12-20-2006 09:16 AM - edited 03-10-2019 03:23 AM
Last "Patch Tuesday" there was a serious vulnerability reported for Microsoft that could be exploited via an SNMP buffer overflow. But there does not seem to be a Cisco signature yet. Is there any status on this?
12-20-2006 02:52 PM
Due to the nature of the vulnerability we are unable to create a signature with sufficient fidelity. These types of vulnerabilities are best suited to end point security systems such as CSA and are unsuitable for network detection.
12-21-2006 06:55 AM
I am confused. One post shows that you do have a signature, 5274. But you say that this kind of attack is not suited to network detection? This does not make sense to me. It is my understanding that it is a buffer overflow. SNMP is often poorly compliant with RFCs, but this is definitely a network-based issue, and as a customer that owns IPS and not CSA it sounds like you are leaving us out on a limb. This is exactly why we have Cisco IPS: to identify when someone uses a network-based exploit to attack us. If Cisco will not be emphasizing this kind of issue on IPS, then perhaps we should be investigating a better solution. This is a very disappointing and scary response.
12-21-2006 07:24 AM
Ok, I see the 5274 is not a signature. But I need Cisco to figure this out. If I need CSA, I really do need a different IPS. CSA is not an option for me.
12-21-2006 07:36 AM
Ok, here is what your competition has to say, below. They do have a signature. If it is a single UDP packet, why can't it be detected? This could be Slammer all over again.
In addition, SecurityFocus claims to have an exploit.
http://www.securityfocus.com/bid/21537/exploit
"This bulletin covers an integer underflow vulnerability in Windows SNMP. This underflow enables attackers to gain complete control of a remote machine with a single malformed UDP packet that is easily spoofed."
Obviously you've pushed some buttons telling me to go buy something else.
12-20-2006 06:05 PM
Just to add to the information, the signature status of the vulnerability can also be viewed on MySDN:
http://tools.cisco.com/MySDN/Intelligence/searchThreats.x?currentPage=3&st=td&so=d
12-21-2006 07:12 AM
Thanks, but this link just describes the vulnerability, at least right now. There does not seem to be any signature information.