Recently had an issue working with a CCE engineer trying to configure a SIP server group in SPOG 12.5 for a couple of CUBE routers. Turns out SPOG requires the use of telnet to connect to the CUBE routers. Not just that, but the SPOG executes a few commands on CUBE (or any VGW being integrated) and it requires level 15 access to execute a ‘show version’ command on the gateway. If the user account being used doesn’t have level 15 access, SPOG executes the ‘enable 15’ command to elevate privileges for itself.
We discovered this by configuring a custom privilege level for the SPOG user. Even with the custom commands configured for the specified privilege level, SPOG configuration of the SIP server group was failing. We configured an EEM script to log the command being executed by the SPOG and discovered the following commands being executed:
terminal height 0
terminal width 0
show privilege
show version
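For anyone who wants to repeat the discovery step above, here is an added example (not the script from the original post) of an EEM applet that syslogs every CLI command a session runs, together with the kind of restricted-privilege user it was used to watch; the applet name, the user name and the privilege level are assumptions, and as the post describes, the restricted user still fails because the integration issues "enable 15" on its own.

```ios
! Added example, not the post's own script. Applet name, user name
! and privilege level 7 are assumed values for illustration.
!
! 1. Restricted account for the integration: level 7, with only the
!    commands seen in the capture delegated down to that level.
username spog privilege 7 secret REPLACE-WITH-STRONG-SECRET
privilege exec level 7 terminal height
privilege exec level 7 terminal width
privilege exec level 7 show privilege
privilege exec level 7 show version
!
! 2. Keep the log in the local buffer so it can be read back.
logging buffered 64000 informational
!
! 3. EEM applet: fire on every CLI line (pattern ".*"), do not block
!    the command (sync no, skip no), and write the line to syslog.
!    $_cli_msg is the built-in EEM variable holding the command text.
event manager applet LOG-ALL-CLI
 event cli pattern ".*" sync no skip no
 action 1.0 syslog priority informational msg "CLI audit: $_cli_msg"
!
! 4. After a failed SIP server group push, read the audit trail:
!    show logging | include CLI audit
!    An "enable 15" line from the spog session is the tell that the
!    integration will not work with a sub-15 account.
```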
Even if you grant the user account execute privileges for the ‘show version’ command, SPOG will still try to elevate its privileges to level 15.
In light of not just general security best practices, but also the recent SolarWinds breach that allowed an attacker god-level access, it’s astonishing that Cisco still *requires* telnet for, well, anything, but also doesn’t allow for workarounds such as creating custom privilege levels on the IOS device to create this integration. </rant>