Is Cisco router using "default community string" & its vulnerabilities

Q1:
Where or how do I check if a Cisco router is using a "default community string"?
This is from a security VA scan report.

Q2:
The output below is from "sho ver" on the said Cisco router.
Where can I find a list of its vulnerabilities (eg: various security vulnerabilities
like OpenSSL Heartbleed, FREAK) for the version shown below, & where can
I get the patch for these?

===================== "show version" output ============================

Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.3(2)S, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 25-Mar-13 15:39 by mcpre

IOS XE Version: 03.09.00.S

Cisco IOS-XE software, Copyright (c) 2005-2013 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

BDD2EDRT01 uptime is 1 year, 38 weeks, 2 days, 8 hours, 28 minutes
Uptime for this control processor is 1 year, 38 weeks, 2 days, 8 hours, 29 minutes
System returned to ROM by reload at 02:35:15 SGP Sun Jul 14 2013
System restarted at 02:38:26 SGP Sun Jul 14 2013
System image file is "bootflash:/asr1001-universalk9.03.09.00.S.153-2.S.bin"
Last reload reason: Reload Command



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: adventerprise
License Type: Permanent
Next reload license Level: adventerprise

cisco ASR1001 (1RU) processor with 3796478K/6147K bytes of memory.
Processor board ID SSI162102XY
8 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
8388608K bytes of physical memory.
7741439K bytes of eUSB flash at bootflash:.

Configuration register is 0x2102
sunhux Asked:

Daniel Sheppard (Senior Network Analyst - Core & Perimeter) Commented:
Q1:
show running | inc snmp-server | community

If you see "public" or "private" after community, you are using the defaults.

Q2:
You will want to check the Cisco Bug Checker for Vulnerabilities.
https://tools.cisco.com/bugsearch/

To receive an upgrade, you need to have a valid Cisco SMARTnet contract or be within 90 days of purchase.
sunhux (Author) Commented:
Thanks.

>If you see "public" or "private" after community, you are using the defaults.
So how do people generally mitigate the above?  By removing that line
completely, ie  "no snmp ... "?  What's the best practice to secure this
so the VA scan doesn't report it anymore?
sunhux (Author) Commented:
An additional question:
the VA scan reported similar snmp issue with our Arista switches.
What's the command to find out if we use similar default "public" or
"private" snmp community & how to mitigate it as well?

Daniel Sheppard (Senior Network Analyst - Core & Perimeter) Commented:
I am not familiar with Arista switches.

To mitigate, I would perform a "no snmp-server ..." and then "snmp-server community <custom community name> rw".

For my own community names, I generally use a random generated string 10+ characters long.

sunhux (Author) Commented:
Btw, is the command given above missing an "inc" ie
> show running | inc snmp-server | community
     should read
show running | inc snmp-server | inc community        ?
sunhux (Author) Commented:
"no snmp-server ..."
   and then
"snmp-server community <custom community name> rw"

In general, will the above change have any impact?  Or is it only
if we use SNMP for monitoring purposes that the monitoring
will not work after the above changes, unless we adapt our
monitoring tool (ie HP SiteScope in our case) accordingly?
Daniel Sheppard (Senior Network Analyst - Core & Perimeter) Commented:
Additionally, it is always recommended to filter with some form of access list or firewall on the interfaces.  For example (since this is an ASR1001):
ip access-list extended restrict-mgmt
 permit tcp host <your computer's IP> host <interface IP> eq 22
 permit tcp host <your computer's IP> host <interface IP> eq 443
 permit udp host <your computer's IP> host <interface IP> eq 161
 deny tcp any any eq 22
 deny tcp any any eq 23
 deny tcp any any eq 80
 deny tcp any any eq 443
 ! SNMP polling is UDP/161, so the deny must be udp, not tcp
 deny udp any any eq 161
 permit ip any any

 interface Gi0/0/0
  ip access-group restrict-mgmt in


This allows your computer to access the management on the interface Gi0/0/0 but denies everyone else.  You can modify it to suit your needs.  On a "WAN" interface, you can just deny TCP, UDP management for example.  On a inside interface, you might only allow it from your workstation.
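An IOS access list is evaluated top-down, the first matching entry wins, and anything that matches no entry hits the implicit deny at the end, so the order of the permit and deny lines above is what decides who can reach SSH, HTTPS and SNMP on the interface. The following Python script is an added example (not part of the answer above, and not Cisco's code) that simulates that evaluation for the restrict-mgmt list and shows what happens if the final "permit ip any any" is accidentally placed first. The admin workstation 10.1.1.10, the Gi0/0/0 address 10.1.1.1 and the outside hosts 192.0.2.50 and 203.0.113.9 are made-up addresses standing in for the placeholders in the ACL.

```python
"""Simulate IOS extended-ACL evaluation for the restrict-mgmt list.

Added example: models top-down, first-match evaluation with an implicit
deny, over entries written as (action, protocol, source, destination,
destination port). Addresses below are assumptions, not from the thread.
"""
from ipaddress import ip_address

ADMIN_IP = "10.1.1.10"   # assumed: <your computer's IP>
IFACE_IP = "10.1.1.1"    # assumed: <interface IP> of Gi0/0/0


def wildcard(spec):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' (IOS wildcard mask)."""
    if spec == "any":
        return 0, 0xFFFFFFFF
    parts = spec.split()
    if parts[0] == "host":
        return int(ip_address(parts[1])), 0
    return int(ip_address(parts[0])), int(ip_address(parts[1]))


def matches(addr, spec):
    """True if addr matches the address spec; set wildcard bits are 'don't care'."""
    base, mask = wildcard(spec)
    return (int(ip_address(addr)) & ~mask) == (base & ~mask)


# The restrict-mgmt ACL from the answer, with the SNMP entry as UDP and the
# placeholders replaced by the assumed addresses.
RESTRICT_MGMT = [
    ("permit", "tcp", f"host {ADMIN_IP}", f"host {IFACE_IP}", 22),
    ("permit", "tcp", f"host {ADMIN_IP}", f"host {IFACE_IP}", 443),
    ("permit", "udp", f"host {ADMIN_IP}", f"host {IFACE_IP}", 161),
    ("deny", "tcp", "any", "any", 22),
    ("deny", "tcp", "any", "any", 23),
    ("deny", "tcp", "any", "any", 80),
    ("deny", "tcp", "any", "any", 443),
    ("deny", "udp", "any", "any", 161),
    ("permit", "ip", "any", "any", None),
]

# Same entries with the catch-all permit moved to the top: a common mistake.
MISORDERED = [RESTRICT_MGMT[-1]] + RESTRICT_MGMT[:-1]


def evaluate(acl, proto, src, dst, dport):
    """Return (action, entry_index) for a packet; index -1 is the implicit deny."""
    for i, (action, p, s, d, port) in enumerate(acl):
        if p != "ip" and p != proto:          # 'ip' matches every protocol
            continue
        if port is not None and port != dport:
            continue
        if matches(src, s) and matches(dst, d):
            return action, i
    return "deny", -1


if __name__ == "__main__":
    # Constructed sample flows: management from the admin host, management
    # from elsewhere, and ordinary transit traffic through the interface.
    flows = [
        ("udp", ADMIN_IP, IFACE_IP, 161),
        ("udp", "192.0.2.50", IFACE_IP, 161),
        ("tcp", ADMIN_IP, IFACE_IP, 23),
        ("tcp", "192.0.2.50", "203.0.113.9", 8080),
    ]
    for name, acl in (("restrict-mgmt", RESTRICT_MGMT), ("misordered", MISORDERED)):
        print(f"== {name}")
        for proto, src, dst, dport in flows:
            action, idx = evaluate(acl, proto, src, dst, dport)
            print(f"{proto}/{dport} {src} -> {dst}: {action} (entry {idx})")
```

Two things the simulation makes visible: Telnet is denied even for the admin host because nothing permits port 23 before the "deny tcp any any eq 23" entry, and with the catch-all permit first, every entry below it is dead and SNMP from any source is allowed. Note also that an interface ACL only filters packets that arrive on that interface; a community-level access list ("snmp-server community <string> RO <acl>") restricts SNMP sources regardless of which interface or VRF the poll arrives on.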
Daniel Sheppard (Senior Network Analyst - Core & Perimeter) Commented:
When piping with Cisco, the first pipe is a pipe.  Any subsequent pipes are "ORs".

show running | inc ip | address

is in reality:

show running | include (ip OR address)

I really should have just put "show running | include snmp-server community" to be proper.

If you don't use SNMP for monitoring, you can just use the no snmp and disable snmp.  If you use SNMP, your tools will have to be modified.
sunhux (Author) Commented:
Thanks, so for the lines below, is it only that my community string is too simple, or
will I need to set the public one with a password?

ie  
"enable"
"no snmp-server community pr0u6dbbb RO"
"no snmp-server community public RO"
"snmp-server community M0re_C0mp1ex_than_pr0u6dbbb rw"
"copy run start"

D2DDEERT01#show run | inc snmp
snmp-server community pr0u6dbbb RO
snmp-server community public RO
snmp-server trap-source GigabitEthernet0
snmp-server chassis-id D2DDEERT01
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps bgp
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server host 172.22.5.55 vrf Mgmt-intf pr0u6dbbb
snmp-server host 172.22.215.55 vrf Mgmt-intf public
sunhux (Author) Commented:
snmp-server host 172.22.5.55 vrf Mgmt-intf pr0u6dbbb
snmp-server host 172.22.215.55 vrf Mgmt-intf public

From the above 2 lines, can I say that we do use Snmp traps for monitoring
of this cisco device?  Also, any other of the listed lines need to change to
make it more secure?
Daniel Sheppard (Senior Network Analyst - Core & Perimeter) Commented:
I would remove the public line for sure.  The other one is probably your community string you are using for monitoring.
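To run the Q1 check against a saved configuration rather than by eye, and to script the mitigation discussed in this thread, here is an added Python example (not code from the thread, from Cisco, or from the VA scanner). It parses the "show run | inc snmp" lines posted above (embedded as a constructed copy), flags default, short, read-write and unrestricted community strings plus the trap hosts that use them, and emits the IOS commands that replace them with one random read-only community restricted by a standard access list. The ACL name SNMP-MGMT, the 12-character minimum length, the list of well-known default strings, and 172.22.5.55 as the only permitted poller are assumptions.

```python
"""Audit SNMP community strings in a Cisco IOS/IOS-XE config and emit fixes.

Added example, not from the original thread. SAMPLE_CONFIG is a constructed
copy of the 'show run | inc snmp' output posted above, trimmed to the lines
the audit cares about. ACL name, minimum length and default-string list are
assumptions.
"""
import secrets
import string

# Strings scanners and attackers try first; "public"/"private" are the
# classic defaults the VA report is complaining about (assumed list).
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "manager"}
MIN_LENGTH = 12  # assumption: house minimum for a community string

SAMPLE_CONFIG = """\
snmp-server community pr0u6dbbb RO
snmp-server community public RO
snmp-server trap-source GigabitEthernet0
snmp-server chassis-id D2DDEERT01
snmp-server enable traps bgp
snmp-server host 172.22.5.55 vrf Mgmt-intf pr0u6dbbb
snmp-server host 172.22.215.55 vrf Mgmt-intf public
"""


def parse_snmp(config):
    """Return ({community: (mode, acl)}, [(ip, vrf, community)]) from config text."""
    communities, hosts = {}, []
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:2] == ["snmp-server", "community"] and len(tok) >= 3:
            name, rest = tok[2], tok[3:]
            if rest[:1] == ["view"]:          # 'view NAME' precedes RO/RW
                rest = rest[2:]
            mode = "RO"                       # IOS default when neither is given
            if rest and rest[0].upper() in ("RO", "RW"):
                mode, rest = rest[0].upper(), rest[1:]
            if rest[:1] == ["ipv6"]:          # 'ipv6 ACL' precedes the IPv4 ACL
                rest = rest[2:]
            communities[name] = (mode, rest[0] if rest else None)
        elif tok[:2] == ["snmp-server", "host"] and len(tok) >= 4:
            ip, rest, vrf = tok[2], tok[3:], None
            if rest[:1] == ["vrf"]:
                vrf, rest = rest[1], rest[2:]
            if rest[:1] in (["traps"], ["informs"]):
                rest = rest[1:]
            if rest[:1] == ["version"]:       # 'version 2c' or 'version 3 auth'
                rest = rest[3:] if rest[1] == "3" else rest[2:]
            if rest:
                hosts.append((ip, vrf, rest[0]))
    return communities, hosts


def flagged_communities(communities):
    """Community names that are default, short, read-write or unrestricted."""
    return {n for n, (mode, acl) in communities.items()
            if n.lower() in DEFAULT_COMMUNITIES or len(n) < MIN_LENGTH
            or mode == "RW" or acl is None}


def audit(config):
    """Return a list of (severity, message) findings, scanner-style."""
    communities, hosts = parse_snmp(config)
    findings, weak = [], set()
    for name, (mode, acl) in communities.items():
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(("high", f"default community string '{name}' ({mode})"))
            weak.add(name)
        elif len(name) < MIN_LENGTH:
            findings.append(("medium", f"short community string '{name}' ({len(name)} chars)"))
            weak.add(name)
        if mode == "RW":
            findings.append(("high", f"read-write community '{name}' allows config changes"))
            weak.add(name)
        if acl is None:
            findings.append(("medium", f"community '{name}' has no access-list; any source may poll"))
    for ip, vrf, comm in hosts:
        if comm in weak:
            findings.append(("low", f"trap host {ip} (vrf {vrf}) uses flagged community '{comm}'"))
    return findings


def new_community(length=20):
    """Random alphanumeric community string from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def remediate(config, mgmt_hosts, community=None, acl="SNMP-MGMT"):
    """IOS commands that replace flagged communities with one RO community
    restricted to mgmt_hosts, and re-point affected trap hosts at it."""
    communities, hosts = parse_snmp(config)
    community = community or new_community()
    bad = flagged_communities(communities)
    cmds = ["configure terminal", f"ip access-list standard {acl}"]
    cmds += [f" permit host {h}" for h in mgmt_hosts]
    cmds += [f"no snmp-server community {n}" for n in sorted(bad)]
    cmds.append(f"snmp-server community {community} RO {acl}")
    for ip, vrf, comm in hosts:
        if comm in bad:
            vrf_kw = f" vrf {vrf}" if vrf else ""
            cmds.append(f"no snmp-server host {ip}{vrf_kw} {comm}")
            cmds.append(f"snmp-server host {ip}{vrf_kw} version 2c {community}")
    cmds += ["end", "copy running-config startup-config"]
    return cmds


if __name__ == "__main__":
    for severity, msg in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {msg}")
    print("\n".join(remediate(SAMPLE_CONFIG, ["172.22.5.55"])))
```

On the posted config this flags "public" as a default string, "pr0u6dbbb" as too short, both as unrestricted by any access list, and both trap hosts as using a flagged string; the generated commands remove both communities and both host lines and add a single read-only community that only 172.22.5.55 may use. Whatever polls the device (HP SiteScope here) has to be given the new string before the old ones are removed, or monitoring stops at that moment; SNMP trap delivery from the router is unaffected by the access list, since it only restricts incoming polls.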