Full Disclosure: Re: Should nmap cause a DoS on cisco routers?

Re: Should nmap cause a DoS on cisco routers?

From: "Dario Ciccarone (dciccaro)" <dciccaro () cisco com>
Date: Fri, 9 Jul 2010 10:49:15 -0500

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there:

        Once again, this is Dario Ciccarone with the Cisco PSIRT. This
email's purpose is to provide our conclusions on the investigation we
performed on this issue. 

        First, we would like to thank Mr. Shang Tsung for his help and
cooperation during our investigation - Mr. Tsung did indeed provide
the Cisco PSIRT with all the information required to investigate and
reproduce the issue.

        Second, this *is* indeed a vulnerability on Cisco IOS that *can
be
triggered* by an nmap scan. But before everyone run to the nearest
Linux box to run an nmap scan against their neighbor's network and
attempts to trigger it: this is a *known* and *previously publicly
disclosed* vulnerability, for which the Cisco PSIRT published an
advisory back in 2004:

        "Cisco Security Advisory: Vulnerabilities in SNMP Message
Processing" - which can be found at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml .
The bug ID on our bug database being CSCed68575.

        The original advisory did make clear that the effect of the
vulnerability would be a crash and reload of the device, provided
workarounds and as usual on Cisco Security Advisories, a list of
fixed software releases.

        At this time, we consider the case closed. And again, we would
like
to thank Mr Tsung for his help and cooperation on driving this issue
to a satisfactory outcome.

        <bit of advertising follows>

        Cisco provides access to our Security Vulnerability Policy at
http://www.cisco.com/en/US/products/products_security_vulnerability_po
licy.html - which includes not only information on how to contact the
Cisco PSIRT, but details on the process we follow with any reported
vulnerability.

        Cisco PSIRT greatly appreciates the opportunity to work with
researchers on security vulnerabilities and welcomes the opportunity
to review and assist in product reports. Any researcher or customer,
with or without a support contract, is encouraged to contact us at
psirt () cisco com so we can work together on the investigation of any
purported security vulnerability on any Cisco product.

        </bit of advertising ends>

        Thanks,
        Dario

Dario Ciccarone <dciccaro () cisco com>
Incident Manager - CCIE #10395 
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
+1 212 714 4218
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Shang Tsung
Sent: Wednesday, June 30, 2010 7:04 AM
To: pen-test () securityfocus com
Subject: Should nmap cause a DoS on cisco routers?

Hello,

Some days ago, I had the task to discover the SNMP version that our
 servers and networking devices use. So I run nmap using the
following  command:

nmap -sU -sV -p 161-162 -iL target_file.txt

This command was supposed to use UDP to probe ports 161 and 
162, which 
are used for SNMP and SNMP Trap respectively, and return the SNMP 
version.

This "innocent" command caused most networking devices to crash and
 reboot, causing a Denial of Service attack and bringing down the 
network.

Now my question is.. Should this had happened? Can nmap bring 
the whole 
network down from one single machine?

Is this a configuration error of the networking devices?

This is scary...

Shang Tsung

--------------------------------------------------------------
----------
This list is sponsored by: Information Assurance 
Certification Review Board

Prove to peers and potential employers without a doubt that 
you can actually do a proper penetration test. IACRB CPT and 
CEPT certs require a full practical examination in order to 
become certified. 

http://www.iacertification.org
--------------------------------------------------------------
----------


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBTDdE+4yVGB+6GuDwEQJBbgCgxILU27FqQ3mlH49cYL+txC3WCC4An0Zd
rGZ0NHYdaCYN4tGKCCeKLx/s
=nauF
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

Re: Should nmap cause a DoS on cisco routers?, (continued)
- Re: Should nmap cause a DoS on cisco routers? Cor Rosielle (Jul 01)
  - Re: Should nmap cause a DoS on cisco routers? Dan Kaminsky (Jul 01)
    - Re: Should nmap cause a DoS on cisco routers? Benji (Jul 01)
- Re: Should nmap cause a DoS on cisco routers? Dario Ciccarone (dciccaro) (Jul 01)
  - WiFi sniffing need to be connected? Vinicius Menezes (Jul 02)
    - Re: WiFi sniffing need to be connected? Tyler Borland (Jul 02)
- Re: Should nmap cause a DoS on cisco routers? Cor Rosielle (Jul 01)
- Re: Should nmap cause a DoS on cisco routers? Dario Ciccarone (dciccaro) (Jul 09)
  - Re: Should nmap cause a DoS on cisco routers? bk (Jul 10)
  - Re: Should nmap cause a DoS on cisco routers? Dobbins, Roland (Jul 10)
    - Re: Should nmap cause a DoS on cisco routers? Curt Purdy (Jul 16)