[nsp] recent SNMP vulnerability vs 12.1(13)E14

Clayton Kossmeyer ckossmey at cisco.com
Fri Apr 23 16:35:23 EDT 2004 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Sorry, some of that wasn't as clear as it should be.

To summarize:

- - The presence of the high port does NOT imply you're vulnerable.  The
absence of the high port DOES mean you're NOT vulnerable.

- - The high port was added to support SNMP inform capability, and is
not present in older IOS, but is present in many releases that are not
affected by the vulnerability being discussed here.

- - I'll see about adding text to make the above more obvious.

HTH,

Clay


On Fri, Apr 23, 2004 at 04:21:02PM -0400, Clayton Kossmeyer wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Just because that high port is there doesn't mean the box is
> vulnerable.
> 
> The high port was added to support SNMP inform capability, and is not
> present throughout all of IOS.
> 
> The advisory does not state that the presence of the high port
> indicates that a release is vulnerable, only that if vulnerable you
> can see the high port with "sh ip sockets".
> 
> I'll see about making that part more clear.
> 
> Believe what you will, but the Affected Products section is
> correct. ;)
> 
> Regards,
> 
> Clay
> 
> On Fri, Apr 23, 2004 at 03:19:32PM -0400, lee.e.rian at census.gov wrote:
> > 
> > I wouldn't go solely on the 'all affected versions' either.  A 'sh ip sock'
> > on a vulnerable router did have
> >  17   --listen--          10.1.3.145        162   0   0   11   0
> >  17   --listen--          10.1.3.145      58398   0   0   11   0
> > like the advisory said it would.  I didn't see anything like that on
> > routers running other IOS versions.
> > 
> > Regards,
> > Lee
> > 
> > 
> > 
> > 
> > |---------+--------------------------------->
> > |         |           Kinczli Zolt?n        |
> > |         |           <Zoltan.Kinczli at Synerg|
> > |         |           on.hu>                |
> > |         |           Sent by:              |
> > |         |           cisco-nsp-bounces at puck|
> > |         |           .nether.net           |
> > |         |                                 |
> > |         |                                 |
> > |         |           04/23/2004 02:48 PM   |
> > |         |                                 |
> > |---------+--------------------------------->
> >   >---------------------------------------------------------------------------------------------------------------------------------------------|
> >   |                                                                                                                                             |
> >   |       To:       "Pete Kruckenberg" <pete at kruckenberg.com>, "Jay Young" <jay at net.ohio-state.edu>                                             |
> >   |       cc:       cisco-nsp at puck.nether.net                                                                                                   |
> >   |       Subject:  RE: [nsp] recent SNMP vulnerability  vs 12.1(13)E14                                                                         |
> >   >---------------------------------------------------------------------------------------------------------------------------------------------|
> > 
> > 
> > 
> > 
> > hello,
> > 
> >   I'd not trust the 'all afected version' solely.
> > Sometimes it contains obviously contradicting data.
> > 
> >   I'd not leave my border router alone out there in the dark,
> > just based on the 'all afffected vesrion' info...
> > 
> > rgds
> >  --zoltan
> > 
> > -----Original Message-----
> > From: Pete Kruckenberg [mailto:pete at kruckenberg.com]
> > Sent: Friday, April 23, 2004 8:15 PM
> > To: Jay Young
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [nsp] recent SNMP vulnerability vs 12.1(13)E14
> > 
> > 
> > It's well worth your while to look up Cisco Bug IDs
> > CSCed27956 and CSCed38527 (registered customers only). Look
> > at the "First Found in Version" section and click on the
> > "All Affected Versions".
> > 
> > The list is long, about 1600 versions or so, but it might
> > save you the trouble of upgrading if your specific IOS
> > version isn't vulnerable.
> > 
> > Pete.
> > 
> > On Fri, 23 Apr 2004, Jay Young wrote:
> > 
> > > Date: Fri, 23 Apr 2004 09:45:42 -0400
> > > From: Jay Young <jay at net.ohio-state.edu>
> > > To: cisco-nsp at puck.nether.net
> > > Subject: Re: [nsp] recent SNMP vulnerability  vs 12.1(13)E14
> > >
> > > Along a similar line what about 12.2.18S3 the advisory says that 12.2S
> > > is vulnerable and the fix is 12.2.20S2 or 12.2.22S. Neither of which is
> > > available for a 7200.
> > >
> > > Thanks,
> > > Jay
> > >
> > >
> > > Kinczli Zolt?n wrote:
> > > > hello,
> > > >
> > > >   Is 12.1(13)E14 affected by the latest SNMP vulnerability?
> > >
> > >
> > >
> > 
> > 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > 
> > 
> > 
> > 
> > 
> > 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (SunOS)
> 
> iD8DBQFAiXqsEHa/Ybuq8nARAuoGAKCPS48kma2YUsci6mvHyIzPMcJOZACfZ9ad
> UJCbPrpKbAh6buxlJ67Y5N8=
> =YMlD
> -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SunOS)

iD8DBQFAiX4HEHa/Ybuq8nARAuR2AJ408G/CHG9I718NxgYCcdnkeec3lgCfVJul
a9VQJBOuejkLJ7cpqICkHGI=
=mtiZ
-----END PGP SIGNATURE-----

More information about the cisco-nsp mailing list