To: nv-l@lists.us.ibm.com
Subject: [nv-l] US-CERT Technical Cyber Security Alert TA04-111B -- Cisco IOS SNMP Message Handling Vulnerability
From: Paul <pstroud@bellsouth.net>
Date: Wed, 21 Apr 2004 07:16:46 -0400
Delivery-date: Wed, 21 Apr 2004 12:36:20 +0100
Envelope-to: nv-l-archive@lists.skills-1st.co.uk
Reply-to: nv-l@lists.us.ibm.com
Sender: owner-nv-l@lists.us.ibm.com
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6b) Gecko/20031205 Thunderbird/0.4
Thought this might be of interest to a large portion of this
list. You should be able to find additional information at the
CERT site (along with the TCP (BGP) routing problem). Not a
good day for the internet in total I would say. Anyhow, here
it is....

Cisco IOS SNMP Message Handling Vulnerability

  Original release date: April 20, 2004
  Last revised: --
  Source: US-CERT

Systems Affected

    * Cisco routers and switches running vulnerable versions of IOS.
      Vulnerable IOS versions known to be affected include:

    * 12.0(23)S4, 12.0(23)S5
    * 12.0(24)S4, 12.0(24)S5
    * 12.0(26)S1
    * 12.0(27)S
    * 12.0(27)SV, 12.0(27)SV1
    * 12.1(20)E, 12.1(20)E1, 12.1(20)E2
    * 12.1(20)EA1
    * 12.1(20)EW, 12.1(20)EW1
    * 12.1(20)EC, 12.1(20)EC1
    * 12.2(12g), 12.2(12h)
    * 12.2(20)S, 12.2(20)S1
    * 12.2(21), 12.2(21a)
    * 12.2(23)
    * 12.3(2)XC1, 12.3(2)XC2
    * 12.3(5), 12.3(5a), 12.3(5b)
    * 12.3(6)
    * 12.3(4)T, 12.3(4)T1, 12.3(4)T2, 12.3(4)T3
    * 12.3(5a)B
    * 12.3(4)XD, 12.3(4)XD1

Overview

  There is a vulnerability in Cisco's Internetwork Operating System
  (IOS) SNMP service. When vulnerable Cisco routers or switches process
  specific SNMP requests, the system may reboot. If repeatedly
  exploited, this vulnerability could result in a sustained denial of
  service (DoS).

  This vulnerability is distinct from the vulnerability described in
  US-CERT Technical Alert TA04-111A issued earlier today. Cisco has
  published an advisory about this distinct SNMP issue at the following
  location:

  <http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml>

I. Description

  The Simple Network Management Protocol (SNMP) is a widely deployed
  protocol that is commonly used to monitor and manage network devices.
  There are several types of SNMP messages that are used to request
  information or configuration changes, respond to requests, enumerate
  SNMP objects, and send both solicited and unsolicited alerts. These
  messages use UDP to communicate network information between SNMP
  agents and managers.

  There is a vulnerability in Cisco's IOS SNMP service in which attempts
  to process specific SNMP messages are handled incorrectly. This may
  potentially cause the device to reload.

  Typically, ports 161/udp and 162/udp are used during SNMP operations
  to communicate. In addition to these well-known ports, Cisco IOS uses
  a randomly selected UDP port in the range from 49152/udp to 59152/udp
  (and potentially up to 65535) to listen for other types of SNMP
  messages. While SNMPv1 and SNMPv2c formatted messages can trigger this
  vulnerability, the greatest risk is exposed when any SNMPv3 solicited
  operation is sent to a vulnerable port.

  Cisco notes in their advisory:

  "SNMPv1 and SNMPv2c solicited operations to the vulnerable ports will
      perform an authentication check against the SNMP community string,
      which may be used to mitigate attacks. Through best practices of
      hard to guess community strings and community string ACLs, this
      vulnerability may be mitigated for both SNMPv1 and SNMPv2c.
      However, any SNMPv3 solicited operation to the vulnerable ports
      will reset the device. If configured for SNMP, all affected
      versions will process SNMP version 1, 2c and 3 operations."

  Cisco is tracking this issue as CSCed68575. US-CERT is tracking this
  issue as VU#162451.

II. Impact

  A remote, unauthenticated attacker could cause the vulnerable device
  to reload. Repeated exploitation of this vulnerability could lead to a
  sustained denial of service condition.

III. Solution

Upgrade to fixed versions of IOS

  Cisco has published detailed information about upgrading affected
  Cisco IOS software to correct this vulnerability. System managers are
  encouraged to upgrade to one of the non-vulnerable releases. For
  additional information regarding availability of repaired releases,
  please refer to the "Software Versions and Fixes" section of the Cisco
  Security Advisory.

  <http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml>


Workarounds

  Cisco recommends a number of workarounds, including disabling SNMP
  processing on affected devices. For a complete list of workarounds,
  see the Cisco Security Advisory.

Appendix A. Vendor Information

  This appendix contains information provided by vendors for this
  advisory. As vendors report new information to US-CERT, we will update
  this section and note the changes in our revision history. If a
  particular vendor is not listed below, we have not received their
  comments.

Cisco Systems

  Please refer to Cisco Security Advisory: "Vulnerabilities in SNMP
  Message Processing". Cisco has published their advisory at the
  following location:

  <http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml>
    _________________________________________________________________

  US-CERT thanks Cisco Systems for notifying us about this problem.
    _________________________________________________________________

  Feedback can be directed to the authors: Jeff Havrilla, Shawn Hernan,
  Damon Morda

  The latest version of this document can be found at:

    <http://www.us-cert.gov/cas/techalerts/TA04-111B.html>
    _________________________________________________________________

  Copyright 2004 Carnegie Mellon University.

  Terms of use:

    <http://www.us-cert.gov/legal.html>

  Revision History

  April 20, 2004: Initial release

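Added example (not part of the US-CERT alert or the original post): a Python triage helper that applies the alert's logic to one device, given its "show version" output and running-config. The function name triage, the status labels and the sample device text are assumptions made for illustration; the release list is copied from the alert.

```python
import re

# Releases listed under "Systems Affected" in the alert (copied from the page).
AFFECTED = set("""
12.0(23)S4 12.0(23)S5 12.0(24)S4 12.0(24)S5 12.0(26)S1 12.0(27)S 12.0(27)SV
12.0(27)SV1 12.1(20)E 12.1(20)E1 12.1(20)E2 12.1(20)EA1 12.1(20)EW 12.1(20)EW1
12.1(20)EC 12.1(20)EC1 12.2(12g) 12.2(12h) 12.2(20)S 12.2(20)S1 12.2(21)
12.2(21a) 12.2(23) 12.3(2)XC1 12.3(2)XC2 12.3(5) 12.3(5a) 12.3(5b) 12.3(6)
12.3(4)T 12.3(4)T1 12.3(4)T2 12.3(4)T3 12.3(5a)B 12.3(4)XD 12.3(4)XD1
""".split())

VERSION_RE = re.compile(r"Version\s+(\d+\.\d+\([0-9a-z]+\)[A-Za-z0-9]*)")
# IOS syntax: snmp-server community <string> [view <name>] [ro|rw] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (ro|rw))?(?: (\S+))?[ \t]*$",
    re.I | re.M)

def triage(show_version, running_config):
    """Classify one device from its 'show version' text and running-config."""
    m = VERSION_RE.search(show_version)
    version = m.group(1) if m else None
    # Assumption: any configured 'snmp-server ...' line means the agent is on;
    # a device with only 'no snmp-server' (the workaround) has none.
    snmp_on = bool(re.search(r"^snmp-server \S", running_config, re.M))
    if version not in AFFECTED:
        status = "not-listed"   # the alert's list is "known affected", not exhaustive
    elif not snmp_on:
        status = "affected-snmp-off"
    else:
        # Community ACLs only help for SNMPv1/v2c; per Cisco's note, SNMPv3
        # operations to the vulnerable ports still reset the device.
        status = "exposed"
    no_acl = [c for c, _mode, acl in COMMUNITY_RE.findall(running_config) if not acl]
    return {"version": version, "status": status, "communities_without_acl": no_acl}

# Constructed sample input (not from a real device).
SAMPLE_VERSION = "IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(21a), RELEASE SOFTWARE (fc2)"
SAMPLE_CONFIG = """hostname lab-rtr1
snmp-server community public RO
snmp-server community n3tm0n view mgmt RW 10
access-list 10 permit 192.0.2.10
"""

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_CONFIG))
```

A device reported as "exposed" needs the upgrade or the SNMP-disable workaround even when every community has an ACL; the communities_without_acl list is only the extra SNMPv1/v2c hardening gap.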




Archive operated by Skills 1st Ltd
