the impact in Spectrum of disabling mibs on Cisco devices affected by the SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software?

 

 

Environment

Release: a7n0c000000PBNr
Component:

Resolution

The SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software  Cisco Security Advisory states the following:

In addition, administrators can mitigate these vulnerabilities by disabling the following MIBs on a device:

ADSL-LINE-MIB

ALPS-MIB

CISCO-ADSL-DMT-LINE-MIB

CISCO-BSTUN-MIB

CISCO-MAC-AUTH-BYPASS-MIB

CISCO-SLB-EXT-MIB

CISCO-VOICE-DNIS-MIB

CISCO-VOICE-NUMBER-EXPANSION-MIB

TN3270E-RT-MIB

 

Disabling the above mibs will have the following impact in Spectrum:

MIBOIDImpact on Spectrum
snmpUsmMIB 1.3.6.1.6.3.15No impact
snmpVacmMIB 1.3.6.1.6.3.16Checkpoint Firewall Virtual Context functionality is impacted . Reference the "Certifying and supporting virtual systems within Check Point Firewall" section of the documentation located at https://docops.ca.com/ca-spectrum/10-2-1/en/managing-network/certifying-and-supporting-virtual-systems-within-check-point-firewall 
snmpCommunityMIB 1.3.6.1.6.3.18No impact
CISCO-TAP-MIB1.3.6.1.4.1.9.9.252No impact
adsltcmib 1.3.6.1.2.1.10.94No impact
tn3270eRtMIB 1.3.6.1.2.1.34.9No impact
ciscoBstunMIB1.3.6.1.4.1.9.9.35The stunPeerStateChangeNotification trap will not be sent by the device.
ciscoAlpsMIB 1.3.6.1.4.1.9.9.95No impact
ciscoAdslDmtLineMIB 1.3.6.1.4.1.9.9.130No impact
ciscoVoiceDnisMIB 1.3.6.1.4.1.9.9.219The cvDnisMappingUrlInaccessible trap will not be sent by the device.
ciscoSlbExtMIB 1.3.6.1.4.1.9.9.254The cslbxFtStateChange trap will not be sent by the device.
ciscoMabMIB 1.3.6.1.4.1.9.9.654 No impact
ciscoExperiment 1.3.6.1.4.1.9.10No impact

Additional Information

It is important to note the SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software  Cisco Security Advisory states the following:

"Administrators are advised to allow only trusted users to have SNMP access on an affected system."

If Spectrum is considered a "trusted user" then there should be no need to disable these mibs.

 

Additionally, the SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software  Cisco Security Advisory states there are software updates to address these vulnerabilities negating the reason for disabling these mibs.