Re: snmp vulns, symptoms, S-train

From: Jared Mauch (jared@puck.nether.net)
Date: Mon Feb 25 2002 - 10:08:56 EST


        12.0(19.6)S has a memory leak in snmp.

        I can dig up the bugid if it's overly important for you to know
the exact details.

        You are not seeing the snmp vuln.

        - jared

On Sun, Feb 24, 2002 at 11:09:41PM -0500, Charles Sprickman wrote:
> Hi,
>
> I'd read the advisory, and I *thought* I had the workaround correct, but
> now I'm thinking it's not... One of our routers stopped speaking ospf and
> could not be telnet'd or ssh'd to. I hit the console from our term server
> and just got the message:
>
> %% Low on memory; try again later
>
> Ugh. Looking over at the loghost I found this repeated over and over:
>
> Feb 23 23:58:42 edge-1-loopback-var 936: -Process= "IP SNMP", ipl= 0, pid=
> 60
> Feb 23 23:58:42 edge-1-loopback-var 937: -Traceback= 60253188 60254E40
> 605EC934 605F1388 605F3410 60611B4C 605EDF20 605EDEA0 60601E78 60323B70
> 6024C67C 6024C668
> Feb 23 23:59:12 edge-1-loopback-var 938:
> Feb 24 04:59:11.806 UTC: %SYS-2-MALLOCFAIL: Memory allocation of 16 bytes
> failed from 0x605EC92C, alignment 0
> Feb 23 23:59:12 edge-1-loopback-var 939: Pool: Processor Free: 7748 Cause: Mem ory fragmentation
> Feb 23 23:59:12 edge-1-loopback-var 940: Alternate Pool: None Free: 0
> Cause: No Alternate pool
>
> This repeats, and eventually a similar message about the OSPF process
> starts appearing, and that's when I started getting pages. I killed all
> the links back to this router from the other side, and after about five
> minutes the console came back and I was able to disable snmp completely
> and reload it. Been fine so far...
>
> So is this the "expected" result of the snmp bug being fondled remotely?
>
> This router is on: 12.0(19.6)S, others are running: 12.0(20.3)S1.
>
> Any issues in going up to the latest "S"?
>
> Hope some of this info helps; it seems like if you can isolate the router
> from the net while under attack, you may be able to save a trip in to flip
> the power switch...
>
> Thanks,
>
> Charles
>
> | Charles Sprickman | Internet Channel
> | INCH System Administration Team | (212)243-5200
> | spork@inch.com | access@inch.com
>
>
>

-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:06 EDT