SNMP vul, Cisco routers, DoS without a community string possible?

[Joshua Wright <Joshua.Wright () jwu edu>]

I have been experimenting with the PROTOS SNMP test cases for req-app test
material against my Cisco 2621 running 12.0(7)T.  I have been able to
reliably force the router to crash/dump and reload when I have "snmp-server
community public RO" or "snmp-server host 1.1.1.1 public" configured on the
router, but am unable to DoS the router when configured with a community
string that does not match the one used in the PROTOS test cases.

The CERT advisory indicates that simply changing the community to a
hard-to-guess value is "not sufficient to mitigate the impact of these
vulnerabilities".  Cisco also recommends applying ACL's to stop unspecified
hosts from contacting UDP/161 on the router.

Has anyone confirmed that Cisco and other vendors are subject to a DoS
through the PROTOS test suite without prior knowledge of the SNMP community
string?

Many thanks.

-Joshua Wright
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright () jwu edu 

pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73