Published: 22 April 2004
===========================================================================
             AUSCERT External Security Bulletin Redistribution

   ESB-2004.0296 -- US-CERT Technical Cyber Security Alert TA04-111B
                Cisco IOS SNMP Message Handling Vulnerability
                              22 April 2004
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:            Cisco routers and switches running IOS trains 12.0S,
                    12.1E, 12.2, 12.2S, 12.3, 12.3B and 12.3T
Publisher:          US-CERT
Impact:             Denial of Service
Access Required:    Remote

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco IOS SNMP Message Handling Vulnerability

   Original release date: April 20, 2004
   Last revised: --
   Source: US-CERT

Systems Affected

   * Cisco routers and switches running vulnerable versions of IOS.
     Vulnerable IOS versions known to be affected include:

       * 12.0(23)S4, 12.0(23)S5
       * 12.0(24)S4, 12.0(24)S5
       * 12.0(26)S1
       * 12.0(27)S
       * 12.0(27)SV, 12.0(27)SV1
       * 12.1(20)E, 12.1(20)E1, 12.1(20)E2
       * 12.1(20)EA1
       * 12.1(20)EW, 12.1(20)EW1
       * 12.1(20)EC, 12.1(20)EC1
       * 12.2(12g), 12.2(12h)
       * 12.2(20)S, 12.2(20)S1
       * 12.2(21), 12.2(21a)
       * 12.2(23)
       * 12.3(2)XC1, 12.3(2)XC2
       * 12.3(5), 12.3(5a), 12.3(5b)
       * 12.3(6)
       * 12.3(4)T, 12.3(4)T1, 12.3(4)T2, 12.3(4)T3
       * 12.3(5a)B
       * 12.3(4)XD, 12.3(4)XD1

Overview

   There is a vulnerability in Cisco's Internetwork Operating System (IOS)
   SNMP service. When vulnerable Cisco routers or switches process specific
   SNMP requests, the system may reboot. If repeatedly exploited, this
   vulnerability could result in a sustained denial of service (DoS).

   This vulnerability is distinct from the vulnerability described in
   US-CERT Technical Alert TA04-111A issued earlier today. Cisco has
   published an advisory about this distinct SNMP issue at the following
   location:

     <http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml>

I. Description

   The Simple Network Management Protocol (SNMP) is a widely deployed
   protocol that is commonly used to monitor and manage network devices.
   There are several types of SNMP messages that are used to request
   information or configuration changes, respond to requests, enumerate
   SNMP objects, and send both solicited and unsolicited alerts. These
   messages use UDP to communicate network information between SNMP
   agents and managers.

   There is a vulnerability in Cisco's IOS SNMP service in which attempts
   to process specific SNMP messages are handled incorrectly. This may
   cause the device to reload.

   Typically, ports 161/udp and 162/udp are used during SNMP operations to
   communicate. In addition to these well-known ports, Cisco IOS uses a
   randomly selected UDP port in the range from 49152/udp to 59152/udp
   (and potentially up to 65535) to listen for other types of SNMP
   messages.

   While SNMPv1 and SNMPv2c formatted messages can trigger this
   vulnerability, the greatest risk is exposed when any SNMPv3 solicited
   operation is sent to a vulnerable port. Cisco notes in their advisory:

     "SNMPv1 and SNMPv2c solicited operations to the vulnerable ports will
     perform an authentication check against the SNMP community string,
     which may be used to mitigate attacks. Through best practices of hard
     to guess community strings and community string ACLs, this
     vulnerability may be mitigated for both SNMPv1 and SNMPv2c. However,
     any SNMPv3 solicited operation to the vulnerable ports will reset the
     device. If configured for SNMP, all affected versions will process
     SNMP version 1, 2c and 3 operations."

   Cisco is tracking this issue as CSCed68575. US-CERT is tracking this
   issue as VU#162451.

II. Impact

   A remote, unauthenticated attacker could cause the vulnerable device to
   reload. Repeated exploitation of this vulnerability could lead to a
   sustained denial of service condition.

III. Solution

   Upgrade to fixed versions of IOS

   Cisco has published detailed information about upgrading affected Cisco
   IOS software to correct this vulnerability. System managers are
   encouraged to upgrade to one of the non-vulnerable releases. For
   additional information regarding availability of repaired releases,
   please refer to the "Software Versions and Fixes" section of the Cisco
   Security Advisory.

     <http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml>

   Workarounds

   Cisco recommends a number of workarounds, including disabling SNMP
   processing on affected devices. For a complete list of workarounds, see
   the Cisco Security Advisory.

Appendix A. Vendor Information

   This appendix contains information provided by vendors for this
   advisory. As vendors report new information to US-CERT, we will update
   this section and note the changes in our revision history. If a
   particular vendor is not listed below, we have not received their
   comments.

   Cisco Systems

   Please refer to Cisco Security Advisory: "Vulnerabilities in SNMP
   Message Processing". Cisco has published their advisory at the
   following location:

     <http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml>
   _________________________________________________________________

   US-CERT thanks Cisco Systems for notifying us about this problem.
   _________________________________________________________________

   Feedback can be directed to the authors: Jeff Havrilla, Shawn Hernan,
   Damon Morda

   The latest version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA04-111B.html>
   _________________________________________________________________

   Copyright 2004 Carnegie Mellon University.

   Terms of use: <http://www.us-cert.gov/legal.html>

Revision History

   April 20, 2004: Initial release

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
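As an added example (not part of the US-CERT or AusCERT text), the following Python check parses Cisco's IOS release syntax and matches the version reported by a device's `show version` output against the "Systems Affected" list above. The `show version` excerpts are constructed for the example; a release that is absent from the list is only "not listed", since the advisory says the list covers releases known to be affected, so fixed status should be confirmed against the "Software Versions and Fixes" section of the Cisco advisory.

```python
import re

# Affected releases, copied from the "Systems Affected" list in TA04-111B above.
AFFECTED_TEXT = """
12.0(23)S4, 12.0(23)S5, 12.0(24)S4, 12.0(24)S5, 12.0(26)S1, 12.0(27)S,
12.0(27)SV, 12.0(27)SV1, 12.1(20)E, 12.1(20)E1, 12.1(20)E2, 12.1(20)EA1,
12.1(20)EW, 12.1(20)EW1, 12.1(20)EC, 12.1(20)EC1, 12.2(12g), 12.2(12h),
12.2(20)S, 12.2(20)S1, 12.2(21), 12.2(21a), 12.2(23), 12.3(2)XC1, 12.3(2)XC2,
12.3(5), 12.3(5a), 12.3(5b), 12.3(6), 12.3(4)T, 12.3(4)T1, 12.3(4)T2,
12.3(4)T3, 12.3(5a)B, 12.3(4)XD, 12.3(4)XD1
"""

# IOS release syntax: major.minor(maintenance[rebuild letter])[TRAIN][train rebuild]
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]*)(\d*)")

def parse_version(text):
    """Canonical tuple for the first IOS version in text, or None if none found."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, maint, letter, train, rebuild = m.groups()
    return (int(major), int(minor), int(maint), letter, train, int(rebuild or 0))

AFFECTED = {parse_version(m.group(0)) for m in VERSION_RE.finditer(AFFECTED_TEXT)}

def is_listed_affected(version):
    """True only if the exact release is on the advisory's list. The list is
    described as releases 'known to be affected', so a miss means 'not listed',
    not 'fixed': confirm against Cisco's "Software Versions and Fixes" section."""
    return parse_version(version) in AFFECTED

def check_show_version(output):
    """Map a 'show version' excerpt to (version string, listed as affected)."""
    m = VERSION_RE.search(output)
    if m is None:
        return (None, False)
    return (m.group(0), parse_version(m.group(0)) in AFFECTED)

# Constructed 'show version' excerpts (not real device output).
SAMPLE_SHOW_VERSION = [
    "IOS (tm) C2600 Software (C2600-I-M), Version 12.3(5a), RELEASE SOFTWARE (fc1)",
    "IOS (tm) 7200 Software (C7200-JS-M), Version 12.0(27)S1, RELEASE SOFTWARE (fc1)",
    "IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(20)EA1, RELEASE SOFTWARE (fc2)",
]

if __name__ == "__main__":
    for line in SAMPLE_SHOW_VERSION:
        print(check_show_version(line))
```

The second sample, 12.0(27)S1, shows why rebuild numbers must be compared exactly: only 12.0(27)S, 12.0(27)SV and 12.0(27)SV1 appear on the list, so the tool reports it as not listed rather than as affected.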