US-CERT
Vulnerability Notes Database
Vulnerability Note VU#472412

Cisco Catalyst Systems with a NAM may allow system access via spoofing the SNMP communication

Overview

A vulnerability in Cisco Catalyst Systems that have a Network Analysis Module (NAM) installed may allow a remote, unauthenticated attacker to gain complete control of the device.

I. Description

Cisco Catalyst 6000, 6500, and Cisco 7600 series switches may utilize Cisco's NAM to monitor and analyze network traffic using Management Information Bases (MIBs). Cisco Catalyst 6000, 6500 and Cisco 7600 series switches that have a NAM installed contain a vulnerability in the way SNMP packets are handled. According to Cisco Security Advisory: cisco-sa-20070228-nam:

    NAMs communicate with the Catalyst system by using the Simple Network Management Protocol (SNMP). By spoofing the SNMP communication between the Catalyst system and the NAM an attacker may obtain complete control of the Catalyst system.


Note that only Cisco Catalyst 6000, 6500 and Cisco 7600 series systems with a NAM installed are affected by this issue. According to Cisco, none of their other products, including the Network Analysis Modules for Cisco Branch Routers (NM-NAM), are affected by this issue.

II. Impact

By successfully exploiting this vulnerability, an attacker may gain complete control of the device.

III. Solution

Upgrade

See the Software Version and Fixes section of Cisco Security Advisory: cisco-sa-20070228-nam for information on available upgrades.


Filter SNMP traffic

This vulnerability can be mitigated by filtering SNMP traffic from the IP address of the NAM to an affected device. Filters cannot be applied to the affected device itself; to be effective, they must be applied to systems that are deployed in front of it.
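The following is an added example, not part of the original note or of Cisco's guidance: it applies the filter condition described above (SNMP from the NAM's IP address to the affected device) to flow records exported by a device deployed in front of the switch, to show which packets the filter would drop. The addresses, the record layout and the treatment of UDP ports 161 and 162 as "SNMP traffic" are assumptions made for the example; the sample records are constructed.

```python
import csv
import io
from ipaddress import ip_address

# Assumed placeholder addresses (documentation range); substitute your own.
NAM_IP = ip_address("192.0.2.10")    # management IP of the NAM
SWITCH_IP = ip_address("192.0.2.1")  # affected Catalyst 6000/6500 or 7600 system
SNMP_PORTS = {161, 162}              # IANA SNMP and SNMP trap ports (assumed scope)

# Constructed sample flow export from a device in front of the switch.
# Layout (assumed): time,ingress_if,src,dst,proto,dport
SAMPLE_FLOWS = """\
2007-03-02T10:00:01,uplink1,192.0.2.10,192.0.2.1,udp,161
2007-03-02T10:00:02,uplink1,198.51.100.7,192.0.2.1,udp,161
2007-03-02T10:00:03,uplink1,192.0.2.10,192.0.2.1,tcp,443
2007-03-02T10:00:04,uplink2,192.0.2.10,192.0.2.1,udp,162
2007-03-02T10:00:05,uplink1,192.0.2.10,192.0.2.99,udp,161
"""

def should_filter(src, dst, proto, dport):
    """True when a packet matches the mitigation: SNMP from the NAM's IP to the switch."""
    return (ip_address(src) == NAM_IP and ip_address(dst) == SWITCH_IP
            and proto.lower() == "udp" and int(dport) in SNMP_PORTS)

def find_spoofed_snmp(flow_text):
    """Return (time, ingress_if) for each record the upstream filter would drop."""
    hits = []
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        when, ingress, src, dst, proto, dport = row
        try:
            if should_filter(src, dst, proto, dport):
                hits.append((when, ingress))
        except ValueError:
            continue  # unparsable address or port
    return hits

if __name__ == "__main__":
    for when, ingress in find_spoofed_snmp(SAMPLE_FLOWS):
        print(f"{when} NAM-sourced SNMP to switch seen on {ingress}")
```

Any hit on an upstream interface is worth investigating, on the assumption that the NAM sits inside the chassis and its SNMP exchange with the switch should never arrive from outside.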

Apply an access control list

Users who are unable to upgrade should apply an access control list (ACL) on the vulnerable device to restrict access to trusted management systems. Details on creating and uploading an ACL can be found in Cisco's Protecting Your Core document.


More details on these and additional workarounds can be found in the Cisco Applied Intelligence companion document for this advisory.

Systems Affected

Vendor    Status    Date Notified    Date Updated
Cisco Systems, Inc.    Vulnerable    2-Mar-2007

References


http://www.cisco.com/warp/public/707/cisco-sa-20070228-nam.shtml
http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080394e09.html
http://www.cisco.com/warp/public/707/cisco-air-20070228-nam.shtml
http://secunia.com/advisories/24344/
http://securitytracker.com/alerts/2007/Feb/1017710.html

Credit

This vulnerability was reported in Cisco Security Advisory: cisco-sa-20070228-nam.

This document was written by Chris Taschner.

Other Information

Date Public: 2007-02-28
Date First Published: 2007-03-02
Date Last Updated: 2007-03-22
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric: 9.37
Document Revision: 20

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Produced 2007 by US-CERT, a government organization