Cisco IOS XR Software SNMP Management Plane Protection ACL Bypass Vulnerability

A vulnerability in the Local Packet Transport Services (LPTS) programming of SNMP with the management plane protection feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to connect to the SNMP server of an affected device even though management plane protection is configured to deny that access.

This vulnerability is due to incorrect LPTS programming when using SNMP with management plane protection. An attacker could exploit this vulnerability by connecting to an affected device using SNMP. A successful exploit could allow the attacker to connect to the device on the configured SNMP ports. Valid credentials are required to execute any of the SNMP requests.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-7MKrW7Nq

Security Impact Rating: Medium

CVE: CVE-2021-1243


Cisco Firepower Threat Defense Software SNMP Denial of Service Vulnerability

A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to restart unexpectedly.

The vulnerability is due to a lack of sufficient memory management protections under heavy SNMP polling loads. An attacker could exploit this vulnerability by sending a high rate of SNMP requests to the SNMP daemon through the management interface on an affected device. A successful exploit could allow the attacker to cause the SNMP daemon process to consume a large amount of system memory over time, which could then lead to an unexpected device restart, causing a denial of service (DoS) condition.

This vulnerability affects all versions of SNMP.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-snmp-dos-R8ENPbOs

This advisory is part of the October 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 17 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: October 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2020-3533


Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family SNMP Trap Denial of Service Vulnerability

A vulnerability in Simple Network Management Protocol (SNMP) trap generation for wireless clients of the Cisco IOS XE Wireless Controller Software for the Cisco Catalyst 9000 Family could allow an unauthenticated, adjacent attacker to cause the device to unexpectedly reload, causing a denial of service (DoS) condition on an affected device. 

The vulnerability is due to the lack of input validation of the information used to generate an SNMP trap in relation to a wireless client connection. An attacker could exploit this vulnerability by sending an 802.1x packet with crafted parameters during the wireless authentication setup phase of a connection. A successful exploit could allow the attacker to cause the device to reload, causing a DoS condition.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-ewlc-snmp-dos-wNkedg9K

This advisory is part of the September 24, 2020, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 25 Cisco Security Advisories that describe 34 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: September 2020 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2020-3390

Cisco IOS and IOS XE Software Simple Network Management Protocol Denial of Service Vulnerability

A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software on Catalyst 4500 Series Switches could allow an authenticated, remote attacker to cause a denial of service (DoS) condition.

The vulnerability is due to insufficient input validation when the software processes specific SNMP object identifiers. An attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

Note: To exploit this vulnerability by using SNMPv2c or earlier, the attacker must know the SNMP read-only community string for an affected system. To exploit this vulnerability by using SNMPv3, the attacker must know the user credentials for the affected system.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-dos-USxSyTk5

This advisory is part of the June 3, 2020, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 23 Cisco Security Advisories that describe 25 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2020 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2020-3235

Cisco ASR 920 Series Aggregation Services Router Model 12SZ-IM SNMP Denial of Service Vulnerability

A vulnerability in the Simple Network Management Protocol (SNMP) implementation in Cisco ASR 920 Series Aggregation Services Router model ASR920-12SZ-IM could allow an authenticated, remote attacker to cause the device to reload.

The vulnerability is due to incorrect handling of data that is returned for Cisco Discovery Protocol queries to SNMP. An attacker could exploit this vulnerability by sending a request for Cisco Discovery Protocol information by using SNMP. An exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asr920-ABjcLmef

Security Impact Rating: Medium

CVE: CVE-2020-3232

Citrix ADC SNMP Counters

This article lists the newnslog Simple Network Management Protocol (SNMP) counters with a brief description of each.

Using the Counters

Log on to the ADC using an SSH client, change to SHELL, navigate to the /var/nslog directory, and then use the ‘nsconmsg’ command to see comprehensive statistics using the different counters available. For the detailed procedure, refer to the Citrix Blog – NetScaler ‘Counters’ Grab-Bag!

The newnslog SNMP Counters

The following table lists the newnslog SNMP counters with a simple description of the counter.

Newnslog Counter Description

snmp_tot_rxpkts This counter tracks the SNMP packets received.
snmp_tot_txpkts This counter tracks the SNMP packets transmitted.
snmp_tot_badVersions This counter tracks the number of SNMP messages received that were for an unsupported SNMP version.
snmp_tot_badCommName This counter tracks the SNMP messages received that used an SNMP community name not known to the NetScaler appliance.
snmp_tot_badCommUse This counter tracks the total number of SNMP messages received that represented an SNMP operation not allowed by the SNMP community named in the message.
snmp_tot_parseErrs This counter tracks the number of ASN.1 or BER errors encountered when decoding received SNMP messages.
snmp_tot_getBulkReqs This counter tracks the SNMP Get-Bulk PDUs that are accepted and processed.
snmp_tot_getReqs This counter tracks the SNMP Get-Request PDUs that are accepted and processed.
snmp_tot_getNextReqs This counter tracks the SNMP Get-Next PDUs that are accepted and processed.
snmp_tot_responses This counter tracks the SNMP Get-Response PDUs that the NetScaler appliance generates.
snmp_err_req_dropped This counter tracks the SNMP requests dropped.
snmp_tot_traps This counter tracks the SNMP Trap PDUs that the NetScaler appliance generates.
snmp_tot_unsupportedSecurityLevel This counter tracks the SNMP packets that are dropped because they requested a security level that is unknown to the NetScaler appliance or otherwise unavailable.
snmp_tot_notInTimeWindow This counter tracks the SNMP packets that are dropped because they appeared outside the time window of the authoritative SNMP engine.
snmp_tot_unknownUserName This counter tracks the SNMP packets that are dropped because they referenced a user that is not known to the SNMP engine.
snmp_tot_unknownEngineIds This counter tracks the SNMP packets that are dropped because they referenced an SNMP engine ID that is not known to the NetScaler appliance.
snmp_tot_wrongDigests This counter tracks the SNMP packets that are dropped because they do not contain the expected digest value.
snmp_tot_decryptionErrors This counter tracks the SNMP packets that are dropped because they cannot be decrypted.
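The counters above are most useful when read as deltas between two nsconmsg records: a jump in snmp_tot_badCommName, snmp_tot_unknownUserName, snmp_tot_wrongDigests or snmp_tot_decryptionErrors while snmp_tot_rxpkts stays flat is the signature of someone guessing community strings or SNMPv3 credentials against the appliance, whereas the same counters rising in lock-step with rxpkts usually means a misconfigured poller. The following is an added example, not Citrix code and not part of this article: it parses the row layout that nsconmsg prints for "nsconmsg -K /var/nslog/newnslog -d current -g snmp_tot" (the column order Index, rtime, totalcount-val, delta, rate/sec, symbol-name&device-no is assumed here from that command's usual output) and flags the authentication-failure counters. The sample output is constructed, and the threshold of ten failures per record is an arbitrary starting point.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of nsconmsg output, not captured from a real appliance.
# Layout assumed: Index, rtime, totalcount-val, delta, rate/sec, symbol-name&device-no.
SAMPLE_OUTPUT = """\
reltime:mili second between two records Sat Jan  1 00:00:07 2022
Index   rtime totalcount-val      delta rate/sec symbol-name&device-no
    0       0         412355        160       22 snmp_tot_rxpkts
    1       0         412301         38        5 snmp_tot_txpkts
    2       0            117        102       14 snmp_tot_badCommName
    3       0              4          0        0 snmp_tot_badVersions
    4       0              9          0        0 snmp_tot_parseErrs
    5       0             21         20        2 snmp_tot_unknownUserName
    6       0              3          0        0 snmp_tot_wrongDigests
"""

# One data row: five integer columns followed by the counter symbol.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")

# Counters from the table above whose growth indicates rejected credentials:
# unknown community, community used for a disallowed operation, unknown
# SNMPv3 user, wrong authentication digest, undecryptable privacy payload.
AUTH_FAILURE_COUNTERS = {
    "snmp_tot_badCommName",
    "snmp_tot_badCommUse",
    "snmp_tot_unknownUserName",
    "snmp_tot_wrongDigests",
    "snmp_tot_decryptionErrors",
}


def parse_nsconmsg(text: str) -> Dict[str, Dict[str, int]]:
    """Map each counter symbol to its total, delta and rate; skip banner/header lines."""
    rows: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        _, _, total, delta, rate, symbol = m.groups()
        rows[symbol] = {"total": int(total), "delta": int(delta), "rate": int(rate)}
    return rows


def auth_failure_alerts(rows: Dict[str, Dict[str, int]],
                        delta_threshold: int = 10) -> List[Tuple[str, int]]:
    """Return (counter, delta) for each failure counter that grew by at least the threshold."""
    alerts = []
    for name in sorted(AUTH_FAILURE_COUNTERS):
        row = rows.get(name)
        if row is not None and row["delta"] >= delta_threshold:
            alerts.append((name, row["delta"]))
    return alerts


def failure_ratio(rows: Dict[str, Dict[str, int]]) -> float:
    """Fraction of received SNMP packets in this record that failed authentication."""
    rx = rows.get("snmp_tot_rxpkts", {}).get("delta", 0)
    bad = sum(rows[n]["delta"] for n in AUTH_FAILURE_COUNTERS if n in rows)
    return bad / rx if rx else 0.0


if __name__ == "__main__":
    parsed = parse_nsconmsg(SAMPLE_OUTPUT)
    for counter, delta in auth_failure_alerts(parsed):
        print(f"ALERT {counter} grew by {delta} in one record")
    print(f"auth-failure share of received packets: {failure_ratio(parsed):.0%}")
```

In the constructed sample, 122 of the 160 packets received in the interval were rejected for bad credentials, which is the ratio a SIEM rule would key on; on a healthy appliance the failure counters should sit near zero between polling cycles, so even a low absolute threshold is a reasonable first alarm.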

Citrix ADC System Counters

This article lists the newnslog system counters with a brief description of each.

Using the newnslog Counters

To use the newnslog counters, log on to the ADC using an SSH client, switch to SHELL, navigate to the /var/nslog directory, and then use the ‘nsconmsg’ command to see comprehensive statistics. For more information, refer to the Citrix Blog – NetScaler ‘Counters’ Grab-Bag!

Citrix ADC System Counters

The following table lists the newnslog System counters with a simple description of the counter.

newnslog Counter Description

allnic_tot_rx_mbits This counter tracks the number of megabytes received by the NetScaler appliance.
allnic_tot_tx_mbits This counter tracks the number of megabytes transmitted by the NetScaler appliance.
avg_cpu_usage This counter tracks the average CPU utilization percentage.
avg_cpu_usage_pcnt This counter tracks the average CPU utilization percentage.
cc_cpu_use This counter tracks the CPU utilization percentage.
cpu_speed_expected This counter tracks the CPU speed in MHz.
cpu_usage This counter tracks the CPU utilization percentage.
cpu_usage_pcnt This counter tracks the CPU utilization percentage.
cpu_usage_snmp This counter tracks the CPU utilization percentage.
cpu_use This counter tracks the CPU utilization: percentage * 10.
cur_moninfo This counter tracks the number of monitor bindings defined on this NetScaler appliance.
cur_monitor This counter tracks the number of monitors defined on this NetScaler appliance.
cur_server This counter tracks the number of servers defined on this NetScaler appliance.
cur_service This counter tracks the number of services defined on this NetScaler appliance.
cur_servinfo This counter tracks the number of virtual server bindings on this NetScaler appliance.
cur_svcgroup This counter tracks the number of service groups defined on this NetScaler appliance.
cur_svcgroup_svcitem This counter tracks the number of service group members defined on this NetScaler appliance.
cur_svcgroup_vsrvitem This counter tracks the number of virtual server, service group bindings on this NetScaler appliance.
cur_syshealth_disk0_avail This counter tracks the available space in /flash partition of the hard disk.
cur_syshealth_disk0_errors This counter tracks the disk (/flash) Error counter.
cur_syshealth_disk0_pusage This counter tracks the cur_syshealth_disk0_errors.
cur_syshealth_disk0_size This counter tracks the size of /flash partition of the hard disk.
cur_syshealth_disk0_used This counter tracks the used space in /flash partition of the hard disk.
cur_syshealth_disk1_avail This counter tracks the available space in /var partition of the hard disk.
cur_syshealth_disk1_errors This counter tracks the number of errors on the /var partition of the hard disk.
cur_syshealth_disk1_pusage This counter tracks the used space in /var partition of the disk, as a percentage. This is a critical counter. You can configure /var Used percentage by using the Set snmp alarm DISK-USAGE-HIGH command.
cur_syshealth_disk1_size This counter tracks the size of /var partition of the hard disk.
cur_syshealth_disk1_used This counter tracks the used space in /var partition of the hard disk.
cur_syshealth_fan0 This counter tracks the system fan speed. Acceptable range is 3000 to 6000 RPM. This is a critical counter. You can configure System Fan Speed by using the Set snmp alarm FAN-SPEED-LOW command to set the lower limit.
cur_syshealth_fan1 This counter tracks the system fan 1 speed. For new platforms, associated pin is connected to CPU supporting fans. For platforms in which it is not connected, it points to System Fan.
cur_syshealth_fan2 This counter tracks the system fan 2 speed. For new platforms, associated pin is connected to CPU supporting fans. For platforms in which it is not connected, it points to System Fan.
cur_syshealth_fan3 This counter tracks the speed of Fan 0 if associated pin is connected to health monitoring chip.
cur_syshealth_fan4 This counter tracks the speed of Fan 1 if associated pin is connected to health monitoring chip.
cur_syshealth_fan5 This counter tracks the speed of Fan 2 if associated pin is connected to health monitoring chip.
cur_syshealth_fan6 This counter tracks the speed of Fan 3 if associated pin is connected to health monitoring chip.
cur_syshealth_fancpu0 This counter tracks the CPU Fan 0 speed. Acceptable range is 3000 to 6000 RPM. This is a critical counter. You can configure CPU Fan 0 Speed by using the Set snmp alarm FAN-SPEED-LOW command to set the lower limit.
cur_syshealth_fancpu1 This counter tracks the CPU Fan 1 speed. Acceptable range is 3000 to 6000 RPM. 7000 platform displays speed of CPU fan 0. This is a critical counter. You can configure CPU Fan 1 Speed by using the Set snmp alarm FAN-SPEED-LOW command to set the lower limit.
cur_syshealth_misc0 Miscellaneous Counter 0.
cur_syshealth_misc1 Miscellaneous Counter 1.
cur_syshealth_ps1fail This counter tracks the power supply 1 failure status. Values: 0=Not Supported; 1=Not Present; 2=Power Supply Failed; 3=Power Supply OK
cur_syshealth_ps2fail This counter tracks the power supply 2 failure status. Values: 0=Not Supported; 1=Not Present; 2=Power Supply Failed; 3=Power Supply OK
cur_syshealth_ps3fail This counter tracks the power supply 3 failure status. Values: 0=Not Supported; 1=Not Present; 2=Power Supply Failed; 3=Power Supply OK
cur_syshealth_ps4fail This counter tracks the power supply 4 failure status. Values: 0=Not Supported; 1=Not Present; 2=Power Supply Failed; 3=Power Supply OK
cur_syshealth_tcpu0 This counter tracks the CPU 0 temperature. NetScaler 9800 and 9960 platforms display internal chip temperature. This is a critical counter. You can configure CPU 0 Temperature by using the Set snmp alarm TEMPERATURE-HIGH command to set the upper limit.
cur_syshealth_tcpu1 This counter tracks the CPU 1 temperature. NetScaler 9800 and 9960 platforms display internal chip temperature. NetScaler 7000, 9010 and 10010 platforms display CPU 0 temperature. This is a critical counter. You can configure CPU 1 Temperature by using the Set snmp alarm TEMPERATURE-HIGH command to set the upper limit.
cur_syshealth_temp0 This counter tracks the temperature of a device connected to health monitoring chip through pin 0.
cur_syshealth_temp1 This counter tracks the temperature of a device connected to health monitoring chip through pin 1.
cur_syshealth_temp2 This counter tracks the temperature of a device connected to health monitoring chip through pin 2.
cur_syshealth_temp3 This counter tracks the temperature of a device connected to health monitoring chip through pin 3.
cur_syshealth_tint This counter tracks the internal temperature of health monitoring chip. This is a critical counter. You can configure Internal Temperature by using the Set snmp alarm TEMPERATURE-HIGH command to set the upper limit.
cur_syshealth_v12n This counter tracks the power supply -12V output. Acceptable range is -13.20 to -10.80 volts. NetScaler 9800 and 9960 platforms display standard value of -12.0V.
cur_syshealth_v12p This counter tracks the power supply +12V output. Acceptable range is 10.80 to 13.20 volts.
cur_syshealth_v33main You can configure Standby 3.3V Supply Voltage by using the Set snmp alarm VOLTAGE-LOW command to set the lower limit and the Set snmp alarm VOLTAGE-HIGH command to set the upper limit.
cur_syshealth_v33stby This counter tracks the standby power supply +3.3V output. Acceptable range is 2.970 to 3.630 volts. NetScaler 9800 and 9960 platforms display standard value of 3.3V.
cur_syshealth_v50n This counter tracks the power supply -5V output. Acceptable range is -5.50 to -4.50 volts. NetScaler 9800 and 9960 platforms display standard value of -5.0V.
cur_syshealth_v50p This counter tracks the power supply +5V output. Acceptable range is 4.50 through 5.50 volts.
cur_syshealth_v5sb This counter tracks the power supply 5V standby voltage. Currently, only 13k platforms have a valid value for this counter; for older platforms the value is 0.
cur_syshealth_vbat This counter tracks the onboard battery power supply output. NetScaler 9800 and 9950 platforms display standard value of 5.0V.
cur_syshealth_vcc0 This counter tracks the CPU core 0 voltage. Acceptable range is 1.080 to 1.650 volts.
cur_syshealth_vcc1 This counter tracks the CPU core 1 voltage. Acceptable range is 1.080 to 1.650 volts. If CPU 1 is not connected to the health monitoring chip, then display shows voltage of CPU 0.
cur_syshealth_volt0 This counter tracks the voltage of a device connected to health monitoring chip through pin 0.
cur_syshealth_volt1 This counter tracks the voltage of a device connected to health monitoring chip through pin 1.
cur_syshealth_volt2 This counter tracks the voltage of a device connected to health monitoring chip through pin 2.
cur_syshealth_volt3 This counter tracks the voltage of a device connected to health monitoring chip through pin 3.
cur_syshealth_volt4 This counter tracks the voltage of a device connected to health monitoring chip through pin 4.
cur_syshealth_volt5 This counter tracks the voltage of a device connected to health monitoring chip through pin 5.
cur_syshealth_volt6 This counter tracks the voltage of a device connected to health monitoring chip through pin 6.
cur_syshealth_volt7 This counter tracks the voltage of a device connected to health monitoring chip through pin 7.
cur_syshealth_vsen2 This counter tracks the voltage sensor 2 input. Currently, only 13k platforms have a valid value for this counter; for older platforms the value is 0.
cur_syshealth_vtt This counter tracks the Intel CPU Vtt power. Currently, only 13k platforms have a valid value for this counter; for older platforms the value is 0.
master_cpu_usage This counter tracks the CPU 0 (currently the master CPU) utilization, as percentage of capacity.
master_cpu_use This counter tracks the CPU0 utilization: percentage * 10.
mem_cur_feature_allocpercent This counter tracks the percentage of NetScaler appliance memory used by the feature.
mem_cur_feature_allocsize This counter tracks the total current NetScaler appliance memory available for use by the feature, in kilobytes.
mem_err_feature_alloc_failed This counter tracks the memory allocation failure for a particular feature.
mem_tot_allocated This counter tracks the currently allocated memory, in megabytes.
mem_tot_allocated_pcnt This counter tracks the currently allocated memory in percent.
mem_tot_MB This counter tracks the total Main memory available for use by packet engine (PE), in megabytes.
mem_tot_use_MB This counter tracks the total NetScaler Memory in use, in megabytes.
mem_usage_pcnt This counter tracks the percentage of memory utilization on NetScaler.
mem_usage_percent This counter tracks the percentage of memory utilization on a NetScaler appliance.
mem_use_MB This counter tracks the main memory currently in use, in megabytes.
mgmt_cpu_usage_pcnt This counter tracks the management CPU utilization percentage.
mgmt_cpu_use This counter tracks the management CPU utilization: percentage * 10.
ns_interval This counter tracks the interval in seconds between performance monitoring records taken on the NetScaler appliance.
ns_time This counter tracks the current time set on the NetScaler appliance.
packet_cpu_usage_pcnt This counter tracks the packet CPU utilization percentage.
per_cpu_usage This counter tracks the CPU utilization percentage.
shmem_cur_alloc_pcnt This counter tracks the shared memory in use percent.
shmem_cur_allocsize This counter tracks the shared memory in use, in megabytes.
shmem_max_allowed This counter tracks the total shared memory allowed to allocate, in megabytes.
slave_cpu_usage This counter tracks the CPU 1 (currently the slave CPU) utilization, as percentage of capacity. Not applicable for a single-CPU system.
slave_cpu_use This counter tracks the CPU1 utilization, percentage * 10.
sys_cpus This counter tracks the number of CPUs on the NetScaler appliance.
sys_cpus_1 This counter tracks the number of CPUs on the NetScaler appliance.
sys_cur_duration_sincestart This counter tracks the seconds after the NetScaler appliance started.
sys_memorysize_MB This counter tracks the total amount of system memory, in megabytes.
sys_starttime This counter tracks the time when the NetScaler appliance was last started.
sys_tot_config_changes This counter tracks the number of times a configuration change was made on the NetScaler appliance.
sys_tot_save_configs This counter tracks the number of times the system configuration was saved on the NetScaler appliance.

Cisco FXOS and NX-OS Software Authenticated Simple Network Management Protocol Denial of Service Vulnerability

A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, remote attacker to cause the SNMP application on an affected device to restart unexpectedly.

The vulnerability is due to improper validation of Abstract Syntax Notation One (ASN.1)-encoded variables in SNMP packets. An attacker could exploit this vulnerability by sending a crafted SNMP packet to the SNMP daemon on the affected device. A successful exploit could allow the attacker to cause the SNMP application to restart multiple times, leading to a system-level restart and a denial of service (DoS) condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-fxnxos-snmp-dos

This advisory is part of the August 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication, which includes five Cisco Security Advisories that describe five vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: August 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2019-1963
