[c-nsp] many 2960-X rebooting today

Bryan Holloway bryan at shout.net
Fri Mar 16 17:44:10 EDT 2018


We ran into this on 3750Xs back in July.

Sometimes we saw this:

%PLATFORM-1-CRASHED: Debug Exception (Could be NULL pointer dereference) Exception (0x2000)!

c.f.: https://lists.gt.net/cisco/nsp/197344

There are links to Cisco's "response" on the matter ...


On 3/16/18 2:27 PM, Nick Cutting wrote:
> I'm reasonably certain it was exploited - the last MSG is related to the bug.
> 
> "Stack for process SMI IBC server process running low"
> 
> 
> -----Original Message-----
> From: Brandon Applegate [mailto:brandon at burn.net]
> Sent: Friday, March 16, 2018 2:28 PM
> To: Nick Cutting <ncutting at edgetg.com>
> Cc: cisco-nsp mailing list <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] many 2960-X rebooting today
> 
> 
>> On Mar 16, 2018, at 2:08 PM, Nick Cutting <ncutting at edgetg.com> wrote:
>>
>> Thanks we have disabled this now - It is in our new build script, these were rolled out a few months ago.
>>
>> I guess there is no way of seeing if this exploit was executed, perhaps in the crashdump somewhere?
> 
> I’m struggling to remember.  I want to say you will see a %SYS-5-CONFIG - Configured from XXX by YYY message.
> 
> The questions become:
> 
> - Are you syslogging out to a server that would have caught this?
> - Is there any IP in there of where it was originated from?
>   - If so - other than an abuse report to the respective ISP and blocking the IP - what can be done?
> 
> I guess the other thing I’d add - is if there’s any weak crypto (type 7, or even a weak type 5 etc.) passwords or keys in your config, you might want to change these.  In other words, assume they have a copy of your config and act accordingly.
> 
> PS: This is all assuming it was an exploit like this in the first place.
> 
> --
> Brandon Applegate - CCIE 10273
> PGP Key fingerprint: 0641 D285 A36F 533A 73E5  2541 4920 533C C616 703A
> "For thousands of years men dreamed of pacts with demons.
> Only now are such things possible."
> 
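
The checks raised in the thread above (syslog for "%SYS-5-CONFIG ... Configured from XXX by YYY" messages and any originating IP, the crash messages quoted, and type 7 or type 5 secrets left in the config), as an added Python example that is not from any poster in the thread. The sample log and config lines are constructed, the addresses are documentation ranges, and the function names are hypothetical.

```python
import re

# Constructed sample syslog lines (not from the posters' switches).
SAMPLE_LOG = """\
Mar 16 13:02:11 sw1: %SYS-5-CONFIG_I: Configured from tftp://198.51.100.23/cfg.txt by console
Mar 16 13:02:40 sw1: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
Mar 16 13:05:09 sw2: Stack for process SMI IBC server process running low
Mar 16 13:05:10 sw2: %PLATFORM-1-CRASHED: Debug Exception (Could be NULL pointer dereference) Exception (0x2000)!
Mar 16 13:09:00 sw3: %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up
"""
# Constructed config fragment; the secret strings are placeholders, not real hashes.
SAMPLE_CONFIG = """\
enable secret 5 $1$CONS$PLACEHOLDERHASH
username ops password 7 0000PLACEHOLDER
line vty 0 4
 password 7 0000PLACEHOLDER
 login
"""

CONFIG_RE = re.compile(r"%SYS-5-CONFIG\w*: Configured from (\S+) by (.+)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CRASH_MARKERS = ("SMI IBC server process running low", "%PLATFORM-1-CRASHED")
SECRET_RE = re.compile(r"\b(password|secret|key)\s+([57])\s+\S+")

def triage_log(text):
    """Return (config_events, crash_lines) found in syslog text."""
    config_events, crash_lines = [], []
    for line in text.splitlines():
        m = CONFIG_RE.search(line)
        if m:
            source, actor = m.groups()
            # Any IP in the "from"/"by" fields is the lead on where the change came from.
            ips = IPV4_RE.findall(source + " " + actor)
            config_events.append({"source": source, "by": actor, "ips": ips})
        elif any(marker in line for marker in CRASH_MARKERS):
            crash_lines.append(line)
    return config_events, crash_lines

def weak_secrets(config):
    """Return (line_no, type, line) for type 7 (reversible) and type 5 (MD5) secrets."""
    hits = []
    for n, line in enumerate(config.splitlines(), 1):
        m = SECRET_RE.search(line)
        if m:
            hits.append((n, int(m.group(2)), line.strip()))
    return hits

if __name__ == "__main__":
    events, crashes = triage_log(SAMPLE_LOG)
    for e in events:
        print("config change:", e["source"], "by", e["by"], "ips:", e["ips"])
    print(len(crashes), "crash-related lines")
    for hit in weak_secrets(SAMPLE_CONFIG):
        print("rotate: line %d type %d: %s" % hit)
```

This only works if the switches were already logging to a remote syslog server; the local buffer does not survive the reboot.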

