CERT Advisory: Cisco IOS DoS vulnerabilities (Just an FYI)

Discussion in 'Cisco' started by Pavlov, Apr 21, 2004.

  1. Pavlov

    Pavlov Guest

    Just passing this info along:

    <snip>

    Cisco IOS SNMP Message Handling Vulnerability

    Original release date: April 20, 2004
    Last revised: --
    Source: US-CERT

    Systems Affected

    * Cisco routers and switches running vulnerable versions of IOS.
    Vulnerable IOS versions known to be affected include:

    * 12.0(23)S4, 12.0(23)S5
    * 12.0(24)S4, 12.0(24)S5
    * 12.0(26)S1
    * 12.0(27)S
    * 12.0(27)SV, 12.0(27)SV1
    * 12.1(20)E, 12.1(20)E1, 12.1(20)E2
    * 12.1(20)EA1
    * 12.1(20)EW, 12.1(20)EW1
    * 12.1(20)EC, 12.1(20)EC1
    * 12.2(12g), 12.2(12h)
    * 12.2(20)S, 12.2(20)S1
    * 12.2(21), 12.2(21a)
    * 12.2(23)
    * 12.3(2)XC1, 12.3(2)XC2
    * 12.3(5), 12.3(5a), 12.3(5b)
    * 12.3(6)
    * 12.3(4)T, 12.3(4)T1, 12.3(4)T2, 12.3(4)T3
    * 12.3(5a)B
    * 12.3(4)XD, 12.3(4)XD1

    Overview

    There is a vulnerability in Cisco's Internetwork Operating System
    (IOS) SNMP service. When vulnerable Cisco routers or switches process
    specific SNMP requests, the system may reboot. If repeatedly
    exploited, this vulnerability could result in a sustained denial of
    service (DoS).

    This vulnerability is distinct from the vulnerability described in
    US-CERT Technical Alert TA04-111A issued earlier today. Cisco has
    published an advisory about this distinct SNMP issue at the following
    location:

    <http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml>

    I. Description

    The Simple Network Management Protocol (SNMP) is a widely deployed
    protocol that is commonly used to monitor and manage network devices.
    There are several types of SNMP messages that are used to request
    information or configuration changes, respond to requests, enumerate
    SNMP objects, and send both solicited and unsolicited alerts. These
    messages use UDP to communicate network information between SNMP
    agents and managers.

    There is a vulnerability in Cisco's IOS SNMP service in which attempts
    to process specific SNMP messages are handled incorrectly. This may
    potentially cause the device to reload.

    Typically, ports 161/udp and 162/udp are used during SNMP operations
    to communicate. In addition to these well-known ports, Cisco IOS uses
    a randomly selected UDP port in the range from 49152/udp to 59152/udp
    (and potentially up to 65535) to listen for other types of SNMP
    messages. While SNMPv1 and SNMPv2c formatted messages can trigger this
    vulnerability, the greatest risk is exposed when any SNMPv3 solicited
    operation is sent to a vulnerable port.

    Cisco notes in their advisory:

    "SNMPv1 and SNMPv2c solicited operations to the vulnerable ports will
    perform an authentication check against the SNMP community string,
    which may be used to mitigate attacks. Through best practices of
    hard to guess community strings and community string ACLs, this
    vulnerability may be mitigated for both SNMPv1 and SNMPv2c.
    However, any SNMPv3 solicited operation to the vulnerable ports
    will reset the device. If configured for SNMP, all affected
    versions will process SNMP version 1, 2c and 3 operations."

    Cisco is tracking this issue as CSCed68575. US-CERT is tracking this
    issue as VU#162451.

    II. Impact

    A remote, unauthenticated attacker could cause the vulnerable device
    to reload. Repeated exploitation of this vulnerability could lead to a
    sustained denial of service condition.

    III. Solution

    Upgrade to fixed versions of IOS

    Cisco has published detailed information about upgrading affected
    Cisco IOS software to correct this vulnerability. System managers are
    encouraged to upgrade to one of the non-vulnerable releases. For
    additional information regarding availability of repaired releases,
    please refer to the "Software Versions and Fixes" section of the Cisco
    Security Advisory.

    <http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml>

    Workarounds

    Cisco recommends a number of workarounds, including disabling SNMP
    processing on affected devices. For a complete list of workarounds,
    see the Cisco Security Advisory.

    Appendix A. Vendor Information

    This appendix contains information provided by vendors for this
    advisory. As vendors report new information to US-CERT, we will update
    this section and note the changes in our revision history. If a
    particular vendor is not listed below, we have not received their
    comments.

    Cisco Systems

    Please refer to Cisco Security Advisory: "Vulnerabilities in SNMP
    Message Processing". Cisco has published their advisory at the
    following location:

    <http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml>
    _________________________________________________________________

    US-CERT thanks Cisco Systems for notifying us about this problem.

    - Pavlov

    Check out my pics!
    http://www.neiu.edu/~akkoziol
     
    Pavlov, Apr 21, 2004
    #1
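
Added example, not part of the original post or of the US-CERT/Cisco advisories: a small inventory triage that matches the release string from `show version` against the exact list quoted above and flags devices that also have SNMP configured. The device names, banner lines and config snippets are constructed sample data; the `triage` labels are this example's own.

```python
import re

# Releases the advisory lists as "known to be affected" (exact strings).
AFFECTED = set("""
12.0(23)S4 12.0(23)S5 12.0(24)S4 12.0(24)S5 12.0(26)S1 12.0(27)S
12.0(27)SV 12.0(27)SV1 12.1(20)E 12.1(20)E1 12.1(20)E2 12.1(20)EA1
12.1(20)EW 12.1(20)EW1 12.1(20)EC 12.1(20)EC1 12.2(12g) 12.2(12h)
12.2(20)S 12.2(20)S1 12.2(21) 12.2(21a) 12.2(23) 12.3(2)XC1 12.3(2)XC2
12.3(5) 12.3(5a) 12.3(5b) 12.3(6) 12.3(4)T 12.3(4)T1 12.3(4)T2
12.3(4)T3 12.3(5a)B 12.3(4)XD 12.3(4)XD1
""".split())

# Release token in a "show version" banner line, e.g. "Version 12.2(21a),".
VERSION_RE = re.compile(r"Version\s+(\d+\.\d+\([0-9a-z]+\)[A-Za-z0-9]*)")

def ios_version(show_version):
    m = VERSION_RE.search(show_version)
    return m.group(1) if m else None

def snmp_configured(running_config):
    # Only active "snmp-server ..." statements count; "no snmp-server" does not.
    return any(line.strip().startswith("snmp-server ")
               for line in running_config.splitlines())

def triage(device):
    version = ios_version(device["show_version"])
    if version is None:
        return "unknown"
    if version not in AFFECTED:
        # The advisory's list is "known to be affected", so this is not a
        # clean bill of health; confirm against Cisco's fixed-release table.
        return "not-listed"
    return "upgrade-urgent" if snmp_configured(device["config"]) else "upgrade"

# Constructed sample inventory (not real devices).
SAMPLE = {
    "edge-1": {"show_version": "IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(21a), RELEASE SOFTWARE (fc2)",
               "config": "hostname edge-1\nsnmp-server community EXAMPLE RO 10\n"},
    "core-2": {"show_version": "IOS (tm) GS Software (GSR-P-M), Version 12.0(27)S1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)",
               "config": "hostname core-2\nsnmp-server community EXAMPLE RO 10\n"},
    "lab-3":  {"show_version": "IOS (tm) C3600 Software (C3640-IS-M), Version 12.3(6), RELEASE SOFTWARE (fc3)",
               "config": "hostname lab-3\nno snmp-server\n"},
}

def report(inventory):
    return {name: triage(dev) for name, dev in inventory.items()}
```

Matching is exact on purpose: 12.0(27)S is on the quoted list while 12.0(27)S1 is not, so prefix matching would misclassify rebuilds.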