
Technical Cyber Security Alert 2004-111B
Posted Apr 20, 2004
Authored by US-CERT | Site cert.org

Technical Cyber Security Alert TA04-111B - There is a vulnerability in Cisco's Internetwork Operating System (IOS) SNMP service. When vulnerable Cisco routers or switches process specific SNMP requests, the system may reboot. If repeatedly exploited, this vulnerability could result in a sustained denial of service (DoS).

tags | advisory, denial of service
systems | cisco
SHA-256 | 3fed4b1233387104fb4e7e1bcf2dc6aba32e42412482673afff6ef774107c8b3


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco IOS SNMP Message Handling Vulnerability

Original release date: April 20, 2004
Last revised: --
Source: US-CERT

Systems Affected

* Cisco routers and switches running vulnerable versions of IOS.
Vulnerable IOS versions known to be affected include:

* 12.0(23)S4, 12.0(23)S5
* 12.0(24)S4, 12.0(24)S5
* 12.0(26)S1
* 12.0(27)S
* 12.0(27)SV, 12.0(27)SV1
* 12.1(20)E, 12.1(20)E1, 12.1(20)E2
* 12.1(20)EA1
* 12.1(20)EW, 12.1(20)EW1
* 12.1(20)EC, 12.1(20)EC1
* 12.2(12g), 12.2(12h)
* 12.2(20)S, 12.2(20)S1
* 12.2(21), 12.2(21a)
* 12.2(23)
* 12.3(2)XC1, 12.3(2)XC2
* 12.3(5), 12.3(5a), 12.3(5b)
* 12.3(6)
* 12.3(4)T, 12.3(4)T1, 12.3(4)T2, 12.3(4)T3
* 12.3(5a)B
* 12.3(4)XD, 12.3(4)XD1

Overview

There is a vulnerability in Cisco's Internetwork Operating System
(IOS) SNMP service. When vulnerable Cisco routers or switches process
specific SNMP requests, the system may reboot. If repeatedly
exploited, this vulnerability could result in a sustained denial of
service (DoS).

This vulnerability is distinct from the vulnerability described in
US-CERT Technical Alert TA04-111A issued earlier today. Cisco has
published an advisory about this distinct SNMP issue at the following
location:

<http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml>

I. Description

The Simple Network Management Protocol (SNMP) is a widely deployed
protocol that is commonly used to monitor and manage network devices.
There are several types of SNMP messages that are used to request
information or configuration changes, respond to requests, enumerate
SNMP objects, and send both solicited and unsolicited alerts. These
messages use UDP to communicate network information between SNMP
agents and managers.

There is a vulnerability in Cisco's IOS SNMP service in which specific
SNMP messages are handled incorrectly during processing. This may
cause the device to reload.

Typically, ports 161/udp and 162/udp are used during SNMP operations
to communicate. In addition to these well-known ports, Cisco IOS uses
a randomly selected UDP port in the range from 49152/udp to 59152/udp
(and potentially up to 65535) to listen for other types of SNMP
messages. While SNMPv1 and SNMPv2c formatted messages can trigger this
vulnerability, the risk is greatest when any SNMPv3 solicited
operation is sent to a vulnerable port.
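
For monitoring, the port ranges above can be combined with the SNMP version field to review captured UDP traffic addressed to routers and switches. The following is an added example, not part of the US-CERT alert or Cisco's advisory; the function names, the tuple layout, the severity labels and the header-only sample payloads are assumptions made for illustration.

```python
# Added example: classify UDP datagrams sent to network devices by SNMP version.
SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
WELL_KNOWN = {161, 162}
HIGH_PORTS = range(49152, 65536)  # 49152-59152 per the alert, potentially up to 65535


def snmp_version(payload: bytes):
    """Return 'v1', 'v2c' or 'v3' if the payload starts like an SNMP message."""
    # An SNMP message is a BER SEQUENCE (0x30) whose first element is the
    # INTEGER (0x02) version field.
    if len(payload) < 5 or payload[0] != 0x30:
        return None
    i = 1
    if payload[i] & 0x80:               # long-form length: skip its octets
        n = payload[i] & 0x7F
        if n == 0 or n > 4:
            return None
        i += 1 + n
    else:
        i += 1
    if len(payload) < i + 3 or payload[i] != 0x02 or payload[i + 1] != 1:
        return None
    return SNMP_VERSIONS.get(payload[i + 2])


def review(datagrams, devices, managers):
    """datagrams: (src, dst, dport, payload) tuples taken from a capture."""
    alerts = []
    for src, dst, dport, payload in datagrams:
        if dst not in devices or src in managers:
            continue
        if dport not in WELL_KNOWN and dport not in HIGH_PORTS:
            continue
        version = snmp_version(payload)
        if version is None:
            continue
        # v1/v2c requests face a community-string check first; v3 does not.
        severity = "high" if version == "v3" else "medium"
        alerts.append((src, dst, dport, version, severity))
    return alerts


# Constructed sample: header-only byte strings, documentation-range addresses.
V3, V2C = bytes.fromhex("3006020103040100"), bytes.fromhex("3006020101040100")
SAMPLE = [("203.0.113.5", "192.0.2.1", 50123, V3),
          ("203.0.113.5", "192.0.2.1", 161, V2C),
          ("198.51.100.10", "192.0.2.1", 161, V3),   # known manager
          ("203.0.113.5", "192.0.2.1", 50123, b"\x00\x01hello")]
```
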

Cisco notes in their advisory:

"SNMPv1 and SNMPv2c solicited operations to the vulnerable ports will
perform an authentication check against the SNMP community string,
which may be used to mitigate attacks. Through best practices of
hard to guess community strings and community string ACLs, this
vulnerability may be mitigated for both SNMPv1 and SNMPv2c.
However, any SNMPv3 solicited operation to the vulnerable ports
will reset the device. If configured for SNMP, all affected
versions will process SNMP version 1, 2c and 3 operations."

Cisco is tracking this issue as CSCed68575. US-CERT is tracking this
issue as VU#162451.
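
To triage an inventory against this alert, the version list under "Systems Affected" can be checked together with each device's SNMP configuration. The following is an added example, not code from US-CERT or Cisco; the function name, status labels and sample `show version` and configuration text are constructed, and it assumes the usual `snmp-server community <string> [view <name>] [ro|rw] [<acl>]` line layout.

```python
import re

# Releases copied from the alert's "Systems Affected" list. The alert says the
# affected versions "include" these, so a miss means "not listed", not "safe".
AFFECTED = {
    "12.0(23)S4", "12.0(23)S5", "12.0(24)S4", "12.0(24)S5", "12.0(26)S1",
    "12.0(27)S", "12.0(27)SV", "12.0(27)SV1", "12.1(20)E", "12.1(20)E1",
    "12.1(20)E2", "12.1(20)EA1", "12.1(20)EW", "12.1(20)EW1", "12.1(20)EC",
    "12.1(20)EC1", "12.2(12g)", "12.2(12h)", "12.2(20)S", "12.2(20)S1",
    "12.2(21)", "12.2(21a)", "12.2(23)", "12.3(2)XC1", "12.3(2)XC2",
    "12.3(5)", "12.3(5a)", "12.3(5b)", "12.3(6)", "12.3(4)T", "12.3(4)T1",
    "12.3(4)T2", "12.3(4)T3", "12.3(5a)B", "12.3(4)XD", "12.3(4)XD1",
}
VERSION_RE = re.compile(r"Version\s+(\d+\.\d+\([0-9a-z]+\)[A-Za-z0-9]*)")


def triage(show_version: str, running_config: str) -> dict:
    m = VERSION_RE.search(show_version)
    version = m.group(1) if m else None
    result = {"version": version, "status": "not-listed",
              "communities_without_acl": 0}
    if version not in AFFECTED:
        return result
    snmp = [line.split() for line in running_config.splitlines()
            if line.strip().startswith("snmp-server ")]
    if not snmp:
        result["status"] = "listed-snmp-off"
        return result
    # SNMP is configured: per the alert the device processes v1, v2c and v3,
    # and the community check does not apply to SNMPv3, so the device needs
    # the upgrade or a workaround whatever the community findings are.
    result["status"] = "listed-snmp-on"
    for tok in snmp:
        if len(tok) < 3 or tok[1] != "community":
            continue
        rest = tok[3:]                      # tokens after the community string
        if rest[:1] == ["view"]:
            rest = rest[2:]
        if rest and rest[0].lower() in ("ro", "rw"):
            rest = rest[1:]
        if not rest:                        # no trailing ACL number or name
            result["communities_without_acl"] += 1
    return result


# Constructed sample input, not taken from a real device.
SAMPLE_VERSION = "IOS (tm) 7200 Software (C7200-JS-M), Version 12.3(5a), RELEASE SOFTWARE (fc1)"
SAMPLE_CONFIG = "snmp-server community EXAMPLE-A RO 10\nsnmp-server community EXAMPLE-B RO\n"
```

The result reports a count rather than the community strings themselves, so it can be logged without exposing them.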

II. Impact

A remote, unauthenticated attacker could cause the vulnerable device
to reload. Repeated exploitation of this vulnerability could lead to a
sustained denial of service condition.

III. Solution

Upgrade to fixed versions of IOS

Cisco has published detailed information about upgrading affected
Cisco IOS software to correct this vulnerability. System managers are
encouraged to upgrade to one of the non-vulnerable releases. For
additional information regarding availability of repaired releases,
please refer to the "Software Versions and Fixes" section of the Cisco
Security Advisory.

<http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml>


Workarounds

Cisco recommends a number of workarounds, including disabling SNMP
processing on affected devices. For a complete list of workarounds,
see the Cisco Security Advisory.

Appendix A. Vendor Information

This appendix contains information provided by vendors for this
advisory. As vendors report new information to US-CERT, we will update
this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.

Cisco Systems

Please refer to Cisco Security Advisory: "Vulnerabilities in SNMP
Message Processing". Cisco has published their advisory at the
following location:

<http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml>
_________________________________________________________________

US-CERT thanks Cisco Systems for notifying us about this problem.
_________________________________________________________________

Feedback can be directed to the authors: Jeff Havrilla, Shawn Hernan,
Damon Morda

The latest version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA04-111B.html>
_________________________________________________________________

Copyright 2004 Carnegie Mellon University.

Terms of use:

<http://www.us-cert.gov/legal.html>

Revision History

April 20, 2004: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAhdSYXlvNRxAkFWARAqPXAJ98/hPua542rVKLAgmOVFRJEbLgHACgsBYS
vP+68misX1RV+A2fWyU2NQA=
=jID6
-----END PGP SIGNATURE-----