Patching for Cisco vulnerability

Daniel Roesen dr at cluenet.de
Fri Jul 18 19:57:57 UTC 2003


On Fri, Jul 18, 2003 at 03:31:25PM -0400, Jared Mauch wrote:
> > 12.0(21)S* (at least S5 and above) have broken SNMP interface counters
> > and Cisco refuses to fix the bug in 12.0(21)S*, so people who don't
> 
> 	Do you have a DDTS I can reference?

Not handy, but from cisco-nsp Archives I've found CSCea35259 and
CSCdy30984, and a reference to CSCea63754 which I can't take a look
at in BugToolkit.

Symptom: SNMP output octet counter stops counting traffic (except
some control plane traffic it seems), with every few days jumping
by weird amounts producing such funny things like 150mbps spikes on
a FE interface.

I've seen a box with a nicely loaded FE (30-70mbps) which took
(reproducibly) just about 48 hours to have this interface stop counting.
If this would have been a customer interface, it would have meant
"reload router every two nights or lose money".

This bug is supposed to be (finally) fixed in 12.0(25)S1.

Given that you a) don't want to lose money and b) don't want to
do two whole-network upgrades within a short time, going to 12.0(21)S7
to fix the vulnerability is no real option, so people are more or less
forced to put their networks on bigger risk by going from 12.0(21)S*
to (25)S1.


Regards,
Daniel
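A monitoring-side check for the symptom described above, as an added example that is not part of the original post: it walks a series of ifOutOctets samples and flags a counter that has stopped incrementing for several polls, and a jump that implies more bytes than the link could carry in the interval (the 150 Mbps spike on a FastEthernet interface), while still accepting a legitimate 32-bit counter wrap. The 60-second poll interval, the Counter32 assumption and the sample values are constructed for illustration.

```python
"""Sanity checks for SNMP ifOutOctets samples (constructed example)."""
from dataclasses import dataclass

COUNTER32_MAX = 2**32  # ifOutOctets is a 32-bit Counter


@dataclass
class Sample:
    ts: float     # poll time in seconds
    octets: int   # ifOutOctets value at that poll


def counter_delta(prev: int, cur: int) -> int:
    """Bytes sent between two Counter32 samples, allowing one wrap."""
    return (cur - prev) % COUNTER32_MAX


def check_counters(samples, if_speed_bps, stall_polls=3):
    """Return (timestamp, kind, mbps) anomalies for a sample series.

    if_speed_bps is the interface's ifSpeed (100_000_000 for FastEthernet).
    A delta larger than the link could move in the interval is reported as
    "implausible"; a counter unchanged for stall_polls consecutive polls is
    reported once as "stalled".
    """
    anomalies, zero_run = [], 0
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.ts - prev.ts
        if dt <= 0:                       # skip duplicate/out-of-order polls
            continue
        delta = counter_delta(prev.octets, cur.octets)
        mbps = delta * 8 / dt / 1e6
        if delta > if_speed_bps / 8 * dt:  # more bytes than the wire allows
            anomalies.append((cur.ts, "implausible", round(mbps, 1)))
        if delta == 0:
            zero_run += 1
            if zero_run == stall_polls:
                anomalies.append((cur.ts, "stalled", 0.0))
        else:
            zero_run = 0
    return anomalies


# Constructed 60-second polls on a FastEthernet port: ~40 Mbps with a
# legitimate wrap at t=60, a stall from t=180, then a bogus 150 Mbps jump.
SAMPLES = [
    Sample(0.0, 4_200_000_000), Sample(60.0, 205_032_704),
    Sample(120.0, 505_032_704), Sample(180.0, 505_032_704),
    Sample(240.0, 505_032_704), Sample(300.0, 505_032_704),
    Sample(360.0, 1_630_032_704),
]

if __name__ == "__main__":
    for ts, kind, mbps in check_counters(SAMPLES, 100_000_000):
        print(f"t={ts:.0f}s {kind} ({mbps} Mbps)")
```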


