>>>>> "jw" == Joshua Wright <Joshua.Wrightat_private> writes:

jw> I have been experimenting with the PROTOS SNMP test cases for req-app test
jw> material against my Cisco 2621 running 12.0(7)T. I have been able to
jw> reliably force the router to crash/dump and reload when I have "snmp-server
jw> community public RO" or "snmp-server host 1.1.1.1 public" configured on the
jw> router, but am unable to DoS the router when configured with a community
jw> string that does not match the one used in the PROTOS test cases.

jw> The CERT advisory indicates that simply changing the community to a
jw> hard-to-guess value is "not sufficient to mitigate the impact of these
jw> vulnerabilities". Cisco also recommends applying ACLs to stop unspecified
jw> hosts from contacting UDP/161 on the router.

jw> Has anyone confirmed that Cisco and other vendors are subject to a DoS
jw> through the PROTOS test suite without prior knowledge of the SNMP community
jw> string?

Cisco in particular has a hefty problem on their hands. They have
such a broad product range, and so many versions of software, that no
one person has their head around the entire thing. Add in other
vendors, and you've got a real party.

Be very specific when asking these questions, or you'll get
conflicting answers.

Some versions of Cisco IOS on some platforms are vulnerable,
regardless of community string and ACL. Some are only vulnerable if
you have a valid string and know what IP to source your packets from.
The same is true of other vendors' products. Many are safe unless you
know the string, but there are enough for which the string does not
matter at all.

Just due to the nature, rec-enc is more likely to cause problems when
you don't know the string.

ericb
--
Eric Brandwine     |  UNIX is the answer, but only if you phrase the question
UUNetwork Security |  very carefully.
ericbat_private    |
+1 703 886 6038    |      - Usenet
Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E
This archive was generated by hypermail 2b30 : Fri Feb 15 2002 - 09:57:49 PST
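
Added example (not part of the original messages, and not any vendor's code): a minimal SNMPv1 front end showing why encoding-level test cases can matter without the community string while application-level ones need it. Per RFC 1157 the community sits inside the BER-encoded message, so the decoder runs on every datagram before the community can be compared; `handle`, `parse_header`, the configured community and the sample datagrams are constructed for illustration.

```python
import hmac

class BERError(ValueError):
    """Raised when the datagram is not well-formed definite-length BER."""

def read_tlv(buf, pos, want_tag):
    """Read one TLV with the expected tag at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise BERError("truncated or unexpected tag")
    length, pos = buf[pos + 1], pos + 2
    if length == 0x80:
        raise BERError("indefinite length")
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n > 4 or pos + n > len(buf):
            raise BERError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):  # declared length overruns the data
        raise BERError("length exceeds buffer")
    return buf[pos:pos + length], pos + length

def parse_header(datagram):
    """RFC 1157 wrapper: SEQUENCE { version INTEGER, community OCTET STRING, PDU }."""
    body, end = read_tlv(datagram, 0, 0x30)
    if end != len(datagram):
        raise BERError("trailing bytes")
    version, pos = read_tlv(body, 0, 0x02)
    community, pos = read_tlv(body, pos, 0x04)
    return int.from_bytes(version, "big"), community, body[pos:]

def handle(datagram, configured=b"s3cret-constructed"):
    """Return the stage at which the datagram stops (hypothetical agent front end)."""
    try:
        _, community, _pdu = parse_header(datagram)
    except BERError:
        return "rejected-by-decoder"  # community was never examined
    if not hmac.compare_digest(community, configured):
        return "rejected-by-community"  # PDU handlers never run
    return "dispatched-to-application"

def tlv(tag, value):  # short-form encoder used only to build the constructed samples
    return bytes([tag, len(value)]) + value

# Constructed samples: a GetRequest PDU with an empty varbind list.
PDU = tlv(0xA0, b"\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30\x00")
GOOD = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"s3cret-constructed") + PDU)
WRONG = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"public") + PDU)
# Community field declares 0x7f bytes but only 6 follow: an encoding fault.
BAD_ENC = tlv(0x30, tlv(0x02, b"\x00") + b"\x04\x7f" + b"public")
```

A decoder that lacks the bounds checks in `read_tlv` is exposed to the third sample whatever community is configured, which is why a community change alone does not cover encoding-level faults.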