S-298: Cisco IOS Secure Shell Denial of Service Vulnerabilities
The Secure Shell server (SSH) implementation in Cisco IOS contains multiple vulnerabilities that allow unauthenticated users the ability to generate a spurious memory access error or, in certain cases, reload the device. The risk is LOW. Successful exploitation of these vulnerabilities may result in a spurious memory access or, in certain cases, reload the device potentially resulting in a DoS condition.
I'm trying to write a login script to ssh into a cisco switch that will run some command remotely. Similar to this expect script located here:
SSH login expect shell script to supply username and password
However, that script does not work with cisco ios. Anyway know what the best way to... (1 Reply)
Smokeping_probes_CiscoRTTMonDNS(3) SmokePing Smokeping_probes_CiscoRTTMonDNS(3)NAME
Smokeping::probes::CiscoRTTMonDNS.pm - Probe for SmokePing
SYNOPSIS
*** Probes ***
+CiscoRTTMonDNS
forks = 5
offset = 50%
step = 300
timeout = 15
# The following variables can be overridden in each target section
ioshost = RTTcommunity@Myrouter.foobar.com.au # mandatory
iosint = 10.33.22.11
name = www.foobar.com.au # mandatory
pings = 5
timeout = 15
# [...]
*** Targets ***
probe = CiscoRTTMonDNS # if this should be the default probe
# [...]
+ mytarget
# probe = CiscoRTTMonDNS # if the default probe is something else
host = my.host
ioshost = RTTcommunity@Myrouter.foobar.com.au # mandatory
iosint = 10.33.22.11
name = www.foobar.com.au # mandatory
pings = 5
timeout = 15
DESCRIPTION
A probe for smokeping, which uses the ciscoRttMon MIB functionality ("Service Assurance Agent", "SAA") of Cisco IOS to time ( recursive,
type A) DNS queries to a DNS server.
VARIABLES
Supported probe-specific variables:
forks
Run this many concurrent processes at maximum
Example value: 5
Default value: 5
offset
If you run many probes concurrently you may want to prevent them from hitting your network all at the same time. Using the probe-
specific offset parameter you can change the point in time when each probe will be run. Offset is specified in % of total interval, or
alternatively as 'random', and the offset from the 'General' section is used if nothing is specified here. Note that this does NOT
influence the rrds itself, it is just a matter of when data acqusition is initiated. (This variable is only applicable if the variable
'concurrentprobes' is set in the 'General' section.)
Example value: 50%
step
Duration of the base interval that this probe should use, if different from the one specified in the 'Database' section. Note that the
step in the RRD files is fixed when they are originally generated, and if you change the step parameter afterwards, you'll have to
delete the old RRD files or somehow convert them. (This variable is only applicable if the variable 'concurrentprobes' is set in the
'General' section.)
Example value: 300
timeout
How long a single 'ping' takes at maximum
Example value: 15
Default value: 5
Supported target-specific variables:
ioshost
The (mandatory) ioshost parameter specifies the Cisco router, which will send the DNS requests, as well as the SNMP community string on
the router.
Example value: RTTcommunity@Myrouter.foobar.com.au
This setting is mandatory.
iosint
The (optional) iosint parameter is the source address for the DNS packets. This should be one of the active (!) IP addresses of the
router to get results. IOS looks up the target host address in the forwarding table and then uses the interface(s) listed there to send
the DNS packets. By default IOS uses the (primary) IP address on the sending interface as source address for packets originated by the
router.
Example value: 10.33.22.11
name
The (mandatory) name parameter is the DNS name to resolve.
Example value: www.foobar.com.au
This setting is mandatory.
pings
How many pings should be sent to each target, if different from the global value specified in the Database section. Note that the
number of pings in the RRD files is fixed when they are originally generated, and if you change this parameter afterwards, you'll have
to delete the old RRD files or somehow convert them.
Example value: 5
timeout
How long a single RTTMonDNS 'ping' take at maximum plus 10 seconds to spare. Since we control our own timeout the only purpose of this
is to not have us killed by the ping method from basefork.
Example value: 15
Default value: 15
AUTHORS
Joerg.Kummer at Roche.com
NOTES
host parameter
The host parameter specifies the DNS server, which the router will use.
IOS VERSIONS
This probe only works with IOS 12.0(3)T or higher. It is recommended to test it on less critical routers first.
INSTALLATION
To install this probe copy ciscoRttMonMIB.pm to ($SMOKEPINGINSTALLDIR)/lib/Smokeping and CiscoRTTMonDNS.pm to
($SMOKEPINGINSTALLDIR)/lib/Smokeping/probes.
The router(s) must be configured to allow read/write SNMP access. Sufficient is:
snmp-server community RTTCommunity RW
If you want to be a bit more restrictive with SNMP write access to the router, then consider configuring something like this
access-list 2 permit 10.37.3.5
snmp-server view RttMon ciscoRttMonMIB included
snmp-server community RTTCommunity view RttMon RW 2
The above configuration grants SNMP read-write only to 10.37.3.5 (the smokeping host) and only to the ciscoRttMon MIB tree. The probe does
not need access to SNMP variables outside the RttMon tree.
BUGS
The probe does unnecessary DNS queries, i.e. more than configured in the "pings" variable, because the RTTMon MIB only allows to set a
total time for all queries in one measurement run (one "life"). Currently the probe sets the life duration to "pings"*5+3 seconds (5 secs
is the timeout value hardcoded into this probe).
SEE ALSO
<http://oss.oetiker.ch/smokeping/>
<http://www.switch.ch/misc/leinen/snmp/perl/>
The best source for background info on SAA is Cisco's documentation on <http://www.cisco.com> and the CISCO-RTTMON-MIB documentation, which
is available at:
ftp://ftp.cisco.com/pub/mibs/v2/CISCO-RTTMON-MIB.my <ftp://ftp.cisco.com/pub/mibs/v2/CISCO-RTTMON-MIB.my>
2.6.8 2013-03-17 Smokeping_probes_CiscoRTTMonDNS(3)