Re: [apops] Cisco SNMP Vulnerability

  • To: Sharif Torpis <faust at grift dot com>
  • Subject: Re: [apops] Cisco SNMP Vulnerability
  • From: Jake <jakechin at pacific dot net dot sg>
  • Date: Wed, 28 Feb 2001 11:05:31 +0800
  • Cc: apops at lists dot apnic dot net
  • References: <200102280125.RAA15811@shell16.ba.best.com>
  • Reply-to: jakechin@pacific.net.sg
  • Sender: owner-apops@lists.apnic.net
  • User-agent: Mozilla/5.0 (Windows; U; Win98; en-US; m18) Gecko/20001108 Netscape6/6.0
      Hi Sharif,
      
      I hope by replying to this mail too, I will help to get some momentum 
      going in the mailing list. With regards to the vulnerabilities, here's 
      what I got from a Cisco guy:
      
      1. Versions 11.x and 12.0 contain a defect that allows a limited number
      of SNMP objects to be viewed and modified without authorization using an
      undocumented ILMI community string. An affected device might be
      vulnerable to a denial-of-service attack if it is not protected against
      unauthorized use of the ILMI community string. The vulnerability is
      present in every IOS release that contains the supporting software for
      ATM and ILMI.
      
      A software upgrade to fix the problem will be available soon (see
      attached doc). Meanwhile, a workaround can be applied to certain IOS
      releases by disabling the ILMI community and applying an access list to
      prevent unauthorized access to SNMP. Any affected system, regardless of
      software release, may be protected by filtering SNMP traffic at a
      network perimeter or on individual devices.
      
      2. Cisco IOS software releases contain a vulnerability that allows TCP
      Sequence Numbers to be guessed.
      The vulnerability is present in all Cisco IOS releases on Cisco routers
      and switches, as well as several other Cisco products not based on IOS.
      It only affects the security of TCP connections that originate or
      terminate on the affected Cisco device itself; it does not apply to TCP
      traffic that is forwarded through the affected device.
      
      To remove this vulnerability, Cisco is offering free software upgrades
      for all affected platforms. In lieu of a software upgrade, a workaround
      can be applied by filtering traffic with forged IP source addresses at
      a network perimeter or on individual devices.
      
      Cheers
      Jake.
      
      
      Sharif Torpis wrote:
      
      > As an example of the information sharing that was discussed at the APOPS
      > BoF at Apricot yesterday:
      > 
      > http://www.cisco.com/warp/public/707/ios-snmp-ilmi-vuln-pub.shtml
      > 
      > Regards,
      > Sharif
      > 
      > *             APOPS: Asia Pacific Operations Forum              *
      > * To unsubscribe: send "unsubscribe" to apops-request at apnic dot net *
      
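As an added example (not part of the original message or of Cisco's advisory), the sketch below audits a saved IOS configuration for the "apply an access list to SNMP" workaround mentioned in item 1: it flags every configured community that has no access list, references one that is not defined, or references one that permits any source. The sample configuration, community names and the function name `audit_snmp` are constructed for illustration, and only numbered `access-list` entries and communities present in the configuration text are considered.

```python
import re

# Constructed sample running-config fragment (not from the original post).
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.10
access-list 10 deny any
access-list 20 permit any
snmp-server community monitor RO 10
snmp-server community backup RW
snmp-server community legacy RO 20
snmp-server community ghost RO 30
"""

# snmp-server community <string> [view <name>] [RO|RW] [<acl-number>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\d+))?\s*$",
    re.I)
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (.+)$", re.I)


def audit_snmp(config):
    """Return (community, mode, problem) for each weakly protected community."""
    acls = {}          # ACL number -> list of (action, source) entries
    communities = []   # (name, mode, acl-number or None)
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            entry = (m.group(2).lower(), m.group(3).strip().lower())
            acls.setdefault(m.group(1), []).append(entry)
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            communities.append(m.groups())

    findings = []
    for name, mode, acl in communities:
        mode = (mode or "unspecified").upper()
        if acl is None:
            findings.append((name, mode, "no access list"))
        elif acl not in acls:
            findings.append((name, mode, f"access list {acl} not defined"))
        elif ("permit", "any") in acls[acl]:
            findings.append((name, mode, f"access list {acl} permits any source"))
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(finding)
```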