lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <515703B08A3A064C9CC8C09ACCC710DC01A04F45@XMB-RCD-103.cisco.com>
Date: Fri, 9 Jul 2010 10:49:15 -0500
From: "Dario Ciccarone (dciccaro)" <dciccaro@...co.com>
To: "Shang Tsung" <stsung@...l.com>, <pen-test@...urityfocus.com>,
	<full-disclosure@...ts.grok.org.uk>
Subject: Re: Should nmap cause a DoS on cisco routers?

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there:

	Once again, this is Dario Ciccarone with the Cisco PSIRT. This
email's purpose is to provide our conclusions on the investigation we
performed on this issue. 

	First, we would like to thank Mr. Shang Tsung for his help and
cooperation during our investigation - Mr. Tsung did indeed provide
the Cisco PSIRT with all the information required to investigate and
reproduce the issue.

	Second, this *is* indeed a vulnerability on Cisco IOS that *can
be
triggered* by an nmap scan. But before everyone run to the nearest
Linux box to run an nmap scan against their neighbor's network and
attempts to trigger it: this is a *known* and *previously publicly
disclosed* vulnerability, for which the Cisco PSIRT published an
advisory back in 2004:

	"Cisco Security Advisory: Vulnerabilities in SNMP Message
Processing" - which can be found at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml .
The bug ID on our bug database being CSCed68575.

	The original advisory did make clear that the effect of the
vulnerability would be a crash and reload of the device, provided
workarounds and as usual on Cisco Security Advisories, a list of
fixed software releases.

	At this time, we consider the case closed. And again, we would
like
to thank Mr Tsung for his help and cooperation on driving this issue
to a satisfactory outcome.

	<bit of advertising follows>

	Cisco provides access to our Security Vulnerability Policy at
http://www.cisco.com/en/US/products/products_security_vulnerability_po
licy.html - which includes not only information on how to contact the
Cisco PSIRT, but details on the process we follow with any reported
vulnerability.

	Cisco PSIRT greatly appreciates the opportunity to work with
researchers on security vulnerabilities and welcomes the opportunity
to review and assist in product reports. Any researcher or customer,
with or without a support contract, is encouraged to contact us at
psirt@...co.com so we can work together on the investigation of any
purported security vulnerability on any Cisco product.

	</bit of advertising ends>

	Thanks,
	Dario

Dario Ciccarone <dciccaro@...co.com>
Incident Manager - CCIE #10395 
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
+1 212 714 4218
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt

 

	

> -----Original Message-----
> From: listbounce@...urityfocus.com 
> [mailto:listbounce@...urityfocus.com] On Behalf Of Shang Tsung
> Sent: Wednesday, June 30, 2010 7:04 AM
> To: pen-test@...urityfocus.com
> Subject: Should nmap cause a DoS on cisco routers?
> 
> Hello,
> 
> Some days ago, I had the task to discover the SNMP version that our
>  servers and networking devices use. So I run nmap using the
> following  command:
> 
> nmap -sU -sV -p 161-162 -iL target_file.txt
> 
> This command was supposed to use UDP to probe ports 161 and 
> 162, which 
> are used for SNMP and SNMP Trap respectively, and return the SNMP 
> version.
> 
> This "innocent" command caused most networking devices to crash and
>  reboot, causing a Denial of Service attack and bringing down the 
> network.
> 
> Now my question is.. Should this had happened? Can nmap bring 
> the whole 
> network down from one single machine?
> 
> Is this a configuration error of the networking devices?
> 
> This is scary...
> 
> Shang Tsung
> 
> 
> 
> 
> 
> 
>   
> 
> --------------------------------------------------------------
> ----------
> This list is sponsored by: Information Assurance 
> Certification Review Board
> 
> Prove to peers and potential employers without a doubt that 
> you can actually do a proper penetration test. IACRB CPT and 
> CEPT certs require a full practical examination in order to 
> become certified. 
> 
> http://www.iacertification.org
> --------------------------------------------------------------
> ----------
> 

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBTDdE+4yVGB+6GuDwEQJBbgCgxILU27FqQ3mlH49cYL+txC3WCC4An0Zd
rGZ0NHYdaCYN4tGKCCeKLx/s
=nauF
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ