topic snmp sig in Network Security

snmp sig

rwebster — Sun, 10 Mar 2019 10:23:11 GMT

Last "Patch Tuesday" there was a serious vulnerability reported for Microsoft that could be exploited via an SNMP buffer overflow. But there does not seem to be a Cisco signature yet. Is there any status on this?

Re: snmp sig

rupadras — Wed, 20 Dec 2006 22:52:21 GMT

Due to the nature of the vulnerability we are unable to create a signature with sufficient fidelity. These types of vulnerabilities are best suited to end point security systems such as CSA and are unsuitable for network detection.

Re: snmp sig

jlimbo — Thu, 21 Dec 2006 02:05:26 GMT

Just to add to the information, the signature status of the vulnerability can also be viewed on MySDN:

http://tools.cisco.com/MySDN/Intelligence/searchThreats.x?currentPage=3&st=td&so=d

Re: snmp sig

rwebster — Thu, 21 Dec 2006 14:55:50 GMT

I am confused. One post shows that you do have a signature, 5274. But you say that this kind of attack is not suited to network detection? This does not make sense to me. It is my understanding that it is a buffer overflow. SNMP is often poorly compliant with RFC's but this is definately a network based issue and as a customer that owns IPS and not CSA it sounds like you are leaving us out on a limb. This is exactly why we have Cisco IPS, that is to identify when someone uses a network based exploit to attack us. If Cisco will not be emphasizing this kind of issue on IPS then perhaps we should be investigating a better solution. This is a very disappointing and scary response.

Re: snmp sig

rwebster — Thu, 21 Dec 2006 15:12:11 GMT

Thanks, but this link just describes the vulnerability, at least right now. There does not seem to be any signature information.

Re: snmp sig

rwebster — Thu, 21 Dec 2006 15:24:13 GMT

Ok, I see the 5274 is not a signature. But I need Cisco to figure this out. If I need CSA, I really do need a different IPS. CSA is not an option for me.

Re: snmp sig

rwebster — Thu, 21 Dec 2006 15:36:39 GMT

Ok, here is what your competition has to say, below. They do have a signature. If it is a single udp packet, why can't it be detected? This could be slammer all over again.

In addition Security focus claims to have an exploit.

http://www.securityfocus.com/bid/21537/exploit

"This bulletin covers an integer underflow vulnerability in Windows SNMP. This underflow enables attackers to gain complete control of a remote machine with a single malformed UDP packet that is easily spoofed."

Obviously you've pushed some buttons telling me to go buy something else.