Cisco Support Community

New Member

snmp sig

Last "Patch Tuesday" there was a serious vulnerability reported for Microsoft that could be exploited via an SNMP buffer overflow. But there does not seem to be a Cisco signature yet. Is there any status on this?

6 REPLIES
Cisco Employee

Re: snmp sig

Due to the nature of the vulnerability we are unable to create a signature with sufficient fidelity. These types of vulnerabilities are best suited to end point security systems such as CSA and are unsuitable for network detection.

New Member

Re: snmp sig

I am confused. One post shows that you do have a signature, 5274. But you say that this kind of attack is not suited to network detection? This does not make sense to me. It is my understanding that it is a buffer overflow. SNMP is often poorly compliant with RFCs, but this is definitely a network-based issue, and as a customer that owns IPS and not CSA it sounds like you are leaving us out on a limb. This is exactly why we have Cisco IPS, that is, to identify when someone uses a network-based exploit to attack us. If Cisco will not be emphasizing this kind of issue on IPS then perhaps we should be investigating a better solution. This is a very disappointing and scary response.

New Member

Re: snmp sig

Ok, I see the 5274 is not a signature. But I need Cisco to figure this out. If I need CSA, I really do need a different IPS. CSA is not an option for me.

New Member

Re: snmp sig

Ok, here is what your competition has to say, below. They do have a signature. If it is a single UDP packet, why can't it be detected? This could be Slammer all over again.

In addition, SecurityFocus claims to have an exploit.

http://www.securityfocus.com/bid/21537/exploit

"This bulletin covers an integer underflow vulnerability in Windows SNMP. This underflow enables attackers to gain complete control of a remote machine with a single malformed UDP packet that is easily spoofed."

Obviously you've pushed some buttons telling me to go buy something else.

New Member

Re: snmp sig

Just to add to the information, the signature status of the vulnerability can also be viewed on MySDN:

http://tools.cisco.com/MySDN/Intelligence/searchThreats.x?currentPage=3&st=td&so=d

New Member

Re: snmp sig

Thanks, but this link just describes the vulnerability, at least right now. There does not seem to be any signature information.
