Beware: Extreme Networks EXOS ships with hidden SNMPv3 default admin user

July 28, 2015

Update:

Jan reported in the comments that the problem exists also with SNMPv2 – and that’s correct – Just didn’t see that as we’re using only SNMPv3

show configuration "snmp" detail

shows following

configure snmpv3 add community private name private user v1v2c_rw
configure snmpv3 add community public name public user v1v2c_ro

You need to delete that with:

configure snmpv3 del community private
configure snmpv3 del community public

Original article:

A college of mine just found something by performing security hardening on our Extreme Network switches (Thx for this!). We’ve moved away from SNMPv2 sometime ago and are using only SNMPv3. So as we did

disable snmp access snmp-v1v2c

and configured our own SNMPv3 users and we thoughed we’re safe. But that is not true even if typing

show configuration "snmp"

shows only your own users.  Typing

show configuration "snmp" detail     (detail = display all configuration data including default, otherwise default would not be displayed)

shows following

configure snmpv3 engine-id xxxxx
configure snmpv3 add user admin authentication md5 auth-encrypted hex 35:dc:03:fb:58:13:d3:54:92:0e:1d:fd:ab:3f:b5:9a privacy privacy-encrypted hex 35:dc:03:fb:58:13:d3:54:92:0e:1d:fd:ab:3f:b5:9a
configure snmpv3 add user initial
configure snmpv3 add user initialmd5 authentication md5 auth-encrypted hex 72:e7:51:a0:6b:37:81:a1:26:a5:f0:a1:b8:25:e6:b6
configure snmpv3 add user initialsha authentication sha auth-encrypted hex e9:9d:30:c1:6a:bf:21:45:7e:20:e4:ff:14:2e:28:5f:9c:2e:f3:30
configure snmpv3 add user initialmd5Priv authentication md5 auth-encrypted hex d1:67:eb:88:85:19:4d:7b:c7:09:a4:d4:d5:ba:21:eb privacy privacy-encrypted hex d1:67:eb:88:85:19:4d:7b:c7:09:a4:d4:d5:ba:21:eb
configure snmpv3 add user initialshaPriv authentication sha auth-encrypted hex 34:1d:66:c1:a2:ba:4d:26:8a:da:f5:f6:00:2a:e6:04:88:47:f0:4c privacy privacy-encrypted hex 34:1d:66:c1:a2:ba:4d:26:8a:da:f5:f6:00:2a:e6:04:88:47:f0:4c
configure snmpv3 add group v1v2c_ro user v1v2c_ro sec-model snmpv1
configure snmpv3 add group v1v2c_rw user v1v2c_rw sec-model snmpv1
configure snmpv3 add group v1v2c_ro user v1v2c_ro sec-model snmpv2c
configure snmpv3 add group v1v2c_rw user v1v2c_rw sec-model snmpv2c
configure snmpv3 add group v1v2cNotifyGroup user v1v2cNotifyUser1 sec-model snmpv2c
configure snmpv3 add group v1v2cNotifyGroup user v1v2cNotifyUser2 sec-model snmpv2c
configure snmpv3 add group admin user admin sec-model usm
configure snmpv3 add group initial user initial sec-model usm
configure snmpv3 add group initial user initialmd5 sec-model usm
configure snmpv3 add group initial user initialsha sec-model usm
configure snmpv3 add group initial user initialmd5Priv sec-model usm
configure snmpv3 add group initial user initialshaPriv sec-model usm
configure snmpv3 add access admin sec-model usm sec-level priv read-view defaultAdminView write-view defaultAdminView notify-view defaultNotifyView
configure snmpv3 add access initial sec-model usm sec-level noauth read-view defaultUserView notify-view defaultNotifyView
configure snmpv3 add access initial sec-model usm sec-level authnopriv read-view defaultUserView write-view defaultUserView notify-view defaultNotifyView
configure snmpv3 add access v1v2c_ro sec-model snmpv1 sec-level noauth read-view defaultUserView notify-view defaultNotifyView
configure snmpv3 add access v1v2c_ro sec-model snmpv2c sec-level noauth read-view defaultUserView notify-view defaultNotifyView
configure snmpv3 add access v1v2c_rw sec-model snmpv1 sec-level noauth read-view defaultUserView write-view defaultUserView notify-view defaultNotifyView
configure snmpv3 add access v1v2c_rw sec-model snmpv2c sec-level noauth read-view defaultUserView write-view defaultUserView notify-view defaultNotifyView
configure snmpv3 add access snmpv3group sec-model usm sec-level priv read-view defaultAdminView write-view None notify-view None
configure snmpv3 add access v1v2cNotifyGroup sec-model snmpv1 sec-level noauth notify-view defaultNotifyView
configure snmpv3 add access v1v2cNotifyGroup sec-model snmpv2c sec-level noauth notify-view defaultNotifyView
....
enable snmp access
disable snmp access snmp-v1v2c
enable snmp access snmpv3
enable snmpv3 default-group
enable snmpv3 default-user
enable snmp traps
configure snmp compatibility ip-fragmentation disallow
enable snmp access vr VR-Default
enable snmp access vr VR-Mgmt

Oh my god what are these users? A check into the manual (one of 1732 pages) shows following:

snmpv3defaultuser

Yes, these are all default users, with published passwords – and sure it works as following shows:

$ snmpwalk -u admin -A password -a MD5 -X password -x DES -l authPriv switchIpAddress -v3
iso.3.6.1.2.1.1.1.0 = STRING: "ExtremeXOS (X450e-48p) version 15.3.4.6 v1534b6-patch1-8 by release-manager on Thu Oct 30 13:07:09 EDT 2014"
iso.3.6.1.2.1.1.2.0 = OID: iso.xxxxxxxxxxxxxx
.....

I really don’t know what the engineers smoked when they put default SNMPv3 users into the switch configuration! Whats the purpose? And then hiding them from show configuration! What do you need to do to fix this?

disable snmpv3 default-group
disable snmpv3 default-user

Now you get:

$ snmpwalk -u admin -A password -a MD5 -X password -x DES -l authPriv switchIpAddress -v3
Error in packet.
Reason: authorizationError (access denied to that object)

If you delete the users additionally with following commands:

configure snmpv3 delete user admin
configure snmpv3 delete user initial
configure snmpv3 delete user initialmd5
configure snmpv3 delete user initialsha
configure snmpv3 delete user initialmd5Priv
configure snmpv3 delete user initialshaPriv

You’ll get:

$ snmpwalk -u admin -A password -a MD5 -X password -x DES -l authPriv switchIpAddress -v3
snmpwalk: Unknown user name

I recommend deleting every configuration line (be it user or group) you don’t need. Only 2 lines protect you otherwise from a completely open switch …. some firmware did make the switch to forget a config line (e.g. when the syntax changed) … so lets be more save by also removing the users.

5 Comments »

RSS feed for comments on this post. TrackBack URI

  1. Hey, there are also hidden communities for snmpv2 – “private” and “public”.

    Best regards

    Jan

    Comment by Jan — July 29, 2015 #

  2. Thx for the info – We’ve disabled SNMPv2 so I didn’t check. But you’re correct. Is also needed:

    configure snmpv3 del community private
    configure snmpv3 del community public

    Comment by robert — July 29, 2015 #

  3. “snmpwalk: Unknown user name”

    Ugh, a simple “Access Denied” would have sufficed here. Seriously, what is Extreme smoking over there?

    Comment by Brodie7838 — July 29, 2015 #

  4. Hello

    Thank you for the article!

    Is it possible to revert

    >configure snmpv3 del community private
    >configure snmpv3 del community public

    I have a need to enable SNMPv2 for a short term

    Comment by Neo2SHYAlien — February 1, 2017 #

  5. sure use “add” instead of “del”.

    Comment by robert — February 1, 2017 #

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 44 queries. 0.117 seconds.