CERT-In Advisory CIAD-2007-12
Cisco Catalyst 6000, 6500 Series, and Cisco 7600 Series NAM (Network Analysis Module) Vulnerability
Original issue date: March 05, 2007
Severity Rating: Medium
Systems Affected
- Catalyst 6000, 6500 series
- Cisco 7600 series
Overview
An attacker may use spoofed SNMP packets sent from the IP address of the NAM (Network Analysis Module) to gain complete control of the system.
Description
NAMs are installed in Catalyst 6000, 6500 series and Cisco 7600 series to monitor and analyze network traffic by using Remote Monitoring (RMON), RMON2, and other MIBs. NAMs communicate with the Catalyst system by using the Simple Network Management Protocol (SNMP). It has been reported that by spoofing the SNMP communication between the Catalyst system and the NAM, an attacker may obtain complete control of the Catalyst system. Devices running both Cisco IOS and Cisco CatOS are affected by this vulnerability. This vulnerability is reported in CatOS at 7.6(15) and 8.5(1). Older CatOS images are not vulnerable.
Workarounds
Filtering SNMP traffic to an affected device can be used as a mitigation. Anti-spoofing measures and infrastructure access-lists can also be deployed at your network edge as a potential mitigation technique.
Mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-air-20070228-nam.shtml
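The filtering and anti-spoofing checks described above can also be applied to flow or firewall logs to confirm that the mitigations are holding. The following Python code is an added example, not part of the CERT-In or Cisco advisory; every address, interface name and the log format are constructed, and it assumes legitimate NAM-to-switch SNMP is never seen on edge-facing interfaces.

```python
import ipaddress

# Constructed values for illustration; replace with your own addressing plan.
NAM_IP = ipaddress.ip_address("192.0.2.10")            # address assigned to the NAM
PROTECTED = {ipaddress.ip_address("192.0.2.1")}        # management address of the affected switch
MGMT_NETS = [ipaddress.ip_network("198.51.100.0/28")]  # authorised SNMP management stations
EDGE_IFACES = {"Gi1/1", "Gi1/2"}                       # interfaces facing untrusted networks
SNMP_PORT = 161

# Constructed flow records: "ingress_iface src_ip dst_ip proto dst_port"
SAMPLE_FLOWS = """\
Gi2/5 198.51.100.5 192.0.2.1 udp 161
Gi1/1 192.0.2.10 192.0.2.1 udp 161
Gi1/2 203.0.113.77 192.0.2.1 udp 161
Gi1/1 203.0.113.77 192.0.2.1 tcp 443
Gi2/5 192.0.2.10 192.0.2.1 udp 161
malformed line
"""

def classify(line):
    """Return (verdict, reason), or None if the record is not SNMP to a protected device."""
    parts = line.split()
    if len(parts) != 5:
        return ("error", "unparseable record")
    iface, src, dst, proto, port = parts
    try:
        src, dst, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
    except ValueError:
        return ("error", "unparseable record")
    if proto.lower() != "udp" or port != SNMP_PORT or dst not in PROTECTED:
        return None
    # Anti-spoofing check: the NAM's own address must never arrive from the edge.
    if src == NAM_IP and iface in EDGE_IFACES:
        return ("spoofed", "NAM source address seen on edge interface " + iface)
    # SNMP filtering check: only the NAM and management stations may send SNMP.
    if src != NAM_IP and not any(src in net for net in MGMT_NETS):
        return ("unauthorised", "SNMP from " + str(src) + " outside management networks")
    return ("ok", "permitted SNMP source")

def audit(text):
    """Return (line, verdict, reason) for every record that is not clean."""
    findings = []
    for line in text.splitlines():
        result = classify(line)
        if result and result[0] != "ok":
            findings.append((line, *result))
    return findings

if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:12} {reason:60} <- {line}")
```

A "spoofed" or "unauthorised" finding means the corresponding packet reached the device's segment and the edge filters should be reviewed.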
Vendor Information
Cisco
http://www.cisco.com/warp/public/707/cisco-air-20070228-nam.shtml
References
CIAC
http://www.ciac.org/ciac/bulletins/r-166.shtml
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
