DCE/DCO and "writable snmp vulnerability"

Anonymous user · ‎2022-01-19

Hello!

During recent Vulnerability Assessment scan, a "writable SNMP community" vulnerability was discovered within DCE/DCO.

I can see option to change default name for writable SNMP community, but I don't see an option to disable it completely or set password for it.

Can you advise how to protect it/remediate it?

Jef · ‎2022-01-19

Hi Przemyslaw,

I will answer for DCO/ITA, you can configure it via the server webmin interface.

For DCO:
https://<DCO server IP>:10000
StruxureWare DC Operation > Setup

For ITA:
https://<ITA server IP>:10000
EcoStruxure IT Advisor > Setup

where you can enable or disable SNMP options (v1 and v3) and/or set password.

SNMP v1 is disabled by default in latest versions of ITA.

Kind regards,

Jef

APC_Steve · ‎2022-01-19

Hi @Anonymous user ,

To disable SNMP read/write on DCE, simply uncheck "Enable" on the following page (it is disabled by default):

There is only SNMP version 1 so there is no password option. There are only community names.

You do not have the option to enable or disable read/write individually. You get both read/write, or you get neither.

Thanks,

Steve

silvia_scv · ‎2022-01-19

Hi Steve,

having disabled SNMP in DCE server I now get the alarm you can see in attachment. In the DCO though in external system config it's still in ok status and it passes the test. I saw an old conversation on this topic Solved: snmp vunerability - Communities (se.com) and I see indeed in my DCE the DCE server itself is found as an item. What can I do in this case to still keep SNMP disabled but have DCO and DCE communicating?

Thank you in advance

Silvia

APC_Steve · ‎2022-01-19

hi @silvia_scv

That would seem to indicate that "usdcepal01.internal...." is the server itself and that it is being monitored via SNMP. As I mentioned, you have the option to enable SNMP or disable it. If you disable it, you will obviously not be able to monitor it using SNMP. You have to make the choice, enabled or disabled.

If enabled, all I can suggest for higher security is that you use a more complex write community string and don't give it out but if it being enabled at all is the issue, you're back to the choice of enabled or disabled.

Steve

Anonymous user · ‎2022-01-19

Steve, how can we check if the device is monitored by SNMP or how to change it to some other monitoring method?

In the properties of the server, there is nothing clearly visible that would indicate SNMP monitoring 😞

APC_Steve · ‎2022-01-19

Hi @Anonymous user

There is no other alternative in DCE to monitor another (or the same) DCE server other than SNMP. Your device discovery options in DCE are SNMP, Modbus (which we don't do to monitor the server) and NetBotz which can't be used to monitor the server.

You also disabled SNMP and stated that you lost com at that point so with all of this info, it's pretty obvious that this was how you were monitoring it.

Again, your options are to enable SNMP and allow it to be monitored or disable it and don't monitor it. There's very little info available via SNMP so you're not losing that much. To see what you have set up in DCE to monitor any system using SNMP is to go to the device menu --> SNMP Device Communications Settings --> Device Scan Settings and look for the IP or hostname of the server. Check it and click edit device settings to see the configuration.

Thanks,

Steve

Anonymous user · ‎2022-01-19

Thank you very much, it's all clear now.

If we would like to keep SNMP running, is there any possibility to enable some DCE firewalling or within Struxureware, which would limit the SNMP communication just internally and disable all external connectivity?

APC_Steve · ‎2022-01-19

hi @Anonymous user

Sorry but no, the options for SNMP are as you see them on the previous page that I sent as a screenshot. There is no way to set only a specific IP / system to monitor DCE. There is no way to keep it internal to the system.

Steve