AOS SNMPv2 security issue

Anonymous user · ‎2021-06-28

Hello,

I noticed some unexpected behaviour of the SNMP server.

The manual, etc. says that only SNMPv1 and v3 is supported (no SNMPv2).

The webinterface also implies this.

But I noticed that AOS 6.2 (older versions too) is responding to SNMPv2 requests too accepting the same communities as SNMPv1.

The requests are accepted even if SNMPv1 is disabled.

It seems like SNMPv2 is always enabled using the same read/write communities as SNMPv1.

The only way to prevent access seems to be to disable the actual communities at the SNMPv1 access control page.

BillP · ‎2021-06-28

Hi - we actually support SNMPv2c and I did find this issue earlier this year and logged it as a security bug/issue. It will be fixed in the next version of firmware.

There is some info on v2c here (http://www.schneider-electric.us/support/index?page=content&country=ITB〈=en&locale=en_US&id=FA156193) that I had updated since originally I thought v2c settings used v3 settings but confirmed it does use the v1 community names. I need to make sure they reference v2c in the future user's guides as well.

See Answer In Context

BillP · ‎2021-06-28

Hi - we actually support SNMPv2c and I did find this issue earlier this year and logged it as a security bug/issue. It will be fixed in the next version of firmware.

There is some info on v2c here (http://www.schneider-electric.us/support/index?page=content&country=ITB〈=en&locale=en_US&id=FA156193) that I had updated since originally I thought v2c settings used v3 settings but confirmed it does use the v1 community names. I need to make sure they reference v2c in the future user's guides as well.