Vulnerability Development mailing list archives

Re: SNMP vul, Cisco routers, DoS without a community string possible?


From: Eric Brandwine <ericb () UU NET>
Date: 15 Feb 2002 16:37:25 +0000

"jw" == Joshua Wright <Joshua.Wright () jwu edu> writes:

jw> I have been experimenting with the PROTOS SNMP test cases for req-app test
jw> material against my Cisco 2621 running 12.0(7)T.  I have been able to
jw> reliably force the router to crash/dump and reload when I have "snmp-server
jw> community public RO" or "snmp-server host 1.1.1.1 public" configured on the
jw> router, but am unable to DoS the router when configured with a community
jw> string that does not match the one used in the PROTOS test cases.

jw> The CERT advisory indicates that simply changing the community to a
jw> hard-to-guess value is "not sufficient to mitigate the impact of these
jw> vulnerabilities".  Cisco also recommends applying ACLs to stop unspecified
jw> hosts from contacting UDP/161 on the router.

jw> Has anyone confirmed that Cisco and other vendors are subject to a DoS
jw> through the PROTOS test suite without prior knowledge of the SNMP community
jw> string?

Cisco in particular has a hefty problem on their hands.  They have
such a broad product range, and so many versions of software, that no
one person has their head around the entire thing.  Add in other
vendors, and you've got a real party.  Be very specific when asking
these questions, or you'll get conflicting answers.

Some versions of Cisco IOS on some platforms are vulnerable,
regardless of community string and ACL.  Some are only vulnerable if
you have a valid string and know what IP to source your packets from.
The same is true of other vendors' products.  Many are safe unless you
know the string, but there are enough for which the string does not
matter at all.  

Just due to the nature, req-enc is more likely to cause problems when
you don't know the string.

ericb
-- 
Eric Brandwine     |  UNIX is the answer, but only if you phrase the question
UUNetwork Security |  very carefully.
ericb () uu net       |
+1 703 886 6038    |      - Usenet
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E
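
An added example, not part of the original message or either poster's code: a small Python audit of the two configuration mitigations discussed in this thread, a community string that does not match the test cases and an ACL on the community. It assumes classic IOS `snmp-server community <string> [view <name>] [RO|RW] [<acl>]` syntax; the sample config, function name and finding labels are constructed, and as the reply notes, a clean result does not mean a given IOS version is unaffected.

```python
import re

# Constructed sample running-config fragment (not from the original post).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community n0c-Rd-7f3k RO 10
snmp-server community n0c-Rw-91qz RW 20
snmp-server host 1.1.1.1 public
access-list 10 permit 192.0.2.10
"""

# "public" is the string the quoted tests matched; "private" is an assumed extra default.
WELL_KNOWN = {"public", "private"}
# Assumed syntax: snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)?"
    r"(?: (?P<mode>RO|RW))?(?: (?P<acl>\S+))?$",
    re.IGNORECASE)
# Only the two-argument host form quoted in the thread is parsed.
HOST_RE = re.compile(r"^snmp-server host \S+ (?P<name>\S+)$", re.IGNORECASE)
ACL_RE = re.compile(r"^(?:access-list (\S+)|ip access-list \w+ (\S+))")

def audit_snmp(config):
    """Return a list of (line_number, finding) tuples for one config text."""
    lines = [line.strip() for line in config.splitlines()]
    defined = set()
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            defined.add(m.group(1) or m.group(2))
    findings = []
    for no, line in enumerate(lines, 1):
        m = COMMUNITY_RE.match(line)
        if m:
            if m.group("name").lower() in WELL_KNOWN:
                findings.append((no, "well-known community string"))
            acl = m.group("acl")
            if acl is None:
                findings.append((no, "no ACL on community"))
            elif acl not in defined:
                findings.append((no, "ACL %s not defined in this config" % acl))
            continue
        m = HOST_RE.match(line)
        if m and m.group("name").lower() in WELL_KNOWN:
            findings.append((no, "well-known community string on snmp-server host"))
    return findings

if __name__ == "__main__":
    for no, finding in audit_snmp(SAMPLE_CONFIG):
        print("line %d: %s" % (no, finding))
```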

