[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <515703B08A3A064C9CC8C09ACCC710DC01A04F45@XMB-RCD-103.cisco.com>
Date: Fri, 9 Jul 2010 10:49:15 -0500
From: "Dario Ciccarone (dciccaro)" <dciccaro@...co.com>
To: "Shang Tsung" <stsung@...l.com>, <pen-test@...urityfocus.com>,
<full-disclosure@...ts.grok.org.uk>
Subject: Re: Should nmap cause a DoS on cisco routers?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi there:
Once again, this is Dario Ciccarone with the Cisco PSIRT. This
email's purpose is to provide our conclusions on the investigation we
performed on this issue.
First, we would like to thank Mr. Shang Tsung for his help and
cooperation during our investigation - Mr. Tsung did indeed provide
the Cisco PSIRT with all the information required to investigate and
reproduce the issue.
Second, this *is* indeed a vulnerability on Cisco IOS that *can
be
triggered* by an nmap scan. But before everyone run to the nearest
Linux box to run an nmap scan against their neighbor's network and
attempts to trigger it: this is a *known* and *previously publicly
disclosed* vulnerability, for which the Cisco PSIRT published an
advisory back in 2004:
"Cisco Security Advisory: Vulnerabilities in SNMP Message
Processing" - which can be found at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml .
The bug ID on our bug database being CSCed68575.
The original advisory did make clear that the effect of the
vulnerability would be a crash and reload of the device, provided
workarounds and as usual on Cisco Security Advisories, a list of
fixed software releases.
At this time, we consider the case closed. And again, we would
like
to thank Mr Tsung for his help and cooperation on driving this issue
to a satisfactory outcome.
<bit of advertising follows>
Cisco provides access to our Security Vulnerability Policy at
http://www.cisco.com/en/US/products/products_security_vulnerability_po
licy.html - which includes not only information on how to contact the
Cisco PSIRT, but details on the process we follow with any reported
vulnerability.
Cisco PSIRT greatly appreciates the opportunity to work with
researchers on security vulnerabilities and welcomes the opportunity
to review and assist in product reports. Any researcher or customer,
with or without a support contract, is encouraged to contact us at
psirt@...co.com so we can work together on the investigation of any
purported security vulnerability on any Cisco product.
</bit of advertising ends>
Thanks,
Dario
Dario Ciccarone <dciccaro@...co.com>
Incident Manager - CCIE #10395
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
+1 212 714 4218
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt
> -----Original Message-----
> From: listbounce@...urityfocus.com
> [mailto:listbounce@...urityfocus.com] On Behalf Of Shang Tsung
> Sent: Wednesday, June 30, 2010 7:04 AM
> To: pen-test@...urityfocus.com
> Subject: Should nmap cause a DoS on cisco routers?
>
> Hello,
>
> Some days ago, I had the task to discover the SNMP version that our
> servers and networking devices use. So I run nmap using the
> following command:
>
> nmap -sU -sV -p 161-162 -iL target_file.txt
>
> This command was supposed to use UDP to probe ports 161 and
> 162, which
> are used for SNMP and SNMP Trap respectively, and return the SNMP
> version.
>
> This "innocent" command caused most networking devices to crash and
> reboot, causing a Denial of Service attack and bringing down the
> network.
>
> Now my question is.. Should this had happened? Can nmap bring
> the whole
> network down from one single machine?
>
> Is this a configuration error of the networking devices?
>
> This is scary...
>
> Shang Tsung
>
>
>
>
>
>
>
>
> --------------------------------------------------------------
> ----------
> This list is sponsored by: Information Assurance
> Certification Review Board
>
> Prove to peers and potential employers without a doubt that
> you can actually do a proper penetration test. IACRB CPT and
> CEPT certs require a full practical examination in order to
> become certified.
>
> http://www.iacertification.org
> --------------------------------------------------------------
> ----------
>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBTDdE+4yVGB+6GuDwEQJBbgCgxILU27FqQ3mlH49cYL+txC3WCC4An0Zd
rGZ0NHYdaCYN4tGKCCeKLx/s
=nauF
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists