Solved

Cisco buffer overflow vulnerability

Posted on 2016-07-17
Medium Priority
47 Views
Last Modified: 2016-07-18
Got an IPS alert that says:

> Telnet: Cisco Buffer Overflow Vulnerability (High)
> Network Security Platform has detected a "High (9)" attack.
> Attack type: Signature: telnet-cmd-too-long

Can I correctly say:
a) if we don't have the telnet service enabled on all our Cisco devices, then we're not vulnerable (even if telnet is enabled on some other legacy systems)?
b) this only affects Cisco 676/677 devices, so if we don't have these devices in our environment, then we're not vulnerable?

If I'm mistaken in making the above 2 statements, do elaborate & explain.
0
Comment
Question by:sunhux
3 Comments
Author Comment

by:sunhux
ID: 41715039
If we have PCs that do telnet to our AS400 servers, would this activity
trigger such alerts?
0
Author Comment

by:sunhux
ID: 41715040
Correction:
> Cisco 676/677
should be
> Cisco 678/677

The other question is that we don't always get this alert, so is it likely that this is triggered by telnet from a PC to the AS400 host? Or did someone issue a different telnet access this time round?
0
LVL 35

Accepted Solution

by: Gary Patterson (earned 2000 total points)
ID: 41716192
Your IPS observed some telnet traffic that matched the signature for "Telnet: Cisco Buffer Overflow Vulnerability".  IPS thinks there is a high probability that the traffic it saw was an attempt at a buffer overflow attack against whatever the target system was.

Is it possible it was a false alarm?  Yes.  But you should assume it is a real attack until you can prove otherwise.  We'd need to know more, like seeing the specific packets involved, to determine if it was a real attack or a false alarm.

What host was the destination of this attack?  Was it your AS/400?  What was the source address of the problem packets?  Was it a host within your network, or an unknown outside host?

If you don't use Telnet anywhere in your network, then you don't have to worry about this attack or any other Telnet-related attacks.  But attackers don't tend to stop with just Telnet attacks - they tend to attack every open port or service they find - hoping to discover a vulnerable service.
0
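The triage questions in the accepted answer (what was the destination, was Telnet expected there, was the source inside or outside the network) can be turned into a small ranking script. This is an added example, not code from the poster, the answerer or the IPS vendor; the alert records, the asset inventory, the internal address range and the field names are all constructed placeholders, since the real export format is not shown on the page.

```python
from ipaddress import ip_address, ip_network

# Constructed sample alerts shaped like the one quoted in the question
# (the real NSP export format is not on the page, so these fields are placeholders).
SAMPLE_ALERTS = [
    {"sig": "telnet-cmd-too-long", "src": "10.1.20.15",   "dst": "10.1.5.10", "dport": 23},
    {"sig": "telnet-cmd-too-long", "src": "203.0.113.44", "dst": "10.1.1.1",  "dport": 23},
    {"sig": "telnet-cmd-too-long", "src": "10.1.20.16",   "dst": "10.1.9.9",  "dport": 23},
]

# Hypothetical inventory: hosts that are expected to accept Telnet, and what they are.
TELNET_ASSETS = {
    "10.1.5.10": "AS/400 host (PC-to-host Telnet is expected)",
    "10.1.1.1":  "Cisco router with Telnet enabled",
}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed internal range


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of our own ranges."""
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def triage(alert: dict) -> tuple[str, str]:
    """Rank one alert with the answer's questions. Every outcome still calls for
    pulling the packets; this only orders the work, it does not clear an alert."""
    if alert["sig"] != "telnet-cmd-too-long" or alert["dport"] != 23:
        return ("other", "not the Telnet signature discussed here")
    role = TELNET_ASSETS.get(alert["dst"])
    if role is None:
        return ("high", "Telnet to a host not inventoried as a Telnet server: identify it first")
    if not is_internal(alert["src"]):
        return ("high", f"external source {alert['src']} hitting {role}")
    if "Cisco" in role:
        return ("high", f"internal source against {role}; the signature names Cisco as the target")
    return ("medium", f"internal source against {role}; check the command length in the capture")


def triage_all(alerts: list[dict]) -> list[tuple[str, str, str]]:
    """Return (priority, destination, reason) per alert, highest priority first."""
    order = {"high": 0, "medium": 1, "other": 2}
    rows = [(prio, a["dst"], why) for a in alerts for prio, why in [triage(a)]]
    return sorted(rows, key=lambda r: order[r[0]])


if __name__ == "__main__":
    for prio, dst, why in triage_all(SAMPLE_ALERTS):
        print(f"{prio:6} {dst:12} {why}")
```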