Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Should nmap cause a DoS on cisco routers?
From: "Dario Ciccarone (dciccaro)" <dciccaro () cisco com>
Date: Fri, 9 Jul 2010 10:49:15 -0500

Hash: SHA1

Hi there:

        Once again, this is Dario Ciccarone with the Cisco PSIRT. This
email's purpose is to provide our conclusions on the investigation we
performed on this issue. 

        First, we would like to thank Mr. Shang Tsung for his help and
cooperation during our investigation - Mr. Tsung did indeed provide
the Cisco PSIRT with all the information required to investigate and
reproduce the issue.

        Second, this *is* indeed a vulnerability on Cisco IOS that *can
triggered* by an nmap scan. But before everyone run to the nearest
Linux box to run an nmap scan against their neighbor's network and
attempts to trigger it: this is a *known* and *previously publicly
disclosed* vulnerability, for which the Cisco PSIRT published an
advisory back in 2004:

        "Cisco Security Advisory: Vulnerabilities in SNMP Message
Processing" - which can be found at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml .
The bug ID on our bug database being CSCed68575.

        The original advisory did make clear that the effect of the
vulnerability would be a crash and reload of the device, provided
workarounds and as usual on Cisco Security Advisories, a list of
fixed software releases.

        At this time, we consider the case closed. And again, we would
to thank Mr Tsung for his help and cooperation on driving this issue
to a satisfactory outcome.

        <bit of advertising follows>

        Cisco provides access to our Security Vulnerability Policy at
licy.html - which includes not only information on how to contact the
Cisco PSIRT, but details on the process we follow with any reported

        Cisco PSIRT greatly appreciates the opportunity to work with
researchers on security vulnerabilities and welcomes the opportunity
to review and assist in product reports. Any researcher or customer,
with or without a support contract, is encouraged to contact us at
psirt () cisco com so we can work together on the investigation of any
purported security vulnerability on any Cisco product.

        </bit of advertising ends>


Dario Ciccarone <dciccaro () cisco com>
Incident Manager - CCIE #10395 
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
+1 212 714 4218
PGP Key ID: 0xBA1AE0F0



-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Shang Tsung
Sent: Wednesday, June 30, 2010 7:04 AM
To: pen-test () securityfocus com
Subject: Should nmap cause a DoS on cisco routers?


Some days ago, I had the task to discover the SNMP version that our
 servers and networking devices use. So I run nmap using the
following  command:

nmap -sU -sV -p 161-162 -iL target_file.txt

This command was supposed to use UDP to probe ports 161 and 
162, which 
are used for SNMP and SNMP Trap respectively, and return the SNMP 

This "innocent" command caused most networking devices to crash and
 reboot, causing a Denial of Service attack and bringing down the 

Now my question is.. Should this had happened? Can nmap bring 
the whole 
network down from one single machine?

Is this a configuration error of the networking devices?

This is scary...

Shang Tsung


This list is sponsored by: Information Assurance 
Certification Review Board

Prove to peers and potential employers without a doubt that 
you can actually do a proper penetration test. IACRB CPT and 
CEPT certs require a full practical examination in order to 
become certified. 


Version: PGP 8.1


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]