SMS AND CISCO SWITCHES
SUBJECT TO DENIAL OF SERVICE ATTACKS

Reported August 24, 1998 by David LeBlanc and Alfred Jahn

VERSIONS AFFECTED

  • Systems Management Server 1.2
  • Cisco EtherSwitch 1211 and 1221

DESCRIPTION

System"s Management Server 1.2 (SMS) listens on UDP ports 1761 and 1762, as well as TCP port 7161. When a security scanning tool such as Security Administrator Tool for Analyzing Networks (SATAN) is used against such ports, SMS begins using memory rapidly, until memory saturation occurs. At this point, no other processes on the system may allocate memory, which leads to a general denial of service on the system.

The same condition occurs on Cisco 1200 series Etherswitches models 1211(10BaseF) and 1221(10BaseT) using software version 4.26 and hardware version 4.0 and 3.3. This apparently does not affect Cisco 5000 and 1900 Etherswitches or AGS+ routers.

SOLUTION

Microsoft"s Knowledge Base article (Q178748) states that there is a fix available, but we have yet to locate such a fix on their FTP site. A workaround for internally scanning your networks with tools such as SATAN is obviously not to scan the affected ports (UDP 1761 and 1762; and TCP 7161), and to disallow untrusted (Internet) inbound traffic on those ports at your border gateways as well.

Cisco has been informed of the condition -- no response known at this time.

To learn more about NT Security concerns, subscribe to NTSD

Credits
- Originally reported by Microsoft
- Posted on The NT Shop on August 24, 1998