(Cisco ONS is Affected) Cisco SNMP Bug Lets Remote Users Send SNMP Solicited Operations to Cause the Device to Reload
SecurityTracker Alert ID: 1009915
SecurityTracker URL: http://securitytracker.com/id/1009915
Date: Apr 22 2004
Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): ONS 15454 and 15454E running 4.60, when configured with ML line card
A vulnerability was reported in certain releases of the Cisco Internetwork Operating System (IOS) software in the processing of SNMP requests. A remote user can cause the device to reload. Cisco ONS 15454 and 15454E devices configured with an ML-series line card and running release 4.60 are vulnerable, because the release bundles a vulnerable version of IOS.
Cisco reported that a remote user can send certain SNMP requests to the target system to cause the device to reload. Only certain IOS releases on Cisco routers and switches are affected, including versions of the software release trains 12.0S, 12.1E, 12.2, 12.2S, 12.3, 12.3B, and 12.3T.
The flaw was reportedly introduced by code that was to correct Bug ID CSCeb22276 and subsequent releases.
Cisco says that the following releases are affected [but this may not be a comprehensive list, they warned]:
* 12.0(23)S4, 12.0(23)S5
* 12.0(24)S4, 12.0(24)S5
* 12.0(27)SV, 12.0(27)SV1
* 12.1(20)E, 12.1(20)E1, 12.1(20)E2
* 12.1(20)EW, 12.1(20)EW1
* 12.1(20)EC, 12.1(20)EC1
* 12.2(12g), 12.2(12h)
* 12.2(20)S, 12.2(20)S1
* 12.2(21), 12.2(21a)
* 12.3(2)XC1, 12.3(2)XC2
* 12.3(5), 12.3(5a), 12.3(5b)
* 12.3(4)T, 12.3(4)T1, 12.3(4)T2, 12.3(4)T3
* 12.3(4)XD, 12.3(4)XD1
UDP ports 161 and 162 are affected. Also, a randomly assigned port between 49152 and 59152 is affected.
The report indicates that IOS incorrectly attempts to process SNMP solicited operations on UDP port 162 and the random UDP port, causing memory corruption.
The remote user must authenticate (using SNMP community strings) to exploit via SNMPv1 and SNMPv2c but does not need to authenticate to exploit via SNMPv3 solicited operations. If the device is configured for SNMP, the device will support SNMP version 1, 2c, and 3 operations. As a result, no authentication is required to exploit this flaw.
Cisco has assigned Bug ID CSCed68575 to this vulnerability.
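A defender's check for the ports named above, as an added example that is not part of the advisory: it scans flow records for UDP traffic reaching a managed device on port 161 from outside the management network, on port 162, or in the 49152-59152 range. The record format, device address and management subnet are constructed assumptions.

```python
import ipaddress

# Ports from the advisory: UDP 161, UDP 162, and a random UDP port in 49152-59152.
HIGH_RANGE = range(49152, 59153)

# Assumptions (not from the advisory): device and management-station addresses.
DEVICES = {ipaddress.ip_address("192.0.2.10")}
MGMT_NETS = [ipaddress.ip_network("198.51.100.0/28")]

# Constructed sample flow records: "proto src_ip src_port dst_ip dst_port"
SAMPLE_FLOWS = """\
udp 198.51.100.5 40000 192.0.2.10 161
udp 203.0.113.7 40001 192.0.2.10 161
udp 203.0.113.7 40002 192.0.2.10 162
udp 198.51.100.5 40003 192.0.2.10 162
udp 203.0.113.9 40004 192.0.2.10 50123
udp 203.0.113.9 40005 192.0.2.10 60000
tcp 203.0.113.9 40006 192.0.2.10 161
udp 203.0.113.9 40007 192.0.2.99 161
"""

def classify(line):
    """Return a finding label for one flow record, or None if it is not of interest."""
    proto, src, _sport, dst, dport = line.split()
    src, dst, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    if proto != "udp" or dst not in DEVICES:
        return None
    trusted = any(src in net for net in MGMT_NETS)
    if dport == 162:
        # 162 is the trap receiver port: a managed device sends to it and
        # should not be receiving on it, whatever the source.
        return "udp162-to-device"
    if dport in HIGH_RANGE and not trusted:
        # Replies to traffic the device itself originated also land here,
        # so correlate with outbound flows before escalating.
        return "high-port-to-device"
    if dport == 161 and not trusted:
        return "snmp-from-unmanaged-source"
    return None

def findings(text):
    """Classify every non-empty record and keep the ones that matched."""
    hits = [(classify(l), l) for l in text.splitlines() if l.strip()]
    return [(reason, l) for reason, l in hits if reason]

if __name__ == "__main__":
    for reason, record in findings(SAMPLE_FLOWS):
        print(f"{reason:28} {record}")
```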
A remote user can cause the target device to reset.
For Cisco ONS 15454 and 15454E with an ML-series Line Card, a fixed version (4.62) will be available on April 27, 2004.
Vendor URL: www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml
This archive entry is a follow-up to the message listed below.
Source Message Contents
> Cisco Security Advisory: Vulnerabilities in SNMP Message Processing
> Document ID: 50980
> Revision 1.1
> Last Updated 2004 April 22 0900 UTC (GMT)
Cisco updated their SNMP advisory to indicate the Cisco ONS is also affected. The ONS
15454 and 15454E devices configured with an ML-series line card and running release 4.60
are vulnerable, the advisory warned. This is because release 4.60 bundles IOS version
12.1(20)EO, which is vulnerable.
For Cisco ONS 15454 and 15454E with an ML-series Line Card, a fixed version (4.62) will be
available on April 27, 2004.