knowledge base


CISCO disable unneeded MIBs


  • Administrators are advised to allow only trusted users to have SNMP access on an affected system.
  • Administrators are also advised to monitor affected systems by using the show snmp host command in the CLI.
  • In addition, administrators can mitigate these vulnerabilities by disabling the following MIBs on a device:

      ADSL-LINE-MIB
      ALPS-MIB
      CISCO-ADSL-DMT-LINE-MIB
      CISCO-BSTUN-MIB
      CISCO-MAC-AUTH-BYPASS-MIB
      CISCO-SLB-EXT-MIB
      CISCO-VOICE-DNIS-MIB
      CISCO-VOICE-NUMBER-EXPANSION-MIB
      TN3270E-RT-MIB

    To create or update a view entry and disable the affected MIBs, administrators can use the snmp-server view global configuration command, as shown in the following example:

      snmp-server view NO_BAD_SNMP iso included
      snmp-server view NO_BAD_SNMP internet included
      snmp-server view NO_BAD_SNMP snmpUsmMIB excluded
      snmp-server view NO_BAD_SNMP snmpVacmMIB excluded
      snmp-server view NO_BAD_SNMP snmpCommunityMIB excluded
      snmp-server view NO_BAD_SNMP ciscoMgmt.252 excluded
      snmp-server view NO_BAD_SNMP transmission.94 excluded
      snmp-server view NO_BAD_SNMP mib-2.34.9 excluded
      snmp-server view NO_BAD_SNMP ciscoMgmt.35 excluded
      snmp-server view NO_BAD_SNMP ciscoMgmt.95 excluded
      snmp-server view NO_BAD_SNMP ciscoMgmt.130 excluded
      snmp-server view NO_BAD_SNMP ciscoMgmt.219 excluded
      snmp-server view NO_BAD_SNMP ciscoMgmt.254 excluded
      snmp-server view NO_BAD_SNMP ciscoMabMIB excluded
      snmp-server view NO_BAD_SNMP ciscoExperiment.997 excluded

    To then apply this configuration to a community string, administrators can use the following command:

      snmp-server community mycomm view NO_BAD_SNMP RO

    For SNMP Version 3, administrators can use the following command:

      snmp-server group v3group auth read NO_BAD_SNMP write NO_BAD_SNMP
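
A view only protects the device if every exclusion is present and every community and group is actually bound to it. The following audit script is an added example, not part of the original note or any Cisco tooling: it checks saved configuration text for missing exclusions and for community or group lines that do not reference NO_BAD_SNMP. It assumes the view entries appear in the configuration as typed above; the sample config, the "legacy" community, the "ops" group and the function names are constructed for illustration.

```python
# Added example: audit an IOS config for the SNMP view described above.
VIEW = "NO_BAD_SNMP"
# Subtrees that the example view on this page excludes.
REQUIRED_EXCLUDED = {
    "snmpUsmMIB", "snmpVacmMIB", "snmpCommunityMIB", "ciscoMgmt.252",
    "transmission.94", "mib-2.34.9", "ciscoMgmt.35", "ciscoMgmt.95",
    "ciscoMgmt.130", "ciscoMgmt.219", "ciscoMgmt.254", "ciscoMabMIB",
    "ciscoExperiment.997",
}

def _arg(tok, key, start):
    """Token that follows keyword `key` at or after index `start`, else None."""
    if key in tok[start:]:
        i = tok.index(key, start)
        return tok[i + 1] if i + 1 < len(tok) else None
    return None

def audit(config, view=VIEW):
    """Return missing exclusions and line numbers of unbound communities/groups."""
    excluded, communities, groups = set(), [], []
    for n, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        if tok[:1] != ["snmp-server"] or len(tok) < 3:
            continue
        if tok[1] == "view" and tok[2] == view and len(tok) == 5 and tok[4] == "excluded":
            excluded.add(tok[3])
        elif tok[1] == "community" and _arg(tok, "view", 3) != view:
            communities.append(n)  # line number only: the string is a secret
        elif tok[1] == "group":
            read, write = _arg(tok, "read", 3), _arg(tok, "write", 3)
            if read != view or (write is not None and write != view):
                groups.append(n)
    return {"missing_exclusions": sorted(REQUIRED_EXCLUDED - excluded),
            "unbound_community_lines": communities,
            "unbound_group_lines": groups}

# Constructed sample config: one exclusion omitted, and one community and one
# group that do not reference the restricted view.
SAMPLE = "\n".join(
    ["snmp-server view NO_BAD_SNMP iso included"]
    + [f"snmp-server view NO_BAD_SNMP {m} excluded"
       for m in sorted(REQUIRED_EXCLUDED - {"ciscoMabMIB"})]
    + ["snmp-server community mycomm view NO_BAD_SNMP RO",
       "snmp-server community legacy RO",
       "snmp-server group v3group auth read NO_BAD_SNMP write NO_BAD_SNMP",
       "snmp-server group ops v3 priv read v1default"])

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The report gives line numbers rather than community strings so that the output can be shared without exposing credentials.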