Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 69
  • Last Modified:

Cisco buffer overflow vulnerability

Got an IPS alert that says " Telnet: Cisco Buffer Overflow Vulnerability (High)
Network Security Platform has detected a  "High (9)" attack.  
Attack type: Signature: telnet-cmd-too-long"

Can I correctly say:
a) if we don't have telnet service enabled on all our Cisco devices, then we're not
    vulnerable (even if telnet is enabled on some other legacy systems) ?
b) this only affects Cisco 676/677 devices, so if we don't have these devices in
     our environment, then we're not vulnerable

If I'm mistaken to make above 2 statements, do elaborate & explain
0
sunhux
Asked:
sunhux
  • 2
1 Solution
 
sunhuxAuthor Commented:
If we have PCs that do telnet to our AS400 servers, would this activity
trigger such alerts?
0
 
sunhuxAuthor Commented:
Correction:
> Cisco 676/677
   should be
Cisco 678/677

The other question is we don't always get this alert, so is it likely that this is triggered
by telnet  from a PC to the AS400 host?  Or someone issued a different telnet access
this time round?
0
 
Gary PattersonVP Technology / Senior Consultant Commented:
Your IPS observed some telnet traffic that matched the signature for "Telnet: Cisco Buffer Overflow Vulnerability".  IPS thinks there is a high probability that the traffic it saw was an attempt at a buffer overflow attack against whatever the target system was.

Is it possible it was a false alarm?  Yes.  But you shopuld assume it is a real attack until you can prove otherwise.  We'd need to know more, like see the specific packets involved to determine if it was a real attack or a false alarm.

What host was destination of this attack?  Was it your AS/400?  What was the source address of the problem packets?  Was it a host within your network, or an unknown outside host?

If you don't use Telnet anywhere in your network, then you don't have to worry about this attack or any other Telnet-related attacks.  But attackers don't tend to stop with just Telnet attacks - they tend to attack every open port or service they find - hoping to discover a vulnerable service.
0

Featured Post

Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now