What is the impact in Spectrum of disabling MIBs on Cisco devices affected by the SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software?
The Cisco Security Advisory "SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software" states the following:
In addition, administrators can mitigate these vulnerabilities by disabling the following MIBs on a device:
ADSL-LINE-MIB
ALPS-MIB
CISCO-ADSL-DMT-LINE-MIB
CISCO-BSTUN-MIB
CISCO-MAC-AUTH-BYPASS-MIB
CISCO-SLB-EXT-MIB
CISCO-VOICE-DNIS-MIB
CISCO-VOICE-NUMBER-EXPANSION-MIB
TN3270E-RT-MIB
Disabling the above MIBs will have the following impact in Spectrum:

| MIB | OID | Impact on Spectrum |
| --- | --- | --- |
| snmpUsmMIB | 1.3.6.1.6.3.15 | No impact |
| snmpVacmMIB | 1.3.6.1.6.3.16 | Check Point Firewall Virtual Context functionality is impacted. Reference the "Certifying and supporting virtual systems within Check Point Firewall" section of the documentation located at https://docops.ca.com/ca-spectrum/10-2-1/en/managing-network/certifying-and-supporting-virtual-systems-within-check-point-firewall |
| snmpCommunityMIB | 1.3.6.1.6.3.18 | No impact |
| CISCO-TAP-MIB | 1.3.6.1.4.1.9.9.252 | No impact |
| adsltcmib | 1.3.6.1.2.1.10.94 | No impact |
| tn3270eRtMIB | 1.3.6.1.2.1.34.9 | No impact |
| ciscoBstunMIB | 1.3.6.1.4.1.9.9.35 | The stunPeerStateChangeNotification trap will not be sent by the device. |
| ciscoAlpsMIB | 1.3.6.1.4.1.9.9.95 | No impact |
| ciscoAdslDmtLineMIB | 1.3.6.1.4.1.9.9.130 | No impact |
| ciscoVoiceDnisMIB | 1.3.6.1.4.1.9.9.219 | The cvDnisMappingUrlInaccessible trap will not be sent by the device. |
| ciscoSlbExtMIB | 1.3.6.1.4.1.9.9.254 | The cslbxFtStateChange trap will not be sent by the device. |
| ciscoMabMIB | 1.3.6.1.4.1.9.9.654 | No impact |
| ciscoExperiment | 1.3.6.1.4.1.9.10 | No impact |

It is important to note that the same Cisco Security Advisory also states the following:
"Administrators are advised to allow only trusted users to have SNMP access on an affected system."
If Spectrum is considered a "trusted user", then there should be no need to disable these MIBs.
Additionally, the Cisco Security Advisory states that there are software updates to address these vulnerabilities, negating the reason for disabling these MIBs.
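
To check a device against the impact table above, the following added example (not code from CA or Cisco) reads an IOS configuration, finds subtrees excluded by `snmp-server view` entries, and reports which exclusions carry a Spectrum impact. It assumes the MIBs were disabled through excluded SNMP views; the view names, community string and sample configuration are constructed placeholders.

```python
import re

# Impact table transcribed from this article: MIB -> (OID, Spectrum impact or None).
IMPACT = {
    "snmpUsmMIB": ("1.3.6.1.6.3.15", None),
    "snmpVacmMIB": ("1.3.6.1.6.3.16", "Check Point Firewall Virtual Context functionality"),
    "snmpCommunityMIB": ("1.3.6.1.6.3.18", None),
    "CISCO-TAP-MIB": ("1.3.6.1.4.1.9.9.252", None),
    "adsltcmib": ("1.3.6.1.2.1.10.94", None),
    "tn3270eRtMIB": ("1.3.6.1.2.1.34.9", None),
    "ciscoBstunMIB": ("1.3.6.1.4.1.9.9.35", "stunPeerStateChangeNotification trap not sent"),
    "ciscoAlpsMIB": ("1.3.6.1.4.1.9.9.95", None),
    "ciscoAdslDmtLineMIB": ("1.3.6.1.4.1.9.9.130", None),
    "ciscoVoiceDnisMIB": ("1.3.6.1.4.1.9.9.219", "cvDnisMappingUrlInaccessible trap not sent"),
    "ciscoSlbExtMIB": ("1.3.6.1.4.1.9.9.254", "cslbxFtStateChange trap not sent"),
    "ciscoMabMIB": ("1.3.6.1.4.1.9.9.654", None),
    "ciscoExperiment": ("1.3.6.1.4.1.9.10", None),
}
VIEW_RE = re.compile(r"^[ \t]*snmp-server view (\S+) (\S+) excluded[ \t]*$", re.M)
USE_RE = re.compile(r"^[ \t]*snmp-server (?:community|group) .*$", re.M)

def covered(subtree):
    """Table MIBs hidden by one excluded subtree: matched by name, or by an OID at/above it."""
    sub = subtree.lstrip(".")
    return [m for m, (oid, _) in IMPACT.items()
            if m.lower() == sub.lower() or oid == sub or oid.startswith(sub + ".")]

def audit(config):
    """Return {view: {"applied": bool, "impacts": {mib: impact}}} for views with exclusions."""
    applied = {v for line in USE_RE.findall(config)  # views bound to a community or group
               for v in re.findall(r"\b(?:view|read|notify) (\S+)", line)}
    report = {}
    for view, subtree in VIEW_RE.findall(config):
        entry = report.setdefault(view, {"applied": view in applied, "impacts": {}})
        for mib in covered(subtree):
            if IMPACT[mib][1]:  # keep only rows the table marks as impacting Spectrum
                entry["impacts"][mib] = IMPACT[mib][1]
    return report

# Constructed sample configuration; names and community string are placeholders.
SAMPLE = """\
snmp-server view SPECTRUM_RO iso included
snmp-server view SPECTRUM_RO ciscoBstunMIB excluded
snmp-server view SPECTRUM_RO 1.3.6.1.4.1.9.9.254 excluded
snmp-server view UNUSED 1.3.6.1.6.3 excluded
snmp-server community EXAMPLE-COMMUNITY view SPECTRUM_RO RO
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A view reported with `applied: False` is defined but not bound to any community or group, so its exclusions do not change what Spectrum can read or receive.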