Update:

Jan reported in the comments that the problem also exists with SNMPv2, and that’s correct. I just didn’t see that, as we’re using only SNMPv3.

show configuration "snmp" detail

shows the following:

configure snmpv3 add community private name private user v1v2c_rw

configure snmpv3 add community public name public user v1v2c_ro

You need to delete that with:

configure snmpv3 del community private

configure snmpv3 del community public

Original article:

A colleague of mine just found something while performing security hardening on our Extreme Networks switches (Thx for this!). We moved away from SNMPv2 some time ago and are using only SNMPv3. So we did

disable snmp access snmp-v1v2c

and configured our own SNMPv3 users, and we thought we were safe. But that is not true, even though typing

show configuration "snmp"

shows only your own users. Typing

show configuration "snmp" detail (detail = display all configuration data including default, otherwise default would not be displayed)

shows the following:

configure snmpv3 engine-id xxxxx

configure snmpv3 add user admin authentication md5 auth-encrypted hex 35:dc:03:fb:58:13:d3:54:92:0e:1d:fd:ab:3f:b5:9a privacy privacy-encrypted hex 35:dc:03:fb:58:13:d3:54:92:0e:1d:fd:ab:3f:b5:9a

configure snmpv3 add user initial

configure snmpv3 add user initialmd5 authentication md5 auth-encrypted hex 72:e7:51:a0:6b:37:81:a1:26:a5:f0:a1:b8:25:e6:b6

configure snmpv3 add user initialsha authentication sha auth-encrypted hex e9:9d:30:c1:6a:bf:21:45:7e:20:e4:ff:14:2e:28:5f:9c:2e:f3:30

configure snmpv3 add user initialmd5Priv authentication md5 auth-encrypted hex d1:67:eb:88:85:19:4d:7b:c7:09:a4:d4:d5:ba:21:eb privacy privacy-encrypted hex d1:67:eb:88:85:19:4d:7b:c7:09:a4:d4:d5:ba:21:eb

configure snmpv3 add user initialshaPriv authentication sha auth-encrypted hex 34:1d:66:c1:a2:ba:4d:26:8a:da:f5:f6:00:2a:e6:04:88:47:f0:4c privacy privacy-encrypted hex 34:1d:66:c1:a2:ba:4d:26:8a:da:f5:f6:00:2a:e6:04:88:47:f0:4c

configure snmpv3 add group v1v2c_ro user v1v2c_ro sec-model snmpv1

configure snmpv3 add group v1v2c_rw user v1v2c_rw sec-model snmpv1

configure snmpv3 add group v1v2c_ro user v1v2c_ro sec-model snmpv2c

configure snmpv3 add group v1v2c_rw user v1v2c_rw sec-model snmpv2c

configure snmpv3 add group v1v2cNotifyGroup user v1v2cNotifyUser1 sec-model snmpv2c

configure snmpv3 add group v1v2cNotifyGroup user v1v2cNotifyUser2 sec-model snmpv2c

configure snmpv3 add group admin user admin sec-model usm

configure snmpv3 add group initial user initial sec-model usm

configure snmpv3 add group initial user initialmd5 sec-model usm

configure snmpv3 add group initial user initialsha sec-model usm

configure snmpv3 add group initial user initialmd5Priv sec-model usm

configure snmpv3 add group initial user initialshaPriv sec-model usm

configure snmpv3 add access admin sec-model usm sec-level priv read-view defaultAdminView write-view defaultAdminView notify-view defaultNotifyView

configure snmpv3 add access initial sec-model usm sec-level noauth read-view defaultUserView notify-view defaultNotifyView

configure snmpv3 add access initial sec-model usm sec-level authnopriv read-view defaultUserView write-view defaultUserView notify-view defaultNotifyView

configure snmpv3 add access v1v2c_ro sec-model snmpv1 sec-level noauth read-view defaultUserView notify-view defaultNotifyView

configure snmpv3 add access v1v2c_ro sec-model snmpv2c sec-level noauth read-view defaultUserView notify-view defaultNotifyView

configure snmpv3 add access v1v2c_rw sec-model snmpv1 sec-level noauth read-view defaultUserView write-view defaultUserView notify-view defaultNotifyView

configure snmpv3 add access v1v2c_rw sec-model snmpv2c sec-level noauth read-view defaultUserView write-view defaultUserView notify-view defaultNotifyView

configure snmpv3 add access snmpv3group sec-model usm sec-level priv read-view defaultAdminView write-view None notify-view None

configure snmpv3 add access v1v2cNotifyGroup sec-model snmpv1 sec-level noauth notify-view defaultNotifyView

configure snmpv3 add access v1v2cNotifyGroup sec-model snmpv2c sec-level noauth notify-view defaultNotifyView

....

enable snmp access

disable snmp access snmp-v1v2c

enable snmp access snmpv3

enable snmpv3 default-group

enable snmpv3 default-user

enable snmp traps

configure snmp compatibility ip-fragmentation disallow

enable snmp access vr VR-Default

enable snmp access vr VR-Mgmt

Oh my god, what are these users? A check of the manual (one of 1732 pages) shows the following:

Yes, these are all default users with published passwords, and sure enough it works, as the following shows:

$ snmpwalk -u admin -A password -a MD5 -X password -x DES -l authPriv switchIpAddress -v3

iso.3.6.1.2.1.1.1.0 = STRING: "ExtremeXOS (X450e-48p) version 15.3.4.6 v1534b6-patch1-8 by release-manager on Thu Oct 30 13:07:09 EDT 2014"

iso.3.6.1.2.1.1.2.0 = OID: iso.xxxxxxxxxxxxxx

.....

I really don’t know what the engineers smoked when they put default SNMPv3 users into the switch configuration! What’s the purpose? And then hiding them from show configuration! What do you need to do to fix this?

disable snmpv3 default-group

disable snmpv3 default-user

Now you get:

$ snmpwalk -u admin -A password -a MD5 -X password -x DES -l authPriv switchIpAddress -v3

Error in packet.

Reason: authorizationError (access denied to that object)

If you additionally delete the users with the following commands:

configure snmpv3 delete user admin

configure snmpv3 delete user initial

configure snmpv3 delete user initialmd5

configure snmpv3 delete user initialsha

configure snmpv3 delete user initialmd5Priv

configure snmpv3 delete user initialshaPriv

You’ll get:

$ snmpwalk -u admin -A password -a MD5 -X password -x DES -l authPriv switchIpAddress -v3

snmpwalk: Unknown user name



I recommend deleting every configuration line (be it user or group) you don’t need. Otherwise only 2 lines protect you from a completely open switch … some firmware did make the switch forget a config line (e.g. when the syntax changed) … so let’s be safer by also removing the users.
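To run this check across many switches, the following added example (not part of the original article and not Extreme Networks code) audits a saved copy of the `show configuration "snmp" detail` output and returns the cleanup commands described above. It assumes the default user and community names are exactly those listed in this article and matches by name only; the sample config, its hex values and the user `monitoring` are constructed.

```python
import re

# Default accounts and communities named in the article above.
DEFAULT_USERS = {"admin", "initial", "initialmd5", "initialsha",
                 "initialmd5Priv", "initialshaPriv"}
DEFAULT_COMMUNITIES = {"private", "public"}

USER_RE = re.compile(r"^configure snmpv3 add user (\S+)")
COMM_RE = re.compile(r"^configure snmpv3 add community (\S+)")
TOGGLE_RE = re.compile(r"^(enable|disable) snmpv3 (default-user|default-group)$")


def audit(config_text):
    """Return cleanup commands: the two disable lines first, then removals."""
    toggles, removals = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := USER_RE.match(line):
            # A default user that is still defined, even if currently disabled.
            if m.group(1) in DEFAULT_USERS:
                removals.append(f"configure snmpv3 delete user {m.group(1)}")
        elif m := COMM_RE.match(line):
            if m.group(1) in DEFAULT_COMMUNITIES:
                removals.append(f"configure snmpv3 del community {m.group(1)}")
        elif m := TOGGLE_RE.match(line):
            if m.group(1) == "enable":
                toggles.append(f"disable snmpv3 {m.group(2)}")
    return toggles + removals


# Constructed sample of a saved 'show configuration "snmp" detail' output.
SAMPLE = """\
configure snmpv3 add user admin authentication md5 auth-encrypted hex 00:11 privacy privacy-encrypted hex 00:11
configure snmpv3 add user monitoring authentication sha auth-encrypted hex 22:33
configure snmpv3 add user initialmd5 authentication md5 auth-encrypted hex 44:55
configure snmpv3 add community public name public user v1v2c_ro
disable snmp access snmp-v1v2c
enable snmpv3 default-group
disable snmpv3 default-user
"""

if __name__ == "__main__":
    for cmd in audit(SAMPLE):
        print(cmd)
```

An empty result means none of the listed defaults remain and both default toggles are disabled; a user you created yourself under one of the default names would also be flagged.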