
snmp sig

rwebster
Level 1

Last "Patch Tuesday" there was a serious vulnerability reported for Microsoft that could be exploited via an SNMP buffer overflow. But there does not seem to be a Cisco signature yet. Is there any status on this?


rupadras
Cisco Employee

Due to the nature of the vulnerability we are unable to create a signature with sufficient fidelity. These types of vulnerabilities are best suited to end point security systems such as CSA and are unsuitable for network detection.

I am confused. One post shows that you do have a signature, 5274. But you say that this kind of attack is not suited to network detection? This does not make sense to me. It is my understanding that it is a buffer overflow. SNMP is often poorly compliant with RFCs, but this is definitely a network-based issue and as a customer that owns IPS and not CSA it sounds like you are leaving us out on a limb. This is exactly why we have Cisco IPS, that is to identify when someone uses a network-based exploit to attack us. If Cisco will not be emphasizing this kind of issue on IPS then perhaps we should be investigating a better solution. This is a very disappointing and scary response.

Ok, I see the 5274 is not a signature. But I need Cisco to figure this out. If I need CSA, I really do need a different IPS. CSA is not an option for me.

Ok, here is what your competition has to say, below. They do have a signature. If it is a single UDP packet, why can't it be detected? This could be Slammer all over again.

In addition, SecurityFocus claims to have an exploit.

http://www.securityfocus.com/bid/21537/exploit

"This bulletin covers an integer underflow vulnerability in Windows SNMP. This underflow enables attackers to gain complete control of a remote machine with a single malformed UDP packet that is easily spoofed."

Obviously you've pushed some buttons telling me to go buy something else.

jlimbo
Level 1

Just to add to the information, the signature status of the vulnerability can also be viewed on MySDN:

http://tools.cisco.com/MySDN/Intelligence/searchThreats.x?currentPage=3&st=td&so=d

Thanks, but this link just describes the vulnerability, at least right now. There does not seem to be any signature information.
