North American Network Operators Group
Re: Patching for Cisco vulnerability
--On Friday, July 18, 2003 21:57:57 +0200 Daniel Roesen <[email protected]> wrote:

> On Fri, Jul 18, 2003 at 03:31:25PM -0400, Jared Mauch wrote:
> > > 12.0(21)S* (at least S5 and above) have broken SNMP interface counters
> > > and Cisco refuses to fix the bug in 12.0(21)S*, so people who don't
> >
> > Do you have a DDTS I can reference?
>
> Not handy, but from cisco-nsp Archives I've found CSCea35259 and
> CSCdy30984, and a reference to CSCea63754 which I can't take a look at
> in BugToolkit.
>
> Symptom: SNMP output octet counter stops counting traffic (except some
> control plane traffic it seems), with every few days jumping by weird
> amounts producing such funny things like 150 Mbps spikes on a FE
> interface. I've seen a box with a nicely loaded FE (30-70 Mbps) which
> took (reproducibly) just about 48 hours to have this interface stop
> counting. If this would have been a customer interface, it would have
> meant "reload router every two nights or lose money".
>
> This bug is supposed to be (finally) fixed in 12.0(25)S1. Given that
> you a) don't want to lose money and b) don't want to do two
> whole-network upgrades within a short time, going to 12.0(21)S7 to fix
> the vulnerability is no real option, so people are more or less forced
> to put their networks on bigger risk by going from 12.0(21)S* to
> (25)S1.
I'm running 12.0(25.2)S, and it has the bug REALLY squashed.

LER
--
Larry Rosenman                      http://www.lerctr.org/~ler
Phone: +1 972-414-9812              E-Mail: [email protected]
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749
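The symptom Daniel describes (an ifOutOctets counter that stops incrementing under load, then jumps by an amount that implies a rate above the interface's line speed) is something a poller can flag on its own rather than waiting for someone to notice a 150 Mbps spike on a FastEthernet graph. The script below is an added example written for this archive page; it is not from the thread, from Cisco, or from any particular NMS. It takes a series of (timestamp, ifOutOctets) polls for one interface, handles the 32-bit counter wrap, and reports two findings: a run of zero-delta intervals on an interface that is known to carry traffic, and any interval whose computed rate exceeds ifSpeed. The poll data and the three-interval stall threshold are constructed assumptions, not values from the post.

```python
"""
Sanity check for SNMP ifOutOctets samples (added example, not from the
NANOG post). Flags (a) a counter that stops counting for several polls
and (b) per-interval rates that exceed the interface speed, both of which
are symptoms of a broken counter rather than real traffic.
"""

COUNTER32_MAX = 2 ** 32          # ifOutOctets is a 32-bit wrapping counter
FE_SPEED_BPS = 100_000_000       # ifSpeed of a FastEthernet interface

# Constructed sample: 60-second polls of ifOutOctets on a FastEthernet port.
# Intervals 1-2 run at 50 Mbps (and cross the 32-bit wrap), intervals 3-5
# show the counter stuck, and interval 6 "jumps" by enough octets to
# imply 150 Mbps on a 100 Mbps port.
SAMPLE_POLLS = [
    (0,   4_000_000_000),
    (60,     80_032_704),   # +375,000,000 octets after wrapping past 2**32
    (120,   455_032_704),   # +375,000,000 octets
    (180,   455_032_704),   # no change
    (240,   455_032_704),   # no change
    (300,   455_032_704),   # no change -> stall
    (360, 1_580_032_704),   # +1,125,000,000 octets -> 150 Mbps, impossible
]


def counter_delta(prev, cur, width=COUNTER32_MAX):
    """Octets counted between two readings, allowing for one counter wrap."""
    return cur - prev if cur >= prev else cur + width - prev


def check_counter_series(samples, if_speed_bps, stall_intervals=3):
    """
    samples: list of (timestamp_seconds, ifOutOctets) from a poller.
    if_speed_bps: the interface's ifSpeed in bit/s.
    stall_intervals: consecutive zero-delta intervals before reporting
        a stall (assumed threshold; tune to the interface's normal load).

    Returns (rates, findings): rates is the bit/s rate of each interval,
    findings is a list of (kind, interval_index, rate_bps) tuples.
    """
    rates = []
    findings = []
    zero_run = 0
    for i in range(1, len(samples)):
        t0, c0 = samples[i - 1]
        t1, c1 = samples[i]
        dt = t1 - t0
        if dt <= 0:
            raise ValueError("timestamps must increase between polls")
        rate = counter_delta(c0, c1) * 8 / dt
        rates.append(rate)
        # A rate above line speed cannot be real traffic; it is the
        # counter "jumping by weird amounts" described in the thread.
        if rate > if_speed_bps:
            findings.append(("implausible_rate", i, rate))
        # A counter frozen for several polls on a loaded interface is the
        # "stops counting" symptom; report once when the run reaches the limit.
        if rate == 0:
            zero_run += 1
            if zero_run == stall_intervals:
                findings.append(("counter_stalled", i, rate))
        else:
            zero_run = 0
    return rates, findings


if __name__ == "__main__":
    rates, findings = check_counter_series(SAMPLE_POLLS, FE_SPEED_BPS)
    for i, r in enumerate(rates, start=1):
        print(f"interval {i}: {r / 1e6:.1f} Mbps")
    for kind, i, r in findings:
        print(f"FINDING: {kind} at interval {i} ({r / 1e6:.1f} Mbps)")
```

Note that at 300-second polling the same 150 Mbps jump would wrap a 32-bit counter more than once and be silently under-reported, so the wrap arithmetic only holds when the poll interval is short enough for one wrap at line rate; polling the 64-bit ifHCOutOctets, where the platform supports it, removes that constraint.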