What is the impact in Spectrum of disabling MIBs on Cisco devices affected by the SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software

Document ID : KB000015966
Last Modified Date : 14/02/2018
Question:

What is the impact in Spectrum of disabling MIBs on Cisco devices affected by the SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software?
Answer:

The "SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software" Cisco Security Advisory states the following:

In addition, administrators can mitigate these vulnerabilities by disabling the following MIBs on a device:

ADSL-LINE-MIB

ALPS-MIB

CISCO-ADSL-DMT-LINE-MIB

CISCO-BSTUN-MIB

CISCO-MAC-AUTH-BYPASS-MIB

CISCO-SLB-EXT-MIB

CISCO-VOICE-DNIS-MIB

CISCO-VOICE-NUMBER-EXPANSION-MIB

TN3270E-RT-MIB

Disabling the above MIBs will have the following impact in Spectrum:

| MIB | OID | Impact on Spectrum |
| --- | --- | --- |
| snmpUsmMIB | 1.3.6.1.6.3.15 | No impact |
| snmpVacmMIB | 1.3.6.1.6.3.16 | Checkpoint Firewall Virtual Context functionality is impacted. Reference the "Certifying and supporting virtual systems within Check Point Firewall" section of the documentation located at https://docops.ca.com/ca-spectrum/10-2-1/en/managing-network/certifying-and-supporting-virtual-systems-within-check-point-firewall |
| snmpCommunityMIB | 1.3.6.1.6.3.18 | No impact |
| CISCO-TAP-MIB | 1.3.6.1.4.1.9.9.252 | No impact |
| adsltcmib | 1.3.6.1.2.1.10.94 | No impact |
| tn3270eRtMIB | 1.3.6.1.2.1.34.9 | No impact |
| ciscoBstunMIB | 1.3.6.1.4.1.9.9.35 | The stunPeerStateChangeNotification trap will not be sent by the device. |
| ciscoAlpsMIB | 1.3.6.1.4.1.9.9.95 | No impact |
| ciscoAdslDmtLineMIB | 1.3.6.1.4.1.9.9.130 | No impact |
| ciscoVoiceDnisMIB | 1.3.6.1.4.1.9.9.219 | The cvDnisMappingUrlInaccessible trap will not be sent by the device. |
| ciscoSlbExtMIB | 1.3.6.1.4.1.9.9.254 | The cslbxFtStateChange trap will not be sent by the device. |
| ciscoMabMIB | 1.3.6.1.4.1.9.9.654 | No impact |
| ciscoExperiment | 1.3.6.1.4.1.9.10 | No impact |

Additional Information:

It is important to note that the "SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software" Cisco Security Advisory states the following:

"Administrators are advised to allow only trusted users to have SNMP access on an affected system."

If Spectrum is considered a "trusted user", then there should be no need to disable these MIBs.

Additionally, the "SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software" Cisco Security Advisory states that software updates are available to address these vulnerabilities, which negates the reason for disabling these MIBs.
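
The following is an added example, not part of the original article and not CA or Cisco tooling: a Python check that reads "snmp-server view ... excluded" lines from an IOS configuration and reports the Spectrum impact listed in the table above for each excluded MIB, whether it is excluded by object name or by numeric OID subtree. The sample configuration and the view name SPECTRUM_RO are constructed for illustration.

```python
import re

# Rows of the impact table in this article: MIB name -> (OID, impact on Spectrum).
IMPACT = {
    "snmpUsmMIB": ("1.3.6.1.6.3.15", "No impact"),
    "snmpVacmMIB": ("1.3.6.1.6.3.16", "Checkpoint Firewall Virtual Context functionality is impacted"),
    "snmpCommunityMIB": ("1.3.6.1.6.3.18", "No impact"),
    "CISCO-TAP-MIB": ("1.3.6.1.4.1.9.9.252", "No impact"),
    "adsltcmib": ("1.3.6.1.2.1.10.94", "No impact"),
    "tn3270eRtMIB": ("1.3.6.1.2.1.34.9", "No impact"),
    "ciscoBstunMIB": ("1.3.6.1.4.1.9.9.35", "stunPeerStateChangeNotification trap not sent"),
    "ciscoAlpsMIB": ("1.3.6.1.4.1.9.9.95", "No impact"),
    "ciscoAdslDmtLineMIB": ("1.3.6.1.4.1.9.9.130", "No impact"),
    "ciscoVoiceDnisMIB": ("1.3.6.1.4.1.9.9.219", "cvDnisMappingUrlInaccessible trap not sent"),
    "ciscoSlbExtMIB": ("1.3.6.1.4.1.9.9.254", "cslbxFtStateChange trap not sent"),
    "ciscoMabMIB": ("1.3.6.1.4.1.9.9.654", "No impact"),
    "ciscoExperiment": ("1.3.6.1.4.1.9.10", "No impact"),
}
VIEW_RE = re.compile(r"^\s*snmp-server view (\S+) (\S+) excluded\s*$", re.M)

def covers(subtree, oid):
    """True if oid is the subtree root or below it (compared arc by arc)."""
    s, o = subtree.split("."), oid.split(".")
    return o[:len(s)] == s

def spectrum_impact(config):
    """Return sorted (view, MIB, impact) rows for every table MIB a view excludes."""
    by_name = {name.lower(): name for name in IMPACT}
    rows = set()
    for view, subtree in VIEW_RE.findall(config):
        if subtree.lower() in by_name:                 # excluded by object name
            name = by_name[subtree.lower()]
            rows.add((view, name, IMPACT[name][1]))
        elif re.fullmatch(r"\d+(\.\d+)*", subtree):    # excluded by numeric OID
            for name, (oid, impact) in IMPACT.items():
                if covers(subtree, oid):
                    rows.add((view, name, impact))
    return sorted(rows)

# Constructed sample; the view name SPECTRUM_RO is hypothetical.
SAMPLE = """\
snmp-server view SPECTRUM_RO iso included
snmp-server view SPECTRUM_RO snmpVacmMIB excluded
snmp-server view SPECTRUM_RO ciscoAlpsMIB excluded
snmp-server view SPECTRUM_RO 1.3.6.1.4.1.9.9.35 excluded
snmp-server view SPECTRUM_RO 1.3.6.1.4.1.9.9.25 excluded
"""

if __name__ == "__main__":
    for view, mib, impact in spectrum_impact(SAMPLE):
        print(f"{view}: {mib}: {impact}")
```

The OID comparison is done arc by arc, so an exclusion of 1.3.6.1.4.1.9.9.25 is not mistaken for CISCO-TAP-MIB (1.3.6.1.4.1.9.9.252) or ciscoSlbExtMIB (1.3.6.1.4.1.9.9.254).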