| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 28 Aug 2010 15:36:06 +1000 From: "David Klein" <David.Klein@...ocus.com.au> To: <full-disclosure@...ts.grok.org.uk> Subject: TANDBERG <F9.0 SNMP DOS ============================================================================ Vendor: TANDBERG part of Cisco. Author: David Klein, IP Focus. ------- Timeline: 29032010 - Vendor notified of verbose snmp resp regardless of community. 31032010 - Research at IP Focus turned this into a Denial of Service. 06042010 - IP Focus requested confirmation of DoS. 08042010 - Vendor confirmed. 24062010 - Vendor advised of beta FW to test. 02072010 - Confirmed initial DoS condition has been eliminated. 23082010 - Firmware 9.0 released. ------- Details: Sending 1xSNMP packet with a spoofed source IP of the target to Tandberg MXP series causes a reboot. Payload in data field is '30 26'h Community name does not need to be valid. The reason for the crash is that any sent SNMP packet the Tandberg will respond, faking the source IP and sending the response back to itself, this response then loops until memory runs out. Takes <1 minute. ------- Systems: Only MXP Systems are vulnerable to this condition. ------- Workaround: Upgrade to Firmware version 9.0 ftp://ftp.tandberg.com/pub/software/endpoints/mxp/f90/ ============================================================================ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists