New Cisco switch flaw could lead to DoS attacks
The vulnerability exists in Cisco's Internetwork Operating System SNMP service
Computerworld - The Department of Homeland Security and US-CERT are warning of a serious vulnerability affecting several Cisco Systems Inc. switches and routers that could result in sustained denial-of-service conditions.
The flaw exists in Cisco's Internetwork Operating System (IOS) SNMP service and could allow remote attackers to cause vulnerable systems to repeatedly reboot when processing specific SNMP requests. If carried out long enough, such attacks could lead to sustained DoS conditions, the US-CERT said in an advisory posted earlier today.
The latest SNMP vulnerability is different from a previous flaw also affecting IOS that was announced by Cisco yesterday. That vulnerability had to do with a flaw in the TCP specification and is not specific to Cisco products.
According to a statement on Cisco's site, the latest SNMP vulnerability affects only certain releases of IOS software. Affected versions include 12.0S, 12.1E, 12.2, 12.2S, 12.3, 12.3B and 12.3T.
Several factors make the SNMP vulnerability particularly dangerous, said Amit Yoran, director of the National Cyber Security Division of the DHS, in a news conference announcing the flaw this morning.
Among them are the breadth of Cisco products affected by the flaw, the widespread deployment of such products and the fact that it is relatively easy for attackers to take advantage of the vulnerability, Yoran said. The fact that few preconditions need to exist for it to be exploited is another major reason for concern, Yoran said.
"A freshman programmer can attack this vulnerability and crash a router," Yoran said.
"There's very little by way of resources that is needed to mount an attack," said Shawn Hernan, a member of CERT's technical staff. "An ordinary desktop is more than sufficient" to take advantage of the flaw, Hernan said. Even companies that follow security best practices are unlikely to be safe from attacks.
As a result, the best approach is to apply patches Cisco has made available as soon as possible, Hernan said.
Cisco also announced several work-arounds. Recommended fixes include disabling SNMP processing on devices running affected versions of IOS, using access-control lists to block traffic to affected ports and blocking individual ports.
Such work-arounds, though, are complex to implement and may require local expertise, Hernan said.
In many cases they may also require crucial services to be disabled as a result, Yoran said. The work-arounds depend "very much on local considerations. This is not something where standard best practices are going to be effective," he said.
Given the serious nature of the flaw, the US-CERT has been in touch

