[cisco-ttl] FW: US-CERT Technical Cyber Security Alert TA04-111B -- Cisco IOS SNMP Message Handling Vulnerability

From: Cumhur (yahoo_at_cumhur.com)
Date: Wed Apr 21 2004 - 14:38:19 GMT

    For your information.

    Cumhur

    -----Original Message-----
    From: CERT Advisory [mailto:cert-advisory_at_cert.org]
    Sent: Wednesday, April 21, 2004 05:05
    To: cert-advisory_at_cert.org
    Subject: US-CERT Technical Cyber Security Alert TA04-111B -- Cisco IOS SNMP
    Message Handling Vulnerability

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Cisco IOS SNMP Message Handling Vulnerability

       Original release date: April 20, 2004
       Last revised: --
       Source: US-CERT

    Systems Affected

         * Cisco routers and switches running vulnerable versions of IOS.
           Vulnerable IOS versions known to be affected include:

         * 12.0(23)S4, 12.0(23)S5
         * 12.0(24)S4, 12.0(24)S5
         * 12.0(26)S1
         * 12.0(27)S
         * 12.0(27)SV, 12.0(27)SV1
         * 12.1(20)E, 12.1(20)E1, 12.1(20)E2
         * 12.1(20)EA1
         * 12.1(20)EW, 12.1(20)EW1
         * 12.1(20)EC, 12.1(20)EC1
         * 12.2(12g), 12.2(12h)
         * 12.2(20)S, 12.2(20)S1
         * 12.2(21), 12.2(21a)
         * 12.2(23)
         * 12.3(2)XC1, 12.3(2)XC2
         * 12.3(5), 12.3(5a), 12.3(5b)
         * 12.3(6)
         * 12.3(4)T, 12.3(4)T1, 12.3(4)T2, 12.3(4)T3
         * 12.3(5a)B
         * 12.3(4)XD, 12.3(4)XD1

    Overview

       There is a vulnerability in Cisco's Internetwork Operating System
       (IOS) SNMP service. When vulnerable Cisco routers or switches process
       specific SNMP requests, the system may reboot. If repeatedly
       exploited, this vulnerability could result in a sustained denial of
       service (DoS).

       This vulnerability is distinct from the vulnerability described in
       US-CERT Technical Alert TA04-111A issued earlier today. Cisco has
       published an advisory about this distinct SNMP issue at the following
       location:

       <http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml>

    I. Description

       The Simple Network Management Protocol (SNMP) is a widely deployed
       protocol that is commonly used to monitor and manage network devices.
       There are several types of SNMP messages that are used to request
       information or configuration changes, respond to requests, enumerate
       SNMP objects, and send both solicited and unsolicited alerts. These
       messages use UDP to communicate network information between SNMP
       agents and managers.

       There is a vulnerability in Cisco's IOS SNMP service in which attempts
       to process specific SNMP messages are handled incorrectly. This may
       potentially cause the device to reload.

       Typically, ports 161/udp and 162/udp are used during SNMP operations
       to communicate. In addition to these well-known ports, Cisco IOS uses
       a randomly selected UDP port in the range from 49152/udp to 59152/udp
       (and potentially up to 65535) to listen for other types of SNMP
       messages. While SNMPv1 and SNMPv2c formatted messages can trigger this
       vulnerability, the greatest risk is exposed when any SNMPv3 solicited
       operation is sent to a vulnerable port.

       Cisco notes in their advisory:

       "SNMPv1 and SNMPv2c solicited operations to the vulnerable ports will
           perform an authentication check against the SNMP community string,
           which may be used to mitigate attacks. Through best practices of
           hard to guess community strings and community string ACLs, this
           vulnerability may be mitigated for both SNMPv1 and SNMPv2c.
           However, any SNMPv3 solicited operation to the vulnerable ports
           will reset the device. If configured for SNMP, all affected
           versions will process SNMP version 1, 2c and 3 operations."

       Cisco is tracking this issue as CSCed68575. US-CERT is tracking this
       issue as VU#162451.

    II. Impact

       A remote, unauthenticated attacker could cause the vulnerable device
       to reload. Repeated exploitation of this vulnerability could lead to a
       sustained denial of service condition.

    III. Solution

    Upgrade to fixed versions of IOS

       Cisco has published detailed information about upgrading affected
       Cisco IOS software to correct this vulnerability. System managers are
       encouraged to upgrade to one of the non-vulnerable releases. For
       additional information regarding availability of repaired releases,
       please refer to the "Software Versions and Fixes" section of the Cisco
       Security Advisory.

       <http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml>

    Workarounds

       Cisco recommends a number of workarounds, including disabling SNMP
       processing on affected devices. For a complete list of workarounds,
       see the Cisco Security Advisory.

    Appendix A. Vendor Information

       This appendix contains information provided by vendors for this
       advisory. As vendors report new information to US-CERT, we will update
       this section and note the changes in our revision history. If a
       particular vendor is not listed below, we have not received their
       comments.

    Cisco Systems

       Please refer to Cisco Security Advisory: "Vulnerabilities in SNMP
       Message Processing". Cisco has published their advisory at the
       following location:

       <http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml>
         _________________________________________________________________

       US-CERT thanks Cisco Systems for notifying us about this problem.
         _________________________________________________________________

       Feedback can be directed to the authors: Jeff Havrilla, Shawn Hernan,
       Damon Morda

       The latest version of this document can be found at:

         <http://www.us-cert.gov/cas/techalerts/TA04-111B.html>
         _________________________________________________________________

       Copyright 2004 Carnegie Mellon University.

       Terms of use:
     
         <http://www.us-cert.gov/legal.html>

       Revision History

       April 20, 2004: Initial release

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQFAhdSYXlvNRxAkFWARAqPXAJ98/hPua542rVKLAgmOVFRJEbLgHACgsBYS
    vP+68misX1RV+A2fWyU2NQA=
    =jID6
    -----END PGP SIGNATURE-----
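
The Description section of the advisory names the UDP ports involved and distinguishes SNMPv1/v2c (community-string check applies) from SNMPv3. As an added example, not part of the advisory or of Cisco's guidance, the following sketch triages UDP datagrams addressed to a router by destination port and SNMP version; the management network, sample addresses, and result labels are assumptions chosen for illustration.

```python
import ipaddress

# Assumption (not from the advisory): stations permitted to send SNMP to routers.
MGMT_NETS = [ipaddress.ip_network("192.0.2.0/28")]
SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}   # value of the msgVersion INTEGER

def snmp_version(payload: bytes):
    """Return 'v1', 'v2c' or 'v3' if payload begins like an SNMP message, else None."""
    try:
        if payload[0] != 0x30:                 # outer BER SEQUENCE tag
            return None
        i = 2
        if payload[1] & 0x80:                  # long-form length: skip its octets
            i += payload[1] & 0x7F
        if payload[i] != 0x02 or payload[i + 1] != 1:   # one-octet INTEGER
            return None
        return SNMP_VERSIONS.get(payload[i + 2])
    except IndexError:                         # truncated or empty datagram
        return None

def port_class(dport: int):
    if dport in (161, 162):
        return "well-known"
    if 49152 <= dport <= 65535:                # 49152-59152, potentially up to 65535
        return "ios-high" if dport <= 59152 else "ios-high-extended"
    return None

def triage(src: str, dport: int, payload: bytes):
    """Classify one UDP datagram addressed to a router."""
    if port_class(dport) is None:
        return "ignore"
    ver = snmp_version(payload)
    if ver is None:
        return "ignore"
    if any(ipaddress.ip_address(src) in net for net in MGMT_NETS):
        return "allowed-source"
    # Per the advisory, v1/v2c still face the community-string check; v3 does not.
    return "alert-high" if ver == "v3" else "alert"

# Constructed samples: (source, destination port, leading payload bytes only).
SAMPLES = [
    ("192.0.2.5", 161, bytes.fromhex("3029020100")),
    ("203.0.113.9", 161, bytes.fromhex("3029020101")),
    ("203.0.113.9", 50123, bytes.fromhex("303e020103")),
    ("203.0.113.9", 50123, b"\x00\x01\x02"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[1], triage(*sample))
```

The same port and source logic can be expressed as an interface ACL or a flow-log query; the version check only matters where payload bytes are available.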


    This archive was generated by hypermail 2.1.5 : Wed Apr 21 2004 - 18:39:45 GMT