TANDBERG <F9.0 SNMP DOS

["David Klein" <David.Klein () ipfocus com au>]

============================================================================
Vendor: TANDBERG part of Cisco.
Author: David Klein, IP Focus.
-------
Timeline:
29032010 - Vendor notified of verbose snmp resp regardless of community.
31032010 - Research at IP Focus turned this into a Denial of Service.
06042010 - IP Focus requested confirmation of DoS.
08042010 - Vendor confirmed.
24062010 - Vendor advised of beta FW to test.
02072010 - Confirmed initial DoS condition has been eliminated.
23082010 - Firmware 9.0 released.

-------
Details:
Sending 1xSNMP packet with a spoofed source IP of the target to Tandberg MXP
series causes a reboot. Payload in data field is '30 26'h

Community name does not need to be valid. 

The reason for the crash is that any sent SNMP packet the Tandberg will
respond, faking the source IP and sending the response back to itself, this
response then loops until memory runs out. Takes <1 minute.

-------
Systems:

Only MXP Systems are vulnerable to this condition.

-------
Workaround:

Upgrade to Firmware version 9.0

ftp://ftp.tandberg.com/pub/software/endpoints/mxp/f90/

============================================================================


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/