
The network device must only allow SNMP read-only access.


Overview

Finding ID: V-3969
Version: NET0894
Rule ID: SV-30086r3_rule
IA Controls: ECSC-1
Severity: Medium
Description
Enabling write access to the device via SNMP provides a mechanism that can be exploited by an attacker to set configuration variables that can disrupt network operations.
STIG: Layer 2 Switch Security Technical Implementation Guide - Cisco
Date: 2019-01-09

Details

Check Text ( C-12800r7_chk )
Review the network device configuration and verify that SNMP access is read-only when using SNMPv1, v2c, or SNMPv3 in noAuthNoPriv mode (no authentication or privacy). Write access may be used with SNMPv3 only when authentication is configured.

If write access is used for SNMPv1, v2c, or SNMPv3 in noAuthNoPriv mode and there is no documented approval by the IAO, this is a finding.

SNMP v1/v2c Configuration Example

In the example below, the RO community c0macc3ss is compliant. The RW community R34dWr1t3 is a finding unless its use is documented and approved by the IAO; the ACL limits which stations may use it but does not change that, because SNMPv1/v2c community strings are sent in cleartext. The trap destinations use the RO community, since a v1/v2c trap carries its community string in cleartext as well.

Device# show run
!
ip access-list standard NMS_LIST
permit 10.1.1.22
permit 10.1.1.24
!
snmp-server community c0macc3ss RO NMS_LIST
snmp-server community R34dWr1t3 RW NMS_LIST
snmp-server location Somewhere USA
snmp-server contact snmp.admin@snmp.mil
snmp-server enable traps
snmp-server host 10.1.1.22 traps version 1 c0macc3ss
snmp-server host 10.1.1.24 traps version 2c c0macc3ss


SNMP v3 Configuration Example

The example ACLs NMS_LIST and ADMIN_LIST define which network management stations and administrator (user) desktops can access the device. Examine all group statements to determine which groups are allowed write access. Have the administrator enter the "show snmp user" command and examine all users in those groups to verify that they must be authenticated.

Device# show run
!
ip access-list standard ADMIN_LIST
permit 10.1.1.35
permit 10.1.1.36
ip access-list standard NMS_LIST
permit 10.1.1.24
permit 10.1.1.22
permit 10.1.1.23
!
snmp-server group NOC v3 priv read VIEW_ALL write VIEW_LIMIT access NMS_LIST
snmp-server group TRAP_GROUP v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server group ADMIN_GROUP v3 priv read VIEW_ALL write VIEW_ALL access ADMIN_LIST
snmp-server view VIEW_ALL internet included
snmp-server view VIEW_LIMIT internet included
snmp-server view VIEW_LIMIT internet.6.3.15 excluded
snmp-server view VIEW_LIMIT internet.6.3.16 excluded
snmp-server view VIEW_LIMIT internet.6.3.18 excluded
snmp-server enable traps snmp linkdown linkup
snmp-server host 10.1.1.24 version 3 priv TRAP_NMS1

Note: For the configured group TRAP_GROUP, the notify view is auto-generated by the snmp-server host command, which binds the user (TRAP_NMS1) and the group it belongs to (TRAP_GROUP) to the list of notifications (traps or informs) sent to that host. Hence, configuring snmp-server group TRAP_GROUP v3 priv results in the following line in the running configuration:
snmp-server group TRAP_GROUP v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

Note: Also, for illustration purposes only, VIEW_LIMIT excludes MIB objects that could reveal information about configured SNMP credentials. These objects are snmpUsmMIB, snmpVacmMIB, and snmpCommunityMIB, which correspond to 1.3.6.1.6.3.15, 1.3.6.1.6.3.16, and 1.3.6.1.6.3.18 respectively (internet in the view statements above is 1.3.6.1).


SNMPv3 users are not shown in the running configuration; view them with the "show snmp user" command. For example, if the following users were configured:

snmp-server user HP_OV NOC v3 auth sha HPOVpswd priv aes 256 HPOVsecretkey
snmp-server user Admin1 ADMIN_GROUP v3 auth sha Admin1PW priv aes 256 Admin1key
snmp-server user Admin2 ADMIN_GROUP v3 auth md5 Admin2pass priv 3des Admin2key
snmp-server user TRAP_NMS1 TRAP_GROUP v3 auth sha trap_nms1_pw priv aes 256 trap_nms1_key

The show snmp user command would depict the configured users as follows:

Device#show snmp user

User name: HP_OV
Engine ID: AB12CD34EF56
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: NOC

User name: Admin1
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: ADMIN_GROUP

User name: Admin2
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: 3DES
Group-name: ADMIN_GROUP

User name: TRAP_NMS1
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: TRAP_GROUP
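The check above is manual: read the configuration for RW communities and write-capable groups, then confirm with show snmp user that every user in those groups is authenticated. The following Python script, an added example that is not part of the STIG or of any vendor tool, repeats that reading over saved show running-config and show snmp user output so it can be run across many switches. It also flags v1/v2c groups that carry a write view, which the check implies but does not spell out. The sample inputs are constructed from a subset of the examples above, with one non-compliant group (LEGACY, v3 noauth) and one user (Poller, created without auth) added to show how each is reported; the approved parameter, modelling documented IAO approval, is this example's own convention.

```python
"""NET0894 audit of Cisco IOS SNMP write access (added example, not STIG text).
Parses saved 'show running-config' and 'show snmp user' output and reports
every write-capable SNMP principal that is not protected by v3 authentication."""
import re

# 'snmp-server community <string> [view <name>] RO|RW [acl]'
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?\s+(RO|RW)\b", re.M | re.I)
# 'snmp-server group <name> v1|v2c|v3 [noauth|auth|priv] <rest of line>'
GROUP_RE = re.compile(
    r"^snmp-server group (\S+) (v1|v2c|v3)(?: (noauth|auth|priv))?(.*)$", re.M)

# Constructed sample: the SNMPv1/v2c example above, then the same lines with
# the RW community removed as the fix text requires.
V2C_CONFIG = """\
snmp-server community c0macc3ss RO NMS_LIST
snmp-server community R34dWr1t3 RW NMS_LIST
"""
V2C_CONFIG_FIXED = V2C_CONFIG.replace("snmp-server community R34dWr1t3 RW NMS_LIST\n", "")

# Constructed sample: the SNMPv3 example above plus a non-compliant noauth
# group (LEGACY) and a user (Poller) that was created without 'auth'.
V3_CONFIG = """\
snmp-server group NOC v3 priv read VIEW_ALL write VIEW_LIMIT access NMS_LIST
snmp-server group TRAP_GROUP v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server group ADMIN_GROUP v3 priv read VIEW_ALL write VIEW_ALL access ADMIN_LIST
snmp-server group LEGACY v3 noauth read VIEW_ALL write VIEW_ALL
snmp-server host 10.1.1.24 version 3 priv TRAP_NMS1
"""
V3_SHOW_SNMP_USER = """\
User name: HP_OV
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: NOC

User name: Poller
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: None
Privacy Protocol: None
Group-name: NOC
"""


def parse_show_snmp_user(text):
    """One dict per user, keyed by lower-cased field name ('user name', ...)."""
    users = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                record[key.strip().lower()] = value.strip()
        if "user name" in record:
            users.append(record)
    return users


def audit_snmp(running_config, show_snmp_user="", approved=()):
    """Return the NET0894 findings for one device. 'approved' (this example's
    own convention) names communities/groups with documented IAO approval."""
    findings = []
    # v1/v2c: any RW community is a finding; the ACL does not change that,
    # since the community string travels in cleartext.
    for name, mode in COMMUNITY_RE.findall(running_config):
        if mode.upper() == "RW" and name not in approved:
            findings.append(f"community {name!r} grants RW access over SNMPv1/v2c")
    # Groups: a write view is a finding unless the group is v3 auth or priv.
    write_groups = {}
    for name, version, level, rest in GROUP_RE.findall(running_config):
        if name in approved or not re.search(r"\bwrite \S+", rest):
            continue
        if version != "v3" or level == "noauth":
            security = f"{version} {level}".strip()
            findings.append(f"group {name!r} grants write access without authentication ({security})")
        else:
            write_groups[name] = level
    # Users: members of an authenticated write group must themselves carry an
    # authentication protocol, which only 'show snmp user' reveals.
    for user in parse_show_snmp_user(show_snmp_user):
        group, auth = user.get("group-name"), user.get("authentication protocol", "None")
        if group in write_groups and auth.lower() == "none":
            findings.append(f"user {user['user name']!r} in write group {group!r} has no authentication protocol")
    return findings


if __name__ == "__main__":
    print("v1/v2c:", audit_snmp(V2C_CONFIG))
    print("v1/v2c fixed:", audit_snmp(V2C_CONFIG_FIXED))
    print("v3:", audit_snmp(V3_CONFIG, V3_SHOW_SNMP_USER))
```

Run it as a script to see the three results, or import audit_snmp and feed it text captured from each switch. A user whose group is already noauth is not reported a second time, because the group itself is the finding. Users authenticating with MD5 satisfy this particular rule, which asks only that authentication be present; the script does not judge algorithm strength.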

Fix Text (F-3902r7_fix)
Configure the network device to allow only read-only SNMP access when using SNMPv1, v2c, or SNMPv3 in noAuthNoPriv mode (no authentication or privacy). Write access may be used only with SNMPv3 when authentication is configured. On Cisco IOS this means removing any RW community (no snmp-server community <string> RW ...) and defining every v3 group that has a write view with the auth or priv security level.