SecurityTracker.com
Category:   Application (Generic)  >   SNMP Daemon
Vendors:   Cisco
(Cisco Issues Advisory) Re: Many Simple Network Management Protocol (SNMP) Implementations Allow Remote Users to Deny Service or Obtain Access to the System
SecurityTracker Alert ID:  1003531
SecurityTracker URL:  http://securitytracker.com/id/1003531
CVE Reference:   CAN-2002-0012, CAN-2002-0013
Date:  Feb 13 2002
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   CERT reported that the University of Oulu (Finland) has discovered vulnerabilities in many vendor implementations of the Simple Network Management Protocol (SNMP) version 1.

The Oulu University Secure Programming Group (OUSPG, http://www.ee.oulu.fi/research/ouspg/) reports that there are numerous vulnerabilities in SNMPv1 implementations from many different vendors. A remote user can reportedly cause denial of service conditions by sending malformed SNMP messages.

Cisco confirms that there are multiple Cisco products that contain vulnerabilities in the processing of SNMP messages and that the vulnerabilities can be repeatedly exploited to produce a denial of service.

A long list of products is affected, including IOS and non-IOS based software versions. To see if your Cisco product and software version is affected, see the Cisco advisories:

http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-non-ios-pub.shtml

Impact:   A remote user may be able to cause denial of service conditions. Cisco reports that the vulnerability can be exploited to cause an affected Cisco product to crash and reload.
Solution:   Cisco has released fixes for some releases and is planning to release fixes for additional releases. To see if a fix is available or to see when a fix will be available for your product and software version, refer to the Cisco advisory at:

http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml

Vendor URL:  www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml
Cause:   Access control error, Boundary error, Input validation error
Underlying OS:  

Message History:   This archive entry is a follow-up to the message listed below.
Feb 12 2002 Many Simple Network Management Protocol (SNMP) Implementations Allow Remote Users to Deny Service or Obtain Access to the System



 Source Message Contents

Date:  Tue, 12 Feb 2002 20:13:51 -0500
Subject:  Cisco Security Advisory: Malformed SNMP Message-Handling Vulnerabilities


[Editor's Note:  The following is a Cisco Advisory in text format.  The advisory 
has not been modified, per Cisco's requirements.  To view the text tables, we 
recommend viewing the original advisory, available at:  
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml]


Cisco Security Advisory: Malformed SNMP Message-Handling Vulnerabilities

Revision 1.0
For Public Release 2002 February 12 20:00 GMT 






Summary

Multiple Cisco products contain vulnerabilities in the processing of Simple 
Network Management Protocol (SNMP) messages. The vulnerabilities can be 
repeatedly exploited to produce a denial of service. In most cases, workarounds 
are available that may mitigate the impact. These vulnerabilities are identified 
by various groups as VU#617947, VU#107186, OUSPG #0100, CAN-2002-0012, and 
CAN-2002-0013. 

This advisory is available at 
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml. 

Affected Products

This security advisory applies to a broad range of Cisco products. To determine 
if a product is vulnerable, review the list below. If software versions or 
configuration information is included, then only those combinations are affected 
(or unaffected). If the product or series is listed without any qualifying 
software version information, then consult the Software Versions and Fixes 
section to determine if the product is running an affected version of software. 

Additional information per product is provided in the Details and Workarounds 
sections below. 

The following Cisco products are vulnerable if they are running an affected 
version of software: 
  800, 1000, 1005, 1400, 1600, 1700, 2500, 2600, 3600, MC3810, 4000, 4500, 4700, 
  6200, 6400 NRP, 6400 NSP series Cisco routers 
  ubr900 and ubr920 universal broadband routers 
  Catalyst 1500, 290x, 292x, 2900XL, 2948g, 2948g-l3, 2950, 3000, 3200, 3500XL, 
  3550, 4000, 4232, 4232-l3, 4840g, 4908g-l3, 4912g, 5000, 6000 RSFC series 
  switches 
  AS5200, AS5300, AS5800 series access servers 
  Catalyst 6000 MSM, 6000 Hybrid Mode, 6000 Native Mode, 6000 Supervisor Module, 
  Catalyst ATM Blade, Catalyst 6000 Network Analysis Module (NAM) 
  RSM, 7000, 7010, 7100, 7200, ubr7200, 7500, 7600 OSR, 10000 ESR, and 12000 GSR 
  series Cisco routers 
  Lightstream 1010 ATM switches 
  DistributedDirector 
  Catalyst 8510CSR, 8510MSR, 8540CSR, 8540MSR series switches. 
  BPX, IGX, MGX WAN switches, and the Service Expansion Shelf 
  WAN Manager 
  Cisco Secure PIX firewall 
  Cisco Secure Intrusion Detection System (NetRanger) appliance and IDS Module 
  BR340, WGB340, AP340, AP350, BR350 Cisco/Aironet wireless products 
  CSS11000 (Arrowpoint) Content Services Switch 
  Cache Engine 505 and 570 running 2.3 or 2.5 
  Content Engine 507, 560 and 590 running 2.3 or 2.5 
  Content Engine 507, 560, 590, and 7320 running 3.1, 4.0, or 4.1 
  LocalDirector 
  Internet CDN 
  VPN3000 (Altiga) VPN Concentrator 
  VPN5000 VPN Concentrator 
  Access Registrar running on Solaris 8 
  Cisco ws-x6608 and ws-x6624 IP Telephony Modules 
  Traffic Director 
  Cisco Info Center 
  Switch Probe 
  CiscoWorks Windows 
  Hosting Solution Engine 
  User Registration Tool VLAN Policy Server 
  Cisco Element Management Framework 

Products Not Affected 

The following Cisco products are not affected by this vulnerability in the 
specified configuration, either because they do not contain the associated 
defect or because they do not support SNMP. If software version information is 
provided, then only that specific combination of product and software version is 
not vulnerable. 
  Catalyst 1900s switch running any version of CatOS 
  FastHub 300 Ethernet repeater 
  Cache Engine 505 and 570 running version 2.3 or 2.5.x 
  Cache Engine and Content Delivery Manager running CDM Enterprise 3.0.x 
  CR-4430B running CDM Enterprise 3.0.x 
  IP/TV 
  Device Fault Manager 
  ME1100 series 
  Voice Manager 
  RTM 
  IP Phone (all models) 
  SN5400 series storage routers 
  CallManager 
  Unity Server 
  Access Registrar running on Solaris 7.5.1 

No other Cisco product is known to be affected by this vulnerability.

Details

Simple Network Management Protocol (SNMP) defines a standard mechanism for 
remote management and monitoring of devices in an Internet Protocol (IP) 
network. 

SNMPv1 messages fall into three broad kinds: "get" requests (GetRequest and 
GetNextRequest) that read information, "set" requests that modify the 
configuration of the remote device, and "trap" messages that the device sends 
to provide a monitoring function. 

An Object Identifier (OID) is the label employed by SNMP to uniquely specify an 
item to be managed. OIDs in human-readable format are displayed as long strings 
of decimal integers separated by periods, but they are packed into a more 
efficient binary form for use within SNMP. 

The largest group of vulnerabilities described in this advisory result from 
insufficient checking of SNMP messages as they are received and processed by an 
affected system. Malformed SNMP messages received by affected systems can cause 
various parsing and processing functions to fail, resulting in a system crash 
and a reload in most circumstances. Under some conditions, the affected device 
can not reload. In a specific combination with an unrelated software defect, the 
device reloads continuously and requires manual intervention to resume normal 
operation. 

These vulnerabilities can be easily and repeatedly demonstrated with the use of 
the University of Oulu Secure Programming Group (OUSPG) "PROTOS" Test Suite for 
SNMP. The test suite is generally used to analyze a protocol and produce 
messages that probe various design limits within an implementation of a 
protocol. Examples such as overly-long OIDs, malformed OIDs, and other 
combinations of values appropriate to SNMP can be programmatically generated and 
then transmitted to a network device under test. The test suite for SNMP, as 
distributed, contains approximately 53,000 individual test cases. The authors 
intend to make the SNMP test suite available to the public at the same time that 
this advisory is published. 
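The parsing failure described above can be seen concretely with a small encoder and decoder. The following is an added example, not code from Cisco, OUSPG or SecurityTracker: it builds a well-formed SNMPv1 GetRequest in BER, then feeds the same decoder the kind of malformed OID bodies a PROTOS-style test case produces (an over-long sub-identifier, a dangling continuation bit, far too many arcs, a truncated datagram) and shows a strict parser rejecting them instead of misparsing. The MAX_OID_ARCS and MAX_ARC_BYTES limits and all function names are this example's own assumptions, not values from the advisory.

```python
# Added example, not code from Cisco, OUSPG or SecurityTracker: a minimal SNMPv1 GetRequest
# encoder and a strict BER decoder that rejects malformed OIDs instead of misparsing them.
TAG_INT, TAG_OCTSTR, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GETREQUEST = 0xA0      # context tag 0 = GetRequest-PDU (RFC 1157)
MAX_OID_ARCS = 128         # assumed limits for this example, not values from the advisory
MAX_ARC_BYTES = 5          # a 32-bit sub-identifier needs at most 5 base-128 bytes

def tlv(tag, body):
    """Tag-length-value with definite-length BER encoding."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_int(v):         # non-negative INTEGERs are all this example needs
    return tlv(TAG_INT, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def encode_oid(arcs):
    """Pack dotted-decimal arcs into base-128 form; the first two arcs share one byte."""
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(TAG_OID, bytes(out))

def snmpv1_get(community, oid, request_id=1):
    """Build a GetRequest; oid is a list of arcs, or raw OID body bytes for crafting bad cases."""
    oid_tlv = tlv(TAG_OID, bytes(oid)) if isinstance(oid, (bytes, bytearray)) else encode_oid(oid)
    varbinds = tlv(TAG_SEQ, tlv(TAG_SEQ, oid_tlv + tlv(TAG_NULL, b"")))
    pdu = tlv(TAG_GETREQUEST, encode_int(request_id) + encode_int(0) + encode_int(0) + varbinds)
    return tlv(TAG_SEQ, encode_int(0) + tlv(TAG_OCTSTR, community.encode()) + pdu)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end), checking every length against the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F       # 0 would mean indefinite length, which SNMP forbids
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length-of-length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, pos, pos + length

def expect(buf, pos, want):
    tag, s, e = read_tlv(buf, pos)
    if tag != want:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (want, tag))
    return s, e

def decode_oid_strict(body):
    """Unpack an OID body; over-long, unterminated or excessively long OIDs raise."""
    if not body:
        raise ValueError("empty OID")
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    val = nbytes = 0
    for b in body[1:]:
        nbytes += 1
        if nbytes > MAX_ARC_BYTES:
            raise ValueError("sub-identifier too long")
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:       # last byte of this sub-identifier
            arcs.append(val)
            if len(arcs) > MAX_OID_ARCS:
                raise ValueError("too many sub-identifiers")
            val = nbytes = 0
    if nbytes:
        raise ValueError("OID ends inside a sub-identifier")
    return arcs

def varbind_oids(msg):
    """Walk a GetRequest and return its VarBind OIDs; any malformed BER raises ValueError."""
    s, end = expect(msg, 0, TAG_SEQ)
    if end != len(msg):
        raise ValueError("trailing data after message")
    a, b = expect(msg, s, TAG_INT)             # version (0 for SNMPv1)
    a, b = expect(msg, b, TAG_OCTSTR)          # community string
    pos, pdu_end = expect(msg, b, TAG_GETREQUEST)
    for _ in range(3):                         # request-id, error-status, error-index
        a, pos = expect(msg, pos, TAG_INT)
    pos, vb_end = expect(msg, pos, TAG_SEQ)    # VarBindList
    oids = []
    while pos < vb_end:
        a, pos = expect(msg, pos, TAG_SEQ)     # one VarBind
        a, b = expect(msg, a, TAG_OID)         # its name; the value is not parsed here
        oids.append(decode_oid_strict(msg[a:b]))
    return oids

def is_rejected(msg):
    try:
        varbind_oids(msg)
        return False
    except ValueError:
        return True
```

The point of the example is where the checks sit: every BER length is validated against the remaining buffer before it is used, and an OID is walked byte by byte with both a per-sub-identifier and a per-OID bound. That is the checking the advisory says the affected implementations lacked, and it is why a datagram such as the over-long OID case above is refused with an error rather than driving the parser off the end of the message.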

Impact

The vulnerability can be exploited to produce a Denial of Service (DoS) attack. 
When the vulnerability is exploited, it can cause an affected Cisco product to 
crash and reload. 

SNMP messages are transported using User Datagram Protocol (UDP) and are subject 
to IP source address spoofing. In any circumstance where ingress and egress 
source IP address filtering is lacking, it is more likely that an attacker could 
spoof the source IP address and circumvent access control mechanisms to cause a 
vulnerable system to fail. 

If an attacker is able to guess or otherwise obtain a read-only community string 
for an affected device, then he or she could bypass SNMP access control relying 
on the community string. 

Software Versions and Fixes

Cisco IOS Software

Each row of the Cisco IOS software table (below) describes a release train and 
the platforms or products for which it is intended. If a given release train is 
vulnerable, then the earliest possible releases that contain the fix (the "First 
Fixed Release") and the anticipated date of availability for each are listed in 
the "Rebuild," "Interim," and "Maintenance" columns. A device running a release 
in the given train that is earlier than the release in a specific column (less 
than the First Fixed Release) is known to be vulnerable. The release should be 
upgraded at least to the indicated release or a later version (greater than or 
equal to the First Fixed Release label). When selecting a release, keep in mind 
the following definitions:
    Maintenance 
    Most heavily tested, stable, and highly recommended release of a release 
    train in any given row of the table.
    Rebuild 
    Constructed from the previous maintenance or major release in the same 
    train, it contains the fix for a specific defect. Although it receives less 
    testing, it contains only the minimal changes necessary to repair the 
    vulnerability.
    Interim 
    Built at regular intervals between maintenance releases and receives less 
    testing. Interims should be selected only if there is no other suitable 
    release that addresses the vulnerability. Interim images should be upgraded 
    to the next available maintenance release as soon as possible. Interim 
    releases are not available through manufacturing, and usually they are not 
    available for customer download from CCO without prior arrangement with the 
    Cisco TAC. 
In all cases, customers should exercise caution to confirm that the devices to 
be upgraded contain sufficient memory and that current hardware and software 
configurations will continue to be supported properly by the new software 
release. If the information is not clear, contact the Cisco TAC for assistance 
as shown in the "Obtaining Fixed Software" section.
More information on Cisco IOS software release names and abbreviations is 
available at http://www.cisco.com/warp/public/620/1.html.
      Each row gives a release train (with the platform or image the original 
      table named, where any), the first fixed release, and its availability 
      date. The original table's Rebuild / Interim / Maintenance column split 
      and its * and ** footnotes did not survive extraction; see the advisory 
      URL above for them.

      Train (platform, where given)             First fixed release    Availability
      11.0                                      11.0(22b)              2002/02/11
      11.1                                      11.1(24b)              TBD
      11.1AA                                    11.1(20)AA4            2002/02/11
      11.1CA                                    11.1(36)CA2            2002/02/11
      11.1CC                                    11.1(36)CC4            2002/02/11
      11.1CT                                    11.1(28a)CT            TBD
      11.1IA                                    11.1(28a)IA            TBD
      11.2                                      11.2(26b)              2002/02/12
      11.2BC                                    11.2(23a)BC1           TBD
      11.2GS                                    11.2(19a)GS6           TBD
      11.2P                                     11.2(26)P1             2002/02/15
      11.2SA                                    11.2(8.9)SA6           2002/02/12
      11.3                                      11.3(11c)              2002/02/11
      11.3DB                                    11.3(7)DB1             TBD
      11.3DB                                    11.3(8)DB2             TBD
      11.3T                                     11.3(11b)T2            2002/02/11
      12.0                                      12.0(21a)              2002/02/12
      12.0                                      12.0(8a)               2002/02/11
      12.0                                      12.0(9a)               2002/02/12
      12.0                                      12.0(10a)              2002/02/12
      12.0                                      12.0(11a)              2002/02/12
      12.0                                      12.0(12a)              2002/02/12
      12.0                                      12.0(13a)              2002/02/12
      12.0                                      12.0(14a)              2002/02/12
      12.0                                      12.0(15a)              2002/02/12
      12.0                                      12.0(16a)              2002/02/11
      12.0                                      12.0(17a)              2002/02/11
      12.0                                      12.0(2b)               2002/02/11
      12.0                                      12.0(3d)               2002/02/12
      12.0                                      12.0(5a)               2002/02/12
      12.0                                      12.0(6a)               2002/02/11
      12.0                                      12.0(19a)              2002/02/11
      12.0                                      12.0(20a)              2002/02/11
      12.0                                      12.0(18b)              TBD
      12.0WT                                    12.0(13)WT6(1)         TBD
      12.0(2)XE                                 12.0(2)XE?             TBD
      12.0(2)XF                                 12.0(2)XF?             TBD
      12.0(20)SX                                12.0(21)SX             TBD
      12.0(4)XE                                 12.0(4)XE1             2002/02/11
      12.0(4)XM                                 12.0(4)XM1             2002/02/12
      12.0(5)WC (2900XL-LRE)                    12.0(5)WC2b            2002/02/11
      12.0(5)XE                                 12.0(5)XE3             2002/02/11
      12.0(5)XK                                 12.0(5)XK2             2002/02/12
      12.0(5)XN                                 12.0(5)XN1             TBD
      12.0(5)XP (2900XL, 3500XL platform)       12.0(5)WC3             2002/02/12
      12.0(5)XS                                 12.0(5)XS2             TBD
      12.0(5)XU (2900XL, 3500XL platform)       12.0(5)WC3             2002/02/12
      12.0(7)XE                                 12.0(7)XE1             2002/02/11
      12.0(7)XF                                 12.0(7)XF1             TBD
      12.0(7)XK                                 12.0(7)XK3             2002/02/11
      12.0(7)XV                                 12.0(7)XV              TBD
      12.0DB                                    12.0(7)DB2             TBD
      12.0DC                                    12.0(7)DC1             TBD
      12.0S                                     12.0(16)S8             2002/02/12
      12.0S                                     12.0(21)S1             2002/02/15
      12.0S                                     12.0(13)S6             2002/02/15
      12.0S                                     12.0(9)S8              2002/02/15
      12.0S                                     12.0(17)S4             2002/02/15
      12.0S                                     12.0(15)S6             2002/02/15
      12.0S                                     12.0(18)S5             2002/02/15
      12.0S                                     12.0(19)S2             2002/02/15
      12.0S                                     12.0(12)S3             2002/02/12
      12.0S                                     12.0(14)S7             2002/02/12
      12.0S                                     12.0(10)S7             2002/02/12
      12.0S                                     12.0(11)S6             2002/02/15
      12.0S                                     12.0(8)S1              2002/02/15
      12.0SC                                    12.0(16)SC3            2002/02/11
      12.0SL                                    12.0(17)SL6            2002/02/15
      12.0SL                                    12.0(19)SL4            2002/02/12
      12.0SP                                    12.0(20)SP1            2002/02/12
      12.0ST                                    12.0(17)ST5            2002/02/15
      12.0ST                                    12.0(19)ST2            2002/02/12
      12.0ST                                    12.0(11)ST4            2002/02/12
      12.0ST                                    12.0(14)ST3            2002/02/15
      12.0ST                                    12.0(16)ST1            2002/02/12
      12.0ST                                    12.0(18)ST1            2002/02/12
      12.0ST                                    12.0(20)ST2            2002/02/12
      12.0ST                                    12.0(21)ST             TBD
      12.0T                                     12.0(7)T2              2002/02/12
      12.0W5 (cat2948g-L3, cat4232)             12.0(18)W5(22b)        2002/02/11
      12.0W5 (c5atm, cat8510[c,m],
              cat8540[c,m], ls1010)             12.0(20)W5(24a)        2002/02/11
      12.1                                      12.1(3b)               2002/02/12
      12.1                                      12.1(4a)               2002/02/12
      12.1                                      12.1(13)               2002/02/15
      12.1                                      12.1(8c)               2002/02/11
      12.1                                      12.1(1c)               2002/02/12
      12.1                                      12.1(2b)               2002/02/12
      12.1                                      12.1(5e)               2002/02/12
      12.1                                      12.1(6a)               2002/02/11
      12.1                                      12.1(7b)               2002/02/12
      12.1                                      12.1(9a)               2002/02/12
      12.1                                      12.1(12b)              2002/02/12
      12.1                                      12.1(11b)              2002/02/12
      12.1                                      12.1(10a)              2002/02/12
      12.1(10)EX                                12.1(10)EX             TBD
      12.1(10)EY                                12.1(10)EY             TBD
      12.1(2)XF                                 12.1(2)XF5             2002/02/11
      12.1(3)XG                                 12.1(3)XG6             2002/02/11
      12.1(3)XI                                 12.1(3a)XI8            2002/02/15
      12.1(3)XP                                 12.1(3)XP              TBD
      12.1(3)XQ                                 12.1(3)XQ              TBD
      12.1(3)XT                                 12.1(3)XT3             TBD
      12.1(4)XY                                 12.1(4)XY8             2002/02/12
      12.1(4)XZ                                 12.1(4)XZ7             2002/02/11
      12.1(5)XM                                 12.1(5)XM7             2002/02/15
      12.1(5)XV                                 12.1(5)XV5             2002/02/15
      12.1(5)XV                                 12.1(5)XV4             2002/02/15
      12.1(5)XV                                 12.1(5)XV5             2002/02/11
      12.1(5)YA                                 12.1(5)YA2             2002/02/11
      12.1(5)YB                                 12.1(5)YB5             2002/02/11
      12.1(5)YC                                 12.1(5)YC2             2002/02/11
      12.1(5)YD                                 12.1(5)YD6             2002/02/11
      12.1(5)YF                                 12.1(5)YF4             2002/02/11
      12.1(5)YH                                 12.1(5)YH3             2002/02/11
      12.1(5)YI & 12.1(5)EY                     12.1(5)YI1             2002/02/11
      12.1(6)EZ                                 12.1(6)EZ6             2002/02/12
      12.1(7a)EY                                12.1(7a)EY3            2002/02/11
      12.1(8a)EW                                12.1(8a)EW1            2002/02/11
      12.1(8a)EX                                12.1(8b)EX4            2002/02/12
      12.1(9)EX                                 12.1(9)EX3             2002/02/12
      12.1AA                                    12.1(8)AA1             2002/02/15
      12.1AA                                    12.1(10)AA             TBD
      12.1DA                                    12.1(7)DA3             TBD
      12.1DB                                    12.1(5)DB1             2002/02/15
      12.1DB                                    12.1(1)DB2             TBD
      12.1DB                                    12.1(3)DB1             TBD
      12.1DB                                    12.1(4)DB2             TBD
      12.1DC                                    12.1(5)DC2             2002/02/15
      12.1DC                                    12.1(1)DC2             TBD
      12.1DC                                    12.1(3)DC2             TBD
      12.1DC                                    12.1(4)DC2             TBD
      12.1E                                     12.1(9)E2              2002/02/12
      12.1E                                     12.1(9)E3              2002/02/15
      12.1E                                     12.1(10)E4             2002/02/15
      12.1E                                     12.1(1)E5              2002/02/12
      12.1E                                     12.1(5c)E12            2002/02/11
      12.1E                                     12.1(8b)E11            2002/02/11
      12.1E                                     12.1(11)E              2002/02/25
      12.1E                                     12.1(8b)E9             2002/02/11
      12.1E                                     12.1(6)E8              TBD
      12.1E                                     12.1(3a)E7             TBD
      12.1E                                     12.1(3a)E8             TBD
      12.1E                                     12.1(7a)E6             TBD
      12.1E                                     12.1(4)E3              2002/02/12
      12.1EC                                    12.1(10)EC1            2002/02/15
      12.1EC                                    12.1(11)EC             TBD
      12.1T                                     12.1(5)T12             2002/02/12
      12.2                                      12.2(1d)               2002/02/12
      12.2                                      12.2(5d)               2002/02/12
      12.2                                      12.2(6c)               2002/02/12
      12.2                                      12.2(3d)               2002/02/12
      12.2                                      12.2(7a)               2002/02/15
      12.2(1)XA                                 12.2(2)XA5             2002/02/12
      12.2(1)XD                                 12.2(1)XD3             2002/02/11
      12.2(1)XE                                 12.2(1)XE2             2002/02/11
      12.2(1)XS                                 12.2(1)XS1             TBD
      12.2(2)BY                                 12.2(2)BY2             2002/02/11
      12.2(2)XB                                 12.2(2)XB3             2002/02/15
      12.2(2)XB                                 12.2(2)XB4             2002/02/11
      12.2(2)XG                                 12.2(2)XG1             TBD
      12.2(2)XH                                 12.2(2)XH2             2002/02/11
      12.2(2)XI                                 12.2(2)XI1             2002/02/11
      12.2(2)XJ                                 12.2(2)XJ1             TBD
      12.2(2)XK                                 12.2(2)XK2             2002/02/11
      12.2(2)XN                                 12.2(2)XN              TBD
      12.2(2)XT                                 12.2(2)XT3             2002/02/11
      12.2(2)XU                                 12.2(2)XU2             2002/02/15
      12.2(2)XU                                 12.2(2)XU1             2002/02/12
      12.2(2)XU                                 12.2(2)XU2             2002/02/11
      12.2(2)YC                                 12.2(2)YC              TBD
      12.2(4)XL                                 12.2(4)XL4             2002/02/11
      12.2(4)XM                                 12.2(4)XM2             2002/02/11
      12.2(4)XV                                 12.2(4)XV5             2002/02/15
      12.2(4)XW                                 12.2(4)XW1             TBD
      12.2(4)YA                                 12.2(4)YA1             2002/02/11
      12.2(4)YB                                 12.2(4)YB              TBD
      12.2B                                     12.2(4)BX              TBD
      12.2B                                     12.2(4)B2              2002/02/15
      12.2B                                     12.2(4)B4              2002/02/15
      12.2BC                                    12.2(4)BC1a            2002/02/15
      12.2BX                                    12.2(2)BX              2002/02/15
      12.2BX                                    12.2(4)BX              TBD
      12.2DA                                    12.2(7)DA              2002/02/15
      12.2DA                                    12.2(1b)DA1            TBD
      12.2DA                                    12.2(5)CA1             TBD
      12.2DD                                    12.2(2)DD3             2002/02/12
      12.2MB                                    12.2(4)MB3             2002/02/15
      12.2S                                     12.2(9)S               TBD
      12.2T                                     12.2(2)T4              2002/02/12
      12.2T                                     12.2(4)T3              2002/02/19
      12.2T                                     12.2(6.8)T0a           2002/02/15
      12.2T                                     12.2(8)T               2002/02/11
      12.2T                                     12.2(6.8)T1a           2002/02/11
      2900XL/3500XL: 12.0(5.1)XP, 12.0(5)XU,
              12.0(5.2)XU, 12.0(5.3)WC1,
              12.0(5)WC2                        12.0(5)WC3             2002/02/12
      2900XL-LRE: 12.0(5)WC2, 12.0(5.4)WC1      12.0(5)WC2b            2002/02/11
      2950: 12.0(5.3)WC1, 12.0(5.4)WC1,
              12.0(5)WC2, 12.1(6)EA2,
              12.1(6)EA2a                       12.1(6)EA2b            2002/02/11
      3550: 12.1(4)EA1e, 12.1(6)EA1,
              12.1(6)EA1a                       12.1(8)EA1b            2002/02/12

Please review the information in the following link for details on Cisco non-IOS 
products:

http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-non-ios-pub.shtml 

Obtaining Fixed Software 

Cisco is offering free software upgrades to remedy this vulnerability for all 
affected customers. Customers with service contracts may upgrade to any software 
release containing the feature sets they have purchased. Customers without 
contracts may upgrade only within a single row of the table above, except that 
any available fixed software release will be provided to any customer who can 
use it and for whom the standard fixed software release is not yet available. 
Customers may only install and expect support for the feature sets they have 
purchased.

Customers with contracts should obtain upgraded software through their regular 
update channels. For most customers, this means that upgrades should be obtained 
through the Software Center on Cisco's Worldwide Web site at 
http://www.cisco.com/.

Customers whose Cisco products are provided or maintained through prior or 
existing agreement with third-party support organizations such as Cisco 
Partners, authorized resellers, or service providers should contact that support 
organization for assistance with the upgrade, which should be free of charge.
Customers who purchased directly from Cisco but who do not hold a Cisco service 
contract, and customers who purchase through third party vendors but are 
unsuccessful at obtaining fixed software through their point of sale, should 
obtain fixed software by contacting the Cisco Technical Assistance Center (TAC). 

TAC contacts are as follows:
  +1 800 553 2447 (toll free from within North America) 
  +1 408 526 7209 (toll call from anywhere in the world) 
  e-mail: tac@cisco.com 

See http://www.cisco.com/warp/public/687/Directory.shtml for additional TAC 
contact information, including instructions and e-mail addresses for use in 
various languages.

Please have your product serial number available and give the URL of this notice 
as evidence of your entitlement to a free upgrade. Free upgrades for 
non-contract customers must be requested through the TAC.

Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for 
software upgrades.

Workarounds

The usefulness of any workaround is dependent on specific customer situations 
such as products, software versions, network topology, traffic behavior, and 
organizational mission. Due to the great variety of affected products and 
releases, customers should carefully evaluate each workaround to ensure it is 
appropriate for use in the intended network before it is deployed.

General Measures

  Turn SNMP off in the device. This is an effective workaround, but removes 
  management capability to the device. This can be done using the following 
  configure command: 

    no snmp-server 

  Removing the community string public with the configure command: 

    no snmp-server community public ro 

  is not sufficient as the SNMP server will still be running and the device will 
  be vulnerable. The command no snmp-server must be used instead. Verify SNMP 
  server status by using the enable command show snmp. You should see a response 
  of "%SNMP agent not enabled".

  Apply an extended access list (ACL) to deny protocol UDP, port 161 and 162, at 
  the interface level such that SNMP access to the device is allowed only from 
  the network management workstations. This can be done using the following 
  configure commands: 

    access-list 100 permit ip host 1.1.1.1 any 
    access-list 100 deny udp any any eq snmp 
    access-list 100 deny udp any any eq snmptrap 
    access-list 100 permit ip any any 

  where 1.1.1.1 is the trusted network management station. This access list must 
  be applied to all interfaces using the following configure commands: 

    interface serial 0 
    ip access-group 100 in 

  This will not prevent spoofed IP packets with the source IP address set to 
  that of the network management station from reaching the SNMP agent on the 
  device. 

  The access-list statement containing "snmptrap" will prevent notification 
  messages from entering the network when it is applied at the network edge. 

  The Cisco SAFE white papers cover techniques that can be used to control IP 
  address spoofing. These papers can be found at: 

  Cisco SAFE Solution 

  Two white papers cover securing your network in general and controlling IP 
  address spoofing specifically: 

  SAFE: A Security Blueprint for Enterprise Networks 
  SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User 
  Networks 

Workarounds with Caveats

  Apply an SNMP community-based ACL to allow SNMP access to the device only from 
  the network management workstations using the following configure commands: 

    access-list 1 permit 1.1.1.1 
    snmp-server community string1 ro 1 

  In this case the trusted management station is at address 1.1.1.1.

  If community strings are also configured for notifications, they must be 
  different than the community strings used for requests in order for this 
  workaround to be effective. Use the following configure commands to change 
  community strings for notifications that are the same as community strings 
  used for requests. 

    no snmp-server host 1.1.1.1 string1 
    snmp-server community string1 ro 1 

  The second command above reapplies the access list to the community and must 
  be reentered after the snmp-server host command is entered to ensure the 
  access list is applied correctly in some Cisco IOS software releases.

  Use the following configure command to tell the device to send notifications 
  using the new community string: 

    snmp-server host 1.1.1.1 anythingbutstring1 

  All community strings used for notifications, like the "anythingbutstring1" 
  community string above, need to be set to deny all SNMP requests. Use the 
  following configure commands to do this: 

    access-list 2 deny any 
    snmp-server community anythingbutstring1 ro 2 

  This is required because Cisco IOS software configures community strings used 
  for notifications with no read or write view. You cannot see or change any 
  information on the device using this string. However, requests using a 
  community string with no view will still be processed by the device and the 
  PROTOS tool could exploit this processing and crash the device.

  Please note that in order for this to take effect, the commands must be issued 
  in the following order: 

    snmp-server host 1.1.1.1 anythingbutstring1 
    snmp-server community anythingbutstring1 ro 2 

  This configuration will not survive a reload. 

  In certain releases, entering the snmp-server community command will delete 
  the notify view required to send traps. This can be determined by running the 
  enable command: 

    show snmp group 

  Look for two or more groups with the same name as the community string used 
  for notifications. The output should look like this: 

    groupname: anythingbutstring1           security model:v1 
    readview :v1default                     writeview:  
    notifyview: *tv.FFFFFFFF.FFFFFFFF    
    row status: active      access-list: 1

    groupname: anythingbutstring1           security model:v2c 
    readview :v1default                     writeview:  
    notifyview: 
    row status: active      access-list: 1

  Ensure that the notifyview is set for the version of notifications you want 
  the device to send and that the access-list is set correctly for all security 
  models. 

  If either field is not correct, first reapply the configure command: 

    snmp-server host 1.1.1.1 anythingbutstring1 

  Then look at the output of show snmp group again. Take the view listed as the 
  notifyview, the correct access-list number, and the security model version and 
  enter the following configure command:

    snmp-server group anythingbutstring1 v1 notify *tv.FFFFFFFF.FFFFFFFF access 1 

  Modify the above command to match your configuration. Verify this worked using 
  the show snmp group enable command. 

  Note: The snmp-server group command will show up in the configuration before 
  the snmp-server host command, so this part of the workaround will not survive 
  a reboot. After a reboot, the device will continue to send traps but the 
  snmp-server group command will need to be reentered to protect the device from 
  exploits using this community string. 

  Do not use the string "public" as a community string at all. The PROTOS test 
  suite uses "public" in its tests as configured by OULU. 

  Note: Even though the current version of the PROTOS tests will not crash the 
  Cisco IOS software device if the device community string is not public, it is 
  very easy to modify the PROTOS code so that other community string values are 
  used. Therefore, it is important to use a community ACL to further reduce your 
  risk. 

Caveats

The following workaround is effective in the following Cisco IOS software 
releases:
  11.0, 11.1, 11.2 and derivatives 
  12.0(3)T and later 12.0()T 
  12.0(6)S and later 12.0S 
  12.0(8.6)ST through 12.0(19.1)ST, 12.0(19.6)ST and later 
  12.1 
  12.1(1)T up to 12.1(4.4)T 
  12.1(1)E up to 12.1(9.4)E 
  12.1(1)EC up to 12.1(9.4)EC 
to the best of our knowledge at this time based on testing and code inspection.

These workarounds are NOT effective in:
  11.3, 11.3T 
  12.0 
  12.0(1)S through 12.0(5.x)S 
  12.0(19.3)ST, 12.0(19.3)ST1, 12.0(19.3)ST2 
  12.1(4.4)T2 and later 12.1()T 
  12.1(9.5)E and later 12.1()E 
  12.1(9.5)EC and later 12.1()EC 
  12.2, 12.2T

Troubleshooting Tips for Cisco IOS Software

  Configure the startup-config with no SNMP and the running-config with the 
  SNMP. In the event of a successful exploit due to this vulnerability, the 
  affected device will reload with a new configuration in which SNMP is 
  disabled. This will prevent additional, repeated exploit of the vulnerability. 

  Configure the SNMP Community ACLs with the "log" keyword. Monitor syslog for 
  failed attempts. 

  Periodically check SNMP for errors. 

  Configuration Notes

  show snmp 

  Command output: 

router#show snmp
Chassis: 21350479
17005 SNMP packets input
    37 Bad SNMP version errors  ** 
    15420 Unknown community name  ** 
    0 Illegal operation for community name supplied
    1548 Encoding errors   ** 
    0 Number of requested variables
    0 Number of altered variables
    0 Get-request PDUs
    0 Get-next PDUs
    0 Set-request PDUs
0 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    0 No such name errors
    0 Bad values errors
    0 General errors
    0 Response PDUs
    0 Trap PDUs
  Watch the counters marked ** 
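One way to act on the "Periodically check SNMP for errors" tip above, as an added example rather than anything from Cisco's advisory or tooling: the Python below parses two captures of show snmp (constructed samples; the second reuses the figures in the command output above) and reports the counters marked ** whose growth between two polls exceeds a threshold. The threshold value, the regular expression, and the treatment of a counter that went backwards as a probable reload are this example's own assumptions.

```python
# Added example, not from the advisory: parse two samples of `show snmp` output and flag
# the counters the advisory marks with ** when they grow faster than a chosen threshold.
import re

WATCHED = ("Bad SNMP version errors", "Unknown community name", "Encoding errors")
COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")   # "<count> <counter name>" lines only

# Constructed samples; the second reuses the figures shown in the advisory's command output.
SAMPLE_EARLIER = """router#show snmp
Chassis: 21350479
1200 SNMP packets input
    30 Bad SNMP version errors
    15400 Unknown community name
    0 Illegal operation for community name supplied
    1500 Encoding errors
    0 Number of requested variables
0 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
"""
SAMPLE_LATER = """router#show snmp
Chassis: 21350479
17005 SNMP packets input
    37 Bad SNMP version errors  **
    15420 Unknown community name  **
    0 Illegal operation for community name supplied
    1548 Encoding errors   **
    0 Number of requested variables
0 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
"""

def parse_show_snmp(text):
    """Map every '<count> <counter name>' line of show snmp output to an int."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if not m:
            continue                      # banner, prompt and "Chassis:" lines are skipped
        # drop a trailing "(...)" such as "(Maximum packet size 1500)" and any ** markers
        name = re.sub(r"\s*\(.*\)$", "", m.group(2)).rstrip("* ")
        counters[name] = int(m.group(1))
    return counters

def malformed_snmp_alerts(earlier, later, threshold=10):
    """Return {counter: growth} for watched counters that grew by more than threshold.

    A burst of version, community or encoding errors between two polls is what a
    PROTOS-style run against the agent looks like from the device side. A counter
    that went backwards means the counters were reset, most likely by a reload, so
    it is reported as such rather than silently ignored (an assumption of this example)."""
    alerts = {}
    for name in WATCHED:
        growth = later.get(name, 0) - earlier.get(name, 0)
        if growth < 0:
            alerts[name] = "counter reset (device reloaded?)"
        elif growth > threshold:
            alerts[name] = growth
    return alerts

if __name__ == "__main__":
    before, after = parse_show_snmp(SAMPLE_EARLIER), parse_show_snmp(SAMPLE_LATER)
    for name, growth in malformed_snmp_alerts(before, after).items():
        print("%s: %s" % (name, growth))
```

Polling the counters this way pairs naturally with the "log" keyword on the community ACL: the counters show that malformed or unauthorised messages are arriving, and the syslog entries from the ACL show where they come from.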

Exploitation and Public Announcements

Cisco is not aware of any malicious exploitation of this vulnerability. 

The largest set of these vulnerabilities were reported by the OUSPG at the 
University of Oulu, Finland, in concert with the CERT Coordination Center. A 
small number were reported by Cisco customers and some were internally 
discovered. 

These vulnerabilities are present in other products not provided by Cisco, and 
this security advisory is being published simultaneously with announcements from 
the other affected organizations. 

Status of This Notice: Interim

This is an interim Security Advisory notice. Cisco anticipates issuing updated 
versions of this notice at irregular intervals as there are material changes in 
the facts, and will continue to update this notice as necessary.

The reader is warned that this notice may contain inaccurate or incomplete 
information. Although Cisco cannot guarantee the accuracy of all statements in 
this notice, all of the facts have been checked to the best of our ability. 
Cisco anticipates weekly updates of this notice until it reaches final status.

A standalone copy or paraphrase of the text of this Security Advisory that omits 
the distribution URL in the following section is an uncontrolled copy, and may 
lack important information or contain factual errors.

Distribution

This notice will be posted on Cisco's Worldwide Web site at 
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml. In 
addition to Worldwide Web posting, a text version of this notice is clear-signed 
with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet 
news recipients: 
  cust-security-announce@cisco.com 
  bugtraq@securityfocus.com 
  first-teams@first.org (includes CERT/CC) 
  cisco@spot.colorado.edu 
  comp.dcom.sys.cisco 
  firewalls@lists.gnac.com 
  Various internal Cisco mailing lists 

Future updates of this notice, if any, will be placed on Cisco's Worldwide Web 
server, but may or may not be actively announced on mailing lists or newsgroups. 
Users concerned about this problem are encouraged to check the URL given above 
for any updates. 

Revision History

      Revision 1.0    2002-Feb-12 20:00 GMT    Initial public release


Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, 
obtaining assistance with security incidents, and registering to receive 
security information from Cisco, is available on Cisco's Worldwide Web site at 
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes 
instructions for press inquiries regarding Cisco security notices. All Cisco 
Security Advisories are available at http://www.cisco.com/go/psirt. 



This notice is Copyright 2002 by Cisco Systems, Inc. This notice may be 
redistributed freely after the release date given at the top of the text, 
provided that redistributed copies are complete and unmodified, and include all 
date and version information.


 
 








Copyright 2014, SecurityGlobal.net LLC