-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there:

Once again, this is Dario Ciccarone with the Cisco PSIRT. This email's purpose is to provide our conclusions on the investigation we performed on this issue.

First, we would like to thank Mr. Shang Tsung for his help and cooperation during our investigation - Mr. Tsung did indeed provide the Cisco PSIRT with all the information required to investigate and reproduce the issue.

Second, this *is* indeed a vulnerability on Cisco IOS that *can be triggered* by an nmap scan. But before everyone runs to the nearest Linux box to run an nmap scan against their neighbor's network and attempts to trigger it: this is a *known* and *previously publicly disclosed* vulnerability, for which the Cisco PSIRT published an advisory back in 2004: "Cisco Security Advisory: Vulnerabilities in SNMP Message Processing" - which can be found at http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml . The bug ID on our bug database being CSCed68575.

The original advisory did make clear that the effect of the vulnerability would be a crash and reload of the device, provided workarounds and, as usual on Cisco Security Advisories, a list of fixed software releases.

At this time, we consider the case closed. And again, we would like to thank Mr Tsung for his help and cooperation on driving this issue to a satisfactory outcome.

<bit of advertising follows>

Cisco provides access to our Security Vulnerability Policy at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html - which includes not only information on how to contact the Cisco PSIRT, but details on the process we follow with any reported vulnerability.

Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports.
Any researcher or customer, with or without a support contract, is encouraged to contact us at ps...@cisco.com so we can work together on the investigation of any purported security vulnerability on any Cisco product.

</bit of advertising ends>

Thanks,
Dario

Dario Ciccarone <dcicc...@cisco.com>
Incident Manager - CCIE #10395
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
+1 212 714 4218
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt

> -----Original Message-----
> From: listbou...@securityfocus.com
> [mailto:listbou...@securityfocus.com] On Behalf Of Shang Tsung
> Sent: Wednesday, June 30, 2010 7:04 AM
> To: pen-t...@securityfocus.com
> Subject: Should nmap cause a DoS on cisco routers?
>
> Hello,
>
> Some days ago, I had the task to discover the SNMP version that our
> servers and networking devices use. So I ran nmap using the
> following command:
>
> nmap -sU -sV -p 161-162 -iL target_file.txt
>
> This command was supposed to use UDP to probe ports 161 and 162, which
> are used for SNMP and SNMP Trap respectively, and return the SNMP
> version.
>
> This "innocent" command caused most networking devices to crash and
> reboot, causing a Denial of Service attack and bringing down the
> network.
>
> Now my question is.. Should this have happened? Can nmap bring the whole
> network down from one single machine?
>
> Is this a configuration error of the networking devices?
>
> This is scary...
>
> Shang Tsung

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBTDdE+4yVGB+6GuDwEQJBbgCgxILU27FqQ3mlH49cYL+txC3WCC4An0Zd
rGZ0NHYdaCYN4tGKCCeKLx/s
=nauF
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/