Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
(Cisco Issues Advisory) Re: Many Simple Network Management Protocol (SNMP) Implementations Allow Remote Users to Deny Service or Obtain Access to the System
|
|
SecurityTracker Alert ID: 1003531 |
|
SecurityTracker URL: http://securitytracker.com/id/1003531
|
|
CVE Reference:
CAN-2002-0012, CAN-2002-0013
(Links to External Site)
|
Date: Feb 13 2002
|
Impact:
Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
|
Description:
CERT reported that the University of Oulu (Finland) has discovered vulnerabilities in many vendor implementations of the Simple Network Management Protocol (SNMP) version 1.
The Oulu University Secure Programming Group (OUSPG, http://www.ee.oulu.fi/research/ouspg/) reports that there are numerous vulnerabilities in SNMPv1 implementations from many different vendors. A remote user can reportedly cause denial of service attacks.
Cisco confirms that there are multiple Cisco products that contain vulnerabilities in the processing of SNMP messages and that the vulnerabilities can be repeatedly exploited to produce a denial of service.
A long list of products is affected, including IOS and non-IOS based software versions. To see if your Cisco product and sofware version is affected, see the Cisco advisories:
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml.
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-non-ios-pub.shtml
|
Impact:
A remote user may be able to cause denial of service conditions. Cisco reports that the vulnerability can be exploited to cause an affected Cisco product to crash and reload.
|
Solution:
Cisco has released fixes for some releases and is planning to release fixes for additional releases. To see if a fix is available or to see when a fix will be available for your product and software version, refer to the Cisco advisory at:
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml
|
Vendor URL: www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml (Links to External Site)
|
Cause:
Access control error, Boundary error, Input validation error
|
Underlying OS:
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 12 Feb 2002 20:13:51 -0500
Subject: Cisco Security Advisory: Malformed SNMP Message-Handling Vulnerabilities
|
[Editor's Note: The following is a Cisco Advisory in text format. The advisory
has not been modified, per Cisco's requirements. To view the text tables, we
recommend viewing the original advisory, available at:
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml]
Cisco Security Advisory: Malformed SNMP Message-Handling Vulnerabilities
Revision 1.0
For Public Release 2002 February 12 20:00 GMT
Please provide your feedback on this document.
Summary
Multiple Cisco products contain vulnerabilities in the processing of Simple
Network Management Protocol (SNMP) messages. The vulnerabilities can be
repeatedly exploited to produce a denial of service. In most cases, workarounds
are available that may mitigate the impact. These vulnerabilities are identified
by various groups as VU#617947, VU#107186, OUSPG #0100, CAN-2002-0012, and
CAN-2002-0013.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml.
Affected Products
This security advisory applies to a broad range of Cisco products. To determine
if a product is vulnerable, review the list below. If software versions or
configuration information is included, then only those combinations are affected
(or unaffected). If the product or series is listed without any qualifying
software version information, then consult the Software Versions and Fixes
section to determine if the product is running an affected version of software.
Additional information per product is provided in the Details and Workarounds
sections below.
The following Cisco products are vulnerable if they are running an affected
version of software:
800, 1000, 1005, 1400, 1600, 1700, 2500, 2600, 3600, MC3810, 4000, 4500, 4700,
6200, 6400 NRP, 6400 NSP series Cisco routers
ubr900 and ubr920 universal broadband routers
Catalyst 1500, 290x, 292x, 2900XL, 2948g, 2948g-l3, 2950, 3000, 3200, 3500XL,
3550, 4000, 4232, 4232-l3, 4840g, 4908g-l3, 4912g, 5000, 6000 RSFC series
switches
AS5200, AS5300, AS5800 series access servers
Catalyst 6000 MSM, 6000 Hybrid Mode, 6000 Native Mode, 6000 Supervisor Module,
Catalyst ATM Blade, Catalyst 6000 Network Analysis Module (NAM)
RSM, 7000, 7010, 7100, 7200, ubr7200, 7500, 7600 OSR, 10000 ESR, and 12000 GSR
series Cisco routers
Lightstream 1010 ATM switches
DistributedDirector
Catalyst 8510CSR, 8510MSR, 8540CSR, 8540MSR series switches.
BPX, IGX, MGX WAN switches, and the Service Expansion Shelf
WAN Manager
Cisco Secure PIX firewall
Cisco Secure Intrusion Detection System (NetRanger) appliance and IDS Module
BR340, WGB340, AP340, AP350, BR350 Cisco/Aironet wireless products
CSS11000 (Arrowpoint) Content Services Switch
Cache Engine 505 and 570 running 2.3 or 2.5
Content Engine 507, 560 and 590 running 2.3 or 2.5
Content Engine 507, 560, 590, and 7320 running 3.1, 4.0, or 4.1
LocalDirector
Internet CDN
VPN3000 (Altiga) VPN Concentrator
VPN5000 VPN Concentrator
Access Registrar running on Solaris 8
Cisco ws-x6608 and ws-x6624 IP Telephony Modules
Traffic Director
Cisco Info Center
Switch Probe
CiscoWorks Windows
Hosting Solution Engine
User Registration Tool VLAN Policy Server
Cisco Element Management Framework
Products Not Affected
The following Cisco products are not affected by this vulnerability in the
specified configuration, either because they do not contain the associated
defect or because they do not support SNMP. If software version information is
provided, then only that specific combination of product and software version is
not vulnerable.
Catalyst 1900s switch running any version of CatOS
FastHub 300 Ethernet repeater
Cache Engine 505 and 570 running version 2.3 or 2.5.x
Cache Engine and Content Delivery Manager running CDM Enterprise 3.0.x
CR-4430B running CDM Enterprise 3.0.x
IP/TV
Device Fault Manager
ME1100 series
Voice Manager
RTM
IP Phone (all models)
SN5400 series storage routers
CallManager
Unity Server
Access Registrar running on Solaris 7.5.1
No other Cisco product is known to be affected by this vulnerability.
Details
Simple Network Management Protocol (SNMP) defines a standard mechanism for
remote management and monitoring of devices in an Internet Protocol (IP)
network.
There are three types of SNMP messages: "get" requests to request information,
"set" requests which modify the configuration of the remote device, and "trap"
messages which provide a monitoring function.
An Object Identifier (OID) is the label employed by SNMP to uniquely specify an
item to be managed. OIDs in human-readable format are displayed as long strings
of decimal integers separated by periods, but they are packed into a more
efficient binary form for use within SNMP.
The largest group of vulnerabilities described in this advisory result from
insufficient checking of SNMP messages as they are received and processed by an
affected system. Malformed SNMP messages received by affected systems can cause
various parsing and processing functions to fail, resulting in a system crash
and a reload in most circumstances. Under some conditions, the affected device
can not reload. In a specific combination with an unrelated software defect, the
device reloads continuously and requires manual intervention to resume normal
operation.
These vulnerabilities can be easily and repeatedly demonstrated with the use of
the University of Oulu Secure Programming Group (OUSPG) "PROTOS" Test Suite for
SNMP. The test suite is generally used to analyze a protocol and produce
messages that probe various design limits within an implementation of a
protocol. Examples such as overly-long OIDs, malformed OIDs, and other
combinations of values appropriate to SNMP can be programmatically generated and
then transmitted to a network device under test. The test suite for SNMP, as
distributed, contains approximately 53,000 individual test cases. The authors
intend to make the SNMP test suite available to the public at the same time that
this advisory is published.
Impact
The vulnerability can be exploited to produce a Denial of Service (DoS) attack.
When the vulnerability is exploited, it can cause an affected Cisco product to
crash and reload.
SNMP messages are transported using User Datagram Protocol (UDP) and are subject
to IP source address spoofing. In any circumstance where ingress and egress
source IP address filtering is lacking, it is more likely that an attacker could
spoof the source IP address and circumvent access control mechanisms to cause a
vulnerable system to fail.
If an attacker is able to guess or otherwise obtain a read-only community string
for an affected device, then he or she could bypass SNMP access control relying
on the community string.
Software Versions and Fixes
Cisco IOS Software
Each row of the Cisco IOS software table (below) describes a release train and
the platforms or products for which it is intended. If a given release train is
vulnerable, then the earliest possible releases that contain the fix (the "First
Fixed Release") and the anticipated date of availability for each are listed in
the "Rebuild," "Interim," and "Maintenance" columns. A device running a release
in the given train that is earlier than the release in a specific column (less
than the First Fixed Release) is known to be vulnerable. The release should be
upgraded at least to the indicated release or a later version (greater than or
equal to the First Fixed Release label). When selecting a release, keep in mind
the following definitions:
Maintenance
Most heavily tested, stable, and highly recommended release of a release
train in any given row of the table.
Rebuild
Constructed from the previous maintenance or major release in the same
train, it contains the fix for a specific defect. Although it receives less
testing, it contains only the minimal changes necessary to repair the
vulnerability.
Interim
Built at regular intervals between maintenance releases and receives less
testing. Interims should be selected only if there is no other suitable
release that addresses the vulnerability. Interim images should be upgraded
to the next available maintenance release as soon as possible. Interim
releases are not available through manufacturing, and usually they are not
available for customer download from CCO without prior arrangement with the
Cisco TAC.
In all cases, customers should exercise caution to confirm that the devices to
be upgraded contain sufficient memory and that current hardware and software
configurations will continue to be supported properly by the new software
release. If the information is not clear, contact the Cisco TAC for assistance
as shown in the "Obtaining Fixed Software" section.
More information on Cisco IOS software release names and abbreviations is
available at http://www.cisco.com/warp/public/620/1.html.
TrainImage Description or PlatformAvailability of Fixed Releases*
11.x ReleasesRebuildInterim**Maintenance
11.0 11.0(22b)
2002/02/11
11.1 11.1(24b)
TBD
11.1AA 11.1(20)AA4
2002/02/11
11.1CA 11.1(36)CA2
2002/02/11
11.1CC 11.1(36)CC4
2002/02/11
11.1CT 11.1(28a)CT
TBD
11.1IA 11.1(28a)IA
TBD
11.2 11.2(26b)
2002/02/12
11.2BC 11.2(23a)BC1
TBD
11.2GS 11.2(19a)GS6
TBD
11.2P 11.2(26)P1
2002/02/15
11.2SA 11.2(8.9)SA6
2002/02/12
11.3 11.3(11c)
2002/02/11
11.3DB 11.3(7)DB1
TBD
11.3DB 11.3(8)DB2
TBD
11.3T 11.3(11b)T2
2002/02/11
12.0 12.0(21a)
2002/02/12
12.0 12.0(8a)
2002/02/11
12.0 12.0(9a)
2002/02/12
12.0 12.0(10a)
2002/02/12
12.0 12.0(11a)
2002/02/12
12.0 12.0(12a)
2002/02/12
12.0 12.0(13a)
2002/02/12
12.0 12.0(14a)
2002/02/12
12.0 12.0(15a)
2002/02/12
12.0 12.0(16a)
2002/02/11
12.0 12.0(17a)
2002/02/11
12.0 12.0(2b)
2002/02/11
12.0 12.0(3d)
2002/02/12
12.0 12.0(5a)
2002/02/12
12.0 12.0(6a)
2002/02/11
12.0 12.0(19a)
2002/02/11
12.0 12.0(20a)
2002/02/11
12.0 12.0(18b)
TBD
12.0WT 12.0(13)WT6(1)
TBD
12.0(2)XE 12.0(2)XE?
TBD
12.0(2)XF 12.0(2)XF?
TBD
12.0(20)SX 12.0(21)SX
TBD
12.0(4)XE 12.0(4)XE1
2002/02/11
12.0(4)XM 12.0(4)XM1
2002/02/12
12.0(5)WC 2900XL-LRE 12.0(5)WC2b
2002/02/11
12.0(5)XE 12.0(5)XE3
2002/02/11
12.0(5)XK 12.0(5)XK2
2002/02/12
12.0(5)XN 12.0(5)XN1
TBD
12.0(5)XP, 2900XL, 3500XL platform 12.0(5)WC3
2002/02/12
12.0(5)XS 12.0(5)XS2
TBD
12.0(5)XU 2900XL, 3500XL platform 12.0(5)WC3
2002/02/12
12.0(7)XE 12.0(7)XE1
2002/02/11
12.0(7)XF 12.0(7)XF1
TBD
12.0(7)XK 12.0(7)XK3
2002/02/11
12.0(7)XV 12.0(7)XV
TBD
12.0DB 12.0(7)DB2
TBD
12.0DC 12.0(7)DC1
TBD
12.0S 12.0(16)S8
2002/02/12
12.0S 12.0(21)S1
2002/02/15
12.0S 12.0(13)S6
2002/02/15
12.0S 12.0(9)S8
2002/02/15
12.0S 12.0(17)S4
2002/02/15
12.0S 12.0(15)S6
2002/02/15
12.0S 12.0(18)S5
2002/02/15
12.0S 12.0(19)S2
2002/02/15
12.0S 12.0(12)S3
2002/02/12
12.0S 12.0(14)S7
2002/02/12
12.0S 12.0(10)S7
2002/02/12
12.0S 12.0(11)S6
2002/02/15
12.0S 12.0(8)S1
2002/02/15
12.0SC 12.0(16)SC3
2002/02/11
12.0SL 12.0(17)SL6
2002/02/15
12.0SL 12.0(19)SL4
2002/02/12
12.0SP 12.0(20)SP1
2002/02/12
12.0ST 12.0(17)ST5
2002/02/15
12.0ST 12.0(19)ST2
2002/02/12
12.0ST 12.0(11)ST4
2002/02/12
12.0ST 12.0(14)ST3
2002/02/15
12.0ST 12.0(16)ST1
2002/02/12
12.0ST 12.0(18)ST1
2002/02/12
12.0ST 12.0(20)ST2
2002/02/12
12.0ST 12.0(21)ST
TBD
12.0T 12.0(7)T2
2002/02/12
12.0W5cat2948g-L3, cat423212.0(18)W5(22b)
2002/02/11
12.0W5c5atm,cat8510[c,m]
cat8540[c,m], ls101012.0(20)W5(24a)
2002/02/11
12.1 12.1(3b)
2002/02/12
12.1 12.1(4a)
2002/02/12
12.1 12.1(13)
2002/02/15
12.1 12.1(8c)
2002/02/11
12.1 12.1(1c)
2002/02/12
12.1 12.1(2b)
2002/02/12
12.1 12.1(5e)
2002/02/12
12.1 12.1(6a)
2002/02/11
12.1 12.1(7b)
2002/02/12
12.1 12.1(9a)
2002/02/12
12.1 12.1(12b)
2002/02/12
12.1 12.1(11b)
2002/02/12
12.1 12.1(10a)
2002/02/12
12.1(10)EX 12.1(10)EX
TBD
12.1(10)EY 12.1(10)EY
TBD
12.1(2)XF 12.1(2)XF5
2002/02/11
12.1(3)XG 12.1(3)XG6
2002/02/11
12.1(3)XI 12.1(3a)XI8
2002/02/15
12.1(3)XP 12.1(3)XP
TBD
12.1(3)XQ 12.1(3)XQ
TBD
12.1(3)XT 12.1(3)XT3
TBD
12.1(4)XY 12.1(4)XY8
2002/02/12
12.1(4)XZ 12.1(4)XZ7
2002/02/11
12.1(5)XM 12.1(5)XM7
2002/02/15
12.1(5)XV 12.1(5)XV5
2002/02/15
12.1(5)XV 12.1(5)XV4
2002/02/15
12.1(5)XV 12.1(5)XV5
2002/02/11
12.1(5)YA 12.1(5)YA2
2002/02/11
12.1(5)YB 12.1(5)YB5
2002/02/11
12.1(5)YC 12.1(5)YC2
2002/02/11
12.1(5)YD 12.1(5)YD6
2002/02/11
12.1(5)YF 12.1(5)YF4
2002/02/11
12.1(5)YH 12.1(5)YH3
2002/02/11
12.1(5)YI & 12.1(5)EY 12.1(5)YI1
2002/02/11
12.1(6)EZ 12.1(6)EZ6
2002/02/12
12.1(7a)EY 12.1(7a)EY3
2002/02/11
12.1(8a)EW 12.1(8a)EW1
2002/02/11
12.1(8a)EX 12.1(8b)EX4
2002/02/12
12.1(9)EX 12.1(9)EX3
2002/02/12
12.1AA 12.1(8)AA1
2002/02/15
12.1AA 12.1(10)AA
TBD
12.1DA 12.1(7)DA3
TBD
12.1DB 12.1(5)DB1
2002/02/15
12.1DB 12.1(1)DB2
TBD
12.1DB 12.1(3)DB1
TBD
12.1DB 12.1(4)DB2
TBD
12.1DC 12.1(5)DC2
2002/02/15
12.1DC 12.1(1)DC2
TBD
12.1DC 12.1(3)DC2
TBD
12.1DC 12.1(4)DC2
TBD
12.1E 12.1(9)E2
2002/02/12
12.1E 12.1(9)E3
2002/02/15
12.1E 12.1(10)E4
2002/02/15
12.1E 12.1(1)E5
2002/02/12
12.1E 12.1(5c)E12
2002/02/11
12.1E 12.1(5c)E12
2002/02/11
12.1E 12.1(8b)E11
2002/02/11
12.1E 12.1(11)E
2002/02/25
12.1E 12.1(8b)E9
2002/02/11
12.1E 12.1(6)E8
TBD
12.1E 12.1(3a)E7
TBD
12.1E 12.1(3a)E8
TBD
12.1E 12.1(7a)E6
TBD
12.1E 12.1(4)E3
2002/02/12
12.1EC 12.1(10)EC1
2002/02/15
12.1EC 12.1(11)EC
TBD
12.1T 12.1(5)T12
2002/02/12
12.2 12.2(1d)
2002/02/12
12.2 12.2(5d)
2002/02/12
12.2 12.2(6c)
2002/02/12
12.2 12.2(3d)
2002/02/12
12.2 12.2(7a)
2002/02/15
12.2(1)XA 12.2(2)XA5
2002/02/12
12.2(1)XD 12.2(1)XD3
2002/02/11
12.2(1)XE 12.2(1)XE2
2002/02/11
12.2(1)XS 12.2(1)XS1
TBD
12.2(2)BY 12.2(2)BY2
2002/02/11
12.2(2)XB 12.2(2)XB3
2002/02/15
12.2(2)XB 12.2(2)XB4
2002/02/11
12.2(2)XG 12.2(2)XG1
TBD
12.2(2)XH 12.2(2)XH2
2002/02/11
12.2(2)XI 12.2(2)XI1
2002/02/11
12.2(2)XJ 12.2(2)XJ1
TBD
12.2(2)XK 12.2(2)XK2
2002/02/11
12.2(2)XN 12.2(2)XN
TBD
12.2(2)XT 12.2(2)XT3
2002/02/11
12.2(2)XU 12.2(2)XU2
2002/02/15
12.2(2)XU 12.2(2)XU1
2002/02/12
12.2(2)XU 12.2(2)XU2
2002/02/11
12.2(2)YC 12.2(2)YC
TBD
12.2(4)XL 12.2(4)XL4
2002/02/11
12.2(4)XM 12.2(4)XM2
2002/02/11
12.2(4)XV 12.2(4)XV5
2002/02/15
12.2(4)XW 12.2(4)XW1
TBD
12.2(4)YA 12.2(4)YA1
2002/02/11
12.2(4)YB 12.2(4)YB
TBD
12.2B 12.2(4)BX
TBD
12.2B 12.2(4)B2
2002/02/15
12.2B 12.2(4)B4
2002/02/15
12.2BC 12.2(4)BC1a
2002/02/15
12.2BX 12.2(2)BX
2002/02/15
12.2BX 12.2(4)BX
TBD
12.2DA 12.2(7)DA
2002/02/15
12.2DA 12.2(1b)DA1
TBD
12.2DA 12.2(5)CA1
TBD
12.2DD 12.2(2)DD3
2002/02/12
12.2MB 12.2(4)MB3
2002/02/15
12.2S 12.2(9)S
TBD
12.2T 12.2(2)T4
2002/02/12
12.2T 12.2(4)T3
2002/02/19
12.2T 12.2(6.8)T0a
2002/02/15
12.2T 12.2(8)T
2002/02/11
12.2T 12.2(6.8)T1a
2002/02/11
2900XL/3500XL 12.0(5.1)XP 12.0(5)XU 12.0(5.2)XU 12.0(5.3)WC1 12.0(5)WC2
12.0(5)WC3
2002/02/12
2900XL-LRE: 12.0(5)WC2, 12.0(5.4)WC1 12.0(5)WC2b
2002/02/11
2950 12.0(5.3)WC1 12.0(5.4)WC1 12.0(5)WC2 12.1(6)EA2 12.1(6)EA2a
12.1(6)EA2b
2002/02/11
3550 12.1(4)EA1e 12.1(6)EA1 12.1(6)EA1a 12.1(8)EA1b
2002/02/12
Please review the information in the following link for details on Cisco non-IOS
products:
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-non-ios-pub.shtml
Obtaining Fixed Software
Cisco is offering free software upgrades to remedy this vulnerability for all
affected customers. Customers with service contracts may upgrade to any software
release containing the feature sets they have purchased. Customers without
contracts may upgrade only within a single row of the table above, except that
any available fixed software release will be provided to any customer who can
use it and for whom the standard fixed software release is not yet available.
Customers may only install and expect support for the feature sets they have
purchased.
Customers with contracts should obtain upgraded software through their regular
update channels. For most customers, this means that upgrades should be obtained
through the Software Center on Cisco's Worldwide Web site at
http://www.cisco.com/.
Customers whose Cisco products are provided or maintained through prior or
existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that support
organization for assistance with the upgrade, which should be free of charge.
Customers who purchased directly from Cisco but who do not hold a Cisco service
contract, and customers who purchase through third party vendors but are
unsuccessful at obtaining fixed software through their point of sale, should
obtain fixed software by contacting the Cisco Technical Assistance Center (TAC).
TAC contacts are as follows:
+1 800 553 2447 (toll free from within North America)
+1 408 526 7209 (toll call from anywhere in the world)
e-mail: tac@cisco.com
See http://www.cisco.com/warp/public/687/Directory.shtml for additional TAC
contact information, including instructions and e-mail addresses for use in
various languages.
Please have your product serial number available and give the URL of this notice
as evidence of your entitlement to a free upgrade. Free upgrades for
non-contract customers must be requested through the TAC.
Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for
software upgrades.
Workarounds
The usefulness of any workaround is dependent on specific customer situations
such as products, software versions, network topology, traffic behavior, and
organizational mission. Due to the great variety of affected products and
releases, customers should carefully evaluate each workaround to ensure it is
appropriate for use in the intended network before it is deployed.
General Measures
Turn SNMP off in the device. This is an effective workaround, but removes
management capability to the device. This can be done using the following
configure command:
no snmp-server
Removing the community string public with the configure command:
no snmp-server community public ro
is not sufficient as the SNMP server will still be running and the device will
be vulnerable. The command no snmp server must be used instead. Verify SNMP
server status by using the enable command show snmp. You should see a response
of "%SNMP agent not enabled".
Apply an extended access list (ACL) to deny protocol UDP, port 161 and 162, at
the interface level such that SNMP access to the device is allowed only from
the network management workstations. This can be done using the following
configure commands:
access-list 100 permit ip host 1.1.1.1 any
access-list 100 deny udp any any eq snmp
access-list 100 deny udp any any eq snmptrap
access-list 100 permit any any
where 1.1.1.1 is the trusted network management station. This access list must
be applied to all interfaces using the following configure commands:
interface serial 0
ip access-group 100 in
This will not prevent spoofed IP packets with the source IP address set to
that of the network management station from reaching the switch's management
interface.
The access-list statement containing "snmptrap" will prevent notification
messages from entering the network when it is applied at the network edge.
The Cisco SAFE white papers cover techniques that can be used to control IP
address spoofing. These papers can be found at:
Cisco SAFE Solution
Two white papers cover securing your network in general and controlling IP
address spoofing specifically:
SAFE: A Security Blueprint for Enterprise Networks
SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User
Networks
Workarounds with Caveats
Apply an SNMP community-based ACL to allow SNMP access to the device only from
the network management workstations using the following configure commands:
access-list 1 permit 1.1.1.1
snmp-server community string1 ro 1
In this case the trusted management station is at address 1.1.1.1.
If community strings are also configured for notifications, they must be
different than the community strings used for requests in order for this
workaround to be effective. Use the following configure commands to change
community strings for notifications that are the same as community strings
used for requests.
no snmp-server host 1.1.1.1 string1
snmp-server community string1 ro 1
The second command above reapplies the access list to the community and must
be reentered after the snmp-server host command is entered to ensure the
access list is applied correctly in some Cisco IOS software releases.
Use the following configure command to tell the device to send notifications
using the new community string:
snmp-server host 1.1.1.1 anythingbutstring1
All community strings used for notifications, like the "anythingbutstring1"
community string above, need to be set to deny all SNMP requests. Use the
following configure commands to do this:
access-list 2 deny any
snmp-server community anythingbutstring1 ro 2
This is required because Cisco IOS software configures community strings used
for notifications with no read or write view. You cannot see or change any
information on the device using this string. However, requests using a
community string with no view will still be processed by the device and the
PROTOS tool could exploit this processing and crash the device.
Please note that in order for this to take effect, the commands must be issued
in the following order:
snmp-server host 1.1.1.1 anythingbutstring1
snmp-server community anythingbutstring1 ro 2
This configuration will not survive a reload.
In certain releases, entering the snmp-server community command will delete
the notify view required to send traps. This can be determined by running the
enable command:
show snmp group
Look for two or more groups with the same name as the community string used
for notifications. The output should look like this:
groupname: anythingbutstring1 security model:v1
readview :v1default writeview:
notifyview: *tv.FFFFFFFF.FFFFFFFF
row status: active access-list: 1
groupname: anythingbutstring1 security model:v2c
readview :v1default writeview:
notifyview:
row status: active access-list: 1
Ensure that the notifyview is set for the version of notifications you want
the device to send and that the access-list is set correctly for all security
models.
If either fields are not correct, first reapply the configure command:
snmp-server host 1.1.1.1 anythingbutstring1
Then look at the output of show snmp group again. Take the view listed as the
notifyview, the correct access-list number, and the security model version and
enter the following configure command:
snmp-server group anythingbutstring1 v1 notify *tv.FFFFFFFF.FFFFFFFF access
1
Modify the above command to match your configuration. Verify this worked using
the show snmp group enable command.
Note: The snmp-server group command will show up in the configuration before
the snmp-server host command, so this part of the workaround will not survive
a reboot. After a reboot, the device will continue to send traps but the
snmp-server group command will need to be reentered to protect the device from
exploits using this community string.
Do not use the string "public" as a community string at all. The PROTOS test
suite uses "public" in its tests as configured by OULU.
Note: Even though the current version of the PROTOS tests will not crash the
Cisco IOS software device if the device community string is not public, it is
very easy to modify the PROTOS code so that other community string values are
used. Therefore, it is important to use a community ACL to further reduce your
risk.
Caveats
The following workaround is effective in the following Cisco IOS software
releases:
11.0, 11.1, 11.2 and derivatives
12.0(3)T and later 12.0()T
12.0(6)S and later 12.0S
12.0(8.6)ST through 12.0(19.1)ST, 12.0(19.6)ST and later
12.1
12.1(1)T up to 12.1(4.4)T
12.1(1)E up to 12.1(9.4)E
12.1(1)EC up to 12.1(9.4)EC
to the best of our knowledge at this time based on testing and code inspection.
These workarounds are NOT effective in:
11.3, 11.3T
12.0
12.0(1)S through 12.0(5.x)S
12.0(19.3)ST, 12.0(19.3)ST1, 12.0(19.3)ST2
12.1(4.4)T2 and later 12.1()T
12.1(9.5)E and later 12.1()E
12.1(9.5)EC and later 12.1()EC
12.2, 12.2T
Troubleshooting Tips for Cisco IOS Software
Configure the startup-config with no SNMP and the running-config with the
SNMP. In the event of a successful exploit due to this vulnerability, the
affected device will reload with a new configuration in which SNMP is
disabled. This will prevent additional, repeated exploit of the vulnerability.
Configure the SNMP Community ACLs with the "log" keyword. Monitor syslog for
failed attempts.
Periodically check SNMP for errors.
Configuration Notes
show snmp
Command output:
router#show snmp
Chassis: 21350479
17005 SNMP packets input
37 Bad SNMP version errors **
15420 Unknown community name **
0 Illegal operation for community name supplied
1548 Encoding errors **
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Set-request PDUs
0 SNMP packets output
0 Too big errors (Maximum packet size 1500)
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
0 Trap PDUs
Watch the counters marked **
Exploitation and Public Announcements
Cisco is not aware of any malicious exploitation of this vulnerability.
The largest set of these vulnerabilities were reported by the OUSPG at the
University of Oulu, Finland, in concert with the CERT Coordination Center. A
small number were reported by Cisco customers and some were internally
discovered.
These vulnerabilities are present in other products not provided by Cisco, and
this security advisory is being published simultaneously with announcements from
the other affected organizations.
Status of This Notice: Interim
This is an interim Security Advisory notice. Cisco anticipates issuing updated
versions of this notice at irregular intervals as there are material changes in
the facts, and will continue to update this notice as necessary.
The reader is warned that this notice may contain inaccurate or incomplete
information. Although Cisco cannot guarantee the accuracy of all statements in
this notice, all of the facts have been checked to the best of our ability.
Cisco anticipates weekly updates of this notice until it reaches final status.
A standalone copy or paraphrase of the text of this Security Advisory that omits
the distribution URL in the following section is an uncontrolled copy, and may
lack important information or contain factual errors.
Distribution
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml. In
addition to Worldwide Web posting, a text version of this notice is clear-signed
with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet
news recipients:
cust-security-announce@cisco.com
bugtraq@securityfocus.com
first-teams@first.org (includes CERT/CC)
cisco@spot.colorado.edu
comp.dcom.sys.cisco
firewalls@lists.gnac.com
Various internal Cisco mailing lists
Future updates of this notice, if any, will be placed on Cisco's Worldwide Web
server, but may or may not be actively announced on mailing lists or newsgroups.
Users concerned about this problem are encouraged to check the URL given above
for any updates.
Revision History
Revision Number 1.02002-Feb-12 20:00 GMTInitial public release
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco products,
obtaining assistance with security incidents, and registering to receive
security information from Cisco, is available on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes
instructions for press inquiries regarding Cisco security notices. All Cisco
Security Advisories are available at http://www.cisco.com/go/psirt.
This notice is Copyright 2002 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, and include all
date and version information.
|
|
Go to the Top of This SecurityTracker Archive Page
|
