Hello there,
Since I am mentioned here it deserves a reply.
At 18:18 15/02/2000 -0500, John Comeau wrote:
>Cisco 1924s for sure have "public" as rw string and "private" for ro,
>and I'm about 80% sure the 2924 does too.
>
>Many Cisco routers have an snmp "feature" with security ramifications
>which Damir Rajnovic has agreed to post to Bugtraq (as of Jan. 1), but I
>guess Cisco's lawyers have to hash it out for a few more weeks before
>he'll be allowed to. If he doesn't, I will - jc
I still own a reply to John and wider audience and I am aware of that.
It is true that John found a 'feature' that is cause of some concern
and the only reason why I did not disclose it is that is not fixed jet.
I am assuring you that lawyers do not have anything with that. A fix
is a documentation fix. I was assured by people who are writing that
part of code (SNMP) that this particular behavior is according to the
specification (SNMPv3).
Mind you, I am not downplaying significance of that issue but merely
stating the facts.
Cheers,
Gaus
==============
Damir Rajnovic <[EMAIL PROTECTED]>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
Phone: +44 7715 546 033
4 The Square, Stockley Park, Uxbridge, MIDDLESEX UB11 1BN, GB
==============
There is no insolvable problems. Question remains: can you
accept the solution?
