US-CERT Vulnerability Notes Database


Vulnerability Note VU#123140

Cisco products contain hard-coded SNMP values

Overview

Certain versions of the Cisco IOS software have a hard-coded SNMP read-write community string that cannot be changed by an administrator.

I. Description

Some versions of Cisco IOS contain a hard-coded SNMP read-write community string. This community string exists so that DOCSIS-compliant cable modems adhere to RFC 2669.

The vulnerability is that this community string is also enabled in Cisco IOS versions that do not run on cable modems. An attacker may be able to take control of an affected device by using standard SNMP commands.

Cisco states that the following devices are affected by this vulnerability:

  • Cisco IAD2430 Integrated Access Device
  • Cisco IAD2431 Integrated Access Device
  • Cisco IAD2432 Integrated Access Device
  • Cisco VG224 Analog Phone Gateway
  • Cisco MWR 1900 Mobile Wireless Edge Router
  • Cisco MWR 1941 Mobile Wireless Edge Router

II. Impact

A remote attacker may be able to take control of an affected device.

III. Solution

Update

Cisco has released updates that address this issue. Please see Cisco Security Advisory cisco-sa-20060920-docsis for more details.

In addition to the updates indicated above, Cisco has published a number of workarounds for this issue. Users, particularly those who are not able to apply the updates, are encouraged to implement these workarounds.
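For monitoring affected devices until they are updated, the following added example (not from US-CERT or Cisco) parses captured SNMPv1/v2c payloads and flags any request whose community string is not one the administrator configured, as well as any SetRequest from a host outside the management allow-list. The function names, community strings and addresses are assumptions constructed for illustration.

```python
# Added example; every community string, address and name here is constructed.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest"}

def read_tlv(buf, pos):
    """Decode one BER tag-length-value; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(packet):
    """Return (version, community, pdu_tag) of an SNMPv1/v2c message."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    vtag, ver, pos = read_tlv(body, 0)
    ctag, community, pos = read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("not an SNMPv1/v2c header")
    pdu_tag, _, _ = read_tlv(body, pos)
    return int.from_bytes(ver, "big"), community.decode("latin-1"), pdu_tag

def audit(src_ip, packet, configured, managers):
    """Return findings for one captured UDP/161 payload sent to a device."""
    try:
        _, community, pdu = parse_snmp(packet)
    except ValueError as exc:
        return [f"{src_ip}: unparseable SNMP ({exc})"]
    name, findings = PDU_NAMES.get(pdu, hex(pdu)), []
    if community not in configured:  # string the administrator never set
        findings.append(f"{src_ip}: {name} with unconfigured community")
    if pdu == 0xA3 and src_ip not in managers:
        findings.append(f"{src_ip}: SetRequest from non-management host")
    return findings

def sample(community, pdu_tag):
    """Build a minimal constructed SNMPv2c message (empty varbind list)."""
    pdu = bytes([pdu_tag, 11]) + bytes.fromhex("0201010201000201003000")
    body = b"\x02\x01\x01" + bytes([4, len(community)]) + community.encode() + pdu
    return bytes([0x30, len(body)]) + body
```

Feed `audit` the UDP port 161 payloads from a capture taken in front of the affected device, passing the set of community strings present in its configuration and the addresses of the management stations.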

Systems Affected

Vendor  Status  Date Notified  Date Updated
Cisco Systems, Inc.  Vulnerable  13-Oct-2006

References


http://www.cisco.com/warp/public/707/cisco-sa-20060920-docsis.shtml
http://secunia.com/advisories/21974/

Credit

Thanks to Cisco for providing information about this vulnerability.

This document was written by Ryan Giobbi.

Other Information

Date Public: 2006-09-20
Date First Published: 2006-10-13
Date Last Updated: 2006-10-13
CERT Advisory:
CVE-ID(s): CVE-2006-4950
NVD-ID(s): CVE-2006-4950
US-CERT Technical Alerts:
Metric: 7.27
Document Revision: 33

Produced 2006 by US-CERT, a government organization