Re: snmp problems still alive...

From: Damir Rajnovic (drajnoviat_private)
Date: Thu Feb 17 2000 - 06:47:54 PST


    Hello there,
    
    Since I am mentioned here it deserves a reply.
    
    At 18:18 15/02/2000 -0500, John Comeau wrote:
    >Cisco 1924s for sure have "public" as rw string and "private" for ro,
    >and I'm about 80% sure the 2924 does too.
    >
    >Many Cisco routers have an snmp "feature" with security ramifications
    >which Damir Rajnovic has agreed to post to Bugtraq (as of Jan. 1), but I
    >guess Cisco's lawyers have to hash it out for a few more weeks before
    >he'll be allowed to. If he doesn't, I will - jc
    
    I still owe a reply to John and a wider audience and I am aware of that.
    It is true that John found a 'feature' that is a cause of some concern
    and the only reason why I did not disclose it is that it is not fixed yet.
    I am assuring you that lawyers do not have anything to do with that. A fix
    is a documentation fix. I was assured by people who are writing that
    part of code (SNMP) that this particular behavior is according to the
    specification (SNMPv3).
    
    Mind you, I am not downplaying the significance of that issue but merely
    stating the facts.
    
    Cheers,
    
    Gaus
    ==============
    Damir Rajnovic <psirtat_private>, PSIRT Incident Manager, Cisco Systems
    <http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
    Phone: +44 7715 546 033
    4 The Square, Stockley Park, Uxbridge, MIDDLESEX UB11 1BN, GB
    ==============
    There is no insolvable problems. Question remains: can you
    accept the solution?
    


