
SNMP vulnerability in disaster recovery node

EcoStruxure IT forum

A support forum for Data Center Operation, Data Center Expert, and EcoStruxure IT product users to share knowledge on installation, configuration, and general product use.


This question was originally posted on DCIM Support by Michael on 2019-06-04


There have been a lot of discussions here about the default SNMPv1 community string, but I didn't find anything related to the DCO Disaster Recovery node (High Availability). The problem is that our security scanners are reporting a vulnerability since the DR seems to be using the default "public" even though we have disabled the SNMPv1 and in addition changed it from "public" to something else.

It seems that these configurations are not taken into use if the DR is not promoted to master? Scans were fine when the DR was the master but once dropped to being a DR, the same vulnerability was found.

(CID:144313595)


This answer was originally posted on DCIM Support by Jef Faridi on 2019-06-04


Hi Michael,

SNMP v1 can be disabled both on the master node and the DR node. If you haven't tried it yet, please go to the server (both master and DR) webmin interface, StruxureWare DC Operation > Setup, un-check the v1 option for "Enable SNMP server", and then push the Setup button.

And then check your vulnerability scans to see if that helps, otherwise it would be great if I could have details about your scanning tool and its DCO related reports, thanks.

Kind regards

(CID:144313614)


This comment was originally posted on DCIM Support by Michael on 2019-06-04


Hi Jef!

The SNMPv1 is disabled on both servers. Before disabling, we also changed the community from "public" to something else. Master node passes the scans with no problems, so does the DR if it's promoted to master. But when it is in "standby" as a DR, the scans report: "Default or Guessable SNMP community names: public". So it seems it uses some default values when working as a DR. I'll ask our IT Security for some more information.

(CID:144313625)


This comment was originally posted on DCIM Support by Jef Faridi on 2019-06-04


Hi Michael,

Thanks for the info - I will send you an invite to my =S= box shortly so the data can be shared safely with me, thanks.

Kind regards

(CID:144313664)


This comment was originally posted on DCIM Support by Jef Faridi on 2019-06-04


Hi Michael,

What is the version of your DCO servers?

Kind regards

(CID:144313851)


This comment was originally posted on DCIM Support by Michael on 2019-06-04


Currently on 8.2.2.

(CID:144313859)


This comment was originally posted on DCIM Support by Jef Faridi on 2019-06-11


Hi Michael,

I have had a setup (DCO+DR node) using the latest release version (DCO 8.3) that was running the last few days. This setup was included in our daily security scanning without any SNMP security notifications.

In general, it is recommended to update the product (DCO) to the latest release version, which should also contain OS related updates.

Kind regards

(CID:144868637)
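One way to reproduce the scanner's "Default or Guessable SNMP community names: public" check against your own master and DR nodes, as an added example that is not part of the original thread or of DCO. It sends a single SNMPv1 GetRequest for sysDescr.0 and reports whether the node answers; the function names are hypothetical and the addresses are placeholders.

```python
import socket

SYS_DESCR = bytes.fromhex("2b06010201010100")  # OID 1.3.6.1.2.1.1.1.0 (sysDescr.0), BER body

def tlv(tag, payload):
    """BER tag-length-value; the request is small, so short-form length suffices."""
    if len(payload) > 127:
        raise ValueError("payload too long for short-form length")
    return bytes([tag, len(payload)]) + payload

def build_v1_get(community, request_id=1):
    """SNMPv1 GetRequest for sysDescr.0 using the given community string."""
    varbind = tlv(0x30, tlv(0x06, SYS_DESCR) + tlv(0x05, b""))
    fields = tlv(0x02, bytes([request_id])) + tlv(0x02, b"\x00") * 2  # id, error-status, error-index
    pdu = tlv(0xA0, fields + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community.encode()) + pdu)  # version 0 = v1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); handles long-form lengths in replies."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def is_v1_get_response(reply, community):
    """True only for a v1 message carrying this community and a GetResponse PDU (0xA2)."""
    try:
        tag, msg, _ = read_tlv(reply, 0)
        _, version, p = read_tlv(msg, 0)
        _, comm, p = read_tlv(msg, p)
        pdu_tag, _, _ = read_tlv(msg, p)
    except IndexError:
        return False
    return (tag, version, comm, pdu_tag) == (0x30, b"\x00", community.encode(), 0xA2)

def answers_v1(host, community, timeout=2.0, port=161):
    """Probe one node. False means no valid reply (agent ignored it, or traffic is filtered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_v1_get(community), (host, port))
            reply, _ = s.recvfrom(4096)
        except OSError:
            return False
    return is_v1_get_response(reply, community)

if __name__ == "__main__":
    # Placeholder addresses (TEST-NET-1): substitute your own master and standby DR nodes.
    for role, host in (("master", "192.0.2.10"), ("DR standby", "192.0.2.11")):
        print(f"{role} {host}: answers SNMPv1 'public' = {answers_v1(host, 'public')}")
```

Running it with the DR in standby and again after promotion, from the same network segment as the scanner, shows whether the finding follows the node's role.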
