Cisco SNMP flaw allows for DoS attacks
A coding flaw in Cisco's Internetwork Operating System (IOS) software for certain routers and switches could leave networks vulnerable to denial-of-service attacks.
Though the company reports no known exploits at this time, it admits that the vulnerability in its SNMP message processing could be used to remotely trigger a reload of the device; if done repeatedly, this could create a sustained DoS.
SNMP, or Simple Network Management Protocol, is commonly used to monitor and manage network devices, US-CERT reported in its advisory issued Tuesday.
The flaw was introduced through a code change for CSDeb22276, according to a Cisco advisory. Numerous release trains are vulnerable, including 12.0S, 12.1E, 12.2, 12.2S, 12.3, 12.3B and 12.3. To determine whether a system is affected, log on to the device, issue the show version command and compare the reported release with the affected releases listed in the official advisory.
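The show version check described above can be scripted across an inventory. The following is an added example, not code from Cisco or from the article: the device names and show version lines are constructed samples, the function names are hypothetical, and the train list is the one printed in this article, so a match only means the exact release still has to be compared with the advisory.

```python
import re

# Release trains named in the article (assumption: used only as a first
# filter; the Cisco advisory is the authoritative list of affected releases).
LISTED_TRAINS = {"12.0S", "12.1E", "12.2", "12.2S", "12.3", "12.3B"}

# "Version 12.2(15)T5" -> base "12.2", maintenance "15", train letters "T", rebuild "5"
VERSION_RE = re.compile(r"Version\s+(\d+\.\d+)\((\d+[a-z]?)\)([A-Z]*)(\d*)")

# Constructed sample 'show version' banner lines, keyed by made-up hostnames.
SAMPLES = {
    "edge-rtr-1": "IOS (tm) 7200 Software (C7200-JS-M), Version 12.3(4)B, RELEASE SOFTWARE (fc1)",
    "core-rtr-1": "IOS (tm) GS Software (C12KPRP-P-M), Version 12.0(24)S3, RELEASE SOFTWARE (fc1)",
    "lab-rtr-1": "IOS (tm) C2600 Software (C2600-I-M), Version 12.2(15)T5, RELEASE SOFTWARE (fc1)",
    "branch-rtr-1": "IOS (tm) C3700 Software (C3725-I-M), Version 12.3(5a), RELEASE SOFTWARE (fc1)",
    "mystery": "ROM: System Bootstrap",
}

def parse_ios_version(show_version_text):
    """Return (full_version, train) from 'show version' output, or None."""
    m = VERSION_RE.search(show_version_text)
    if not m:
        return None
    base, maint, letters, rebuild = m.groups()
    # Mainline releases carry no train letters, so the train is just the base.
    return f"{base}({maint}){letters}{rebuild}", base + letters

def triage(show_version_text):
    """Classify one device as 'check advisory', 'not listed' or 'unknown'."""
    parsed = parse_ios_version(show_version_text)
    if parsed is None:
        return "unknown: no IOS version string found"
    full, train = parsed
    if train in LISTED_TRAINS:
        return f"check advisory: {full} is in listed train {train}"
    return f"not listed: {full} (train {train})"

if __name__ == "__main__":
    for host, banner in SAMPLES.items():
        print(f"{host}: {triage(banner)}")
```

Devices reported as "unknown" need a manual look, since the banner did not contain a parseable IOS version.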
Normally, all solicited SNMP operations use the well-known User Datagram Protocol (UDP) ports 161 and 162 to communicate. Cisco IOS also uses randomly selected UDP ports within a certain range to listen for unsolicited messages. But the flawed IOS SNMP tries to process solicited operations on both UDP port 162 and a random UDP port, which can cause memory corruption and lead the system to reboot.
Cisco encourages admins to upgrade to a non-vulnerable version of IOS and, in the interim, to disable SNMP on affected devices. To help mitigate remote attacks, SNMPv1 and SNMPv2c check SNMP community strings against solicited operations for authentication, but SNMPv3 will not, according to the Cisco advisory.
The SNMP flaw comes on top of several other Cisco vulnerabilities announced Tuesday. One in particular warns that some versions of Cisco Wireless LAN Solution Engine and Cisco Hosting Solution Engine contain hard-coded usernames and passwords. That means a user aware of the default account information can access a vulnerable device and gain administrative control to add or delete users and change configurations.
More on the just-released Cisco vulnerabilities can be found on the Cisco site.