The Simple Network Management Protocol (SNMP) defines a standard
mechanism for remote management and monitoring of devices in an Internet
Protocol (IP) network. A device or host that supports SNMP is an SNMP entity.
There are two classes of SNMP entities: SNMP managers that request information
and receive unsolicited messages and SNMP agents that respond to requests and
send unsolicited messages. SNMP entities that support SNMP proxy functions
combine the functions of both SNMP manager and SNMP agent.
There are two classes of SNMP operations: solicited operations such as
'get' or 'set', with which the SNMP manager requests or changes the value of a
managed object on an SNMP agent; and unsolicited operations such as 'trap' or
'inform' messages with which the SNMP agent provides an unsolicited
notification or alarm message to the SNMP manager. The 'inform' operation is
essentially an acknowledged 'trap'.
All SNMP operations are transported over the User Datagram Protocol
(UDP). Solicited operations are sent by the SNMP manager to the UDP destination
port 161 on the agent. Unsolicited operations are sent by the SNMP agent to the
UDP destination port 162. In IOS, the acknowledgement sent by the SNMP manager
to an SNMP agent in reply to an 'inform' operation is sent to a randomly chosen
high port that is chosen when the SNMP process is started.
As IOS implements both an SNMP agent and SNMP proxy functionality, the
SNMP process in IOS starts listening for SNMP operations on UDP ports 161, 162
and the random UDP port at the time it is initialized. The SNMP process is
started either at the time the device boots, or when SNMP is configured.
The high port is chosen via the following series of steps:
  1. A random number between 49152 and 59152 is
  2. IOS checks to see if that UDP port is already being used. If not,
     that UDP port is selected to receive SNMP 'inform' acknowledge
  3. If the port is already in use, IOS increments the port number by 1,
     and checks again, incrementing until an open port is
Therefore, the port chosen may be higher than 59152 although this is
In this vulnerability, the IOS SNMP process is incorrectly attempting
to process SNMP solicited operations on UDP port 162 and the random UDP port.
Upon attempting to process a solicited SNMP operation on one of those ports,
the device can experience memory corruption and may reload.
SNMPv1 and SNMPv2c solicited operations to the vulnerable ports will
perform an authentication check against the SNMP community string, which may be
used to mitigate attacks. Through best practices of hard-to-guess community
strings and community string ACLs, this vulnerability may be mitigated for both
SNMPv1 and SNMPv2c. However, any SNMPv3 solicited operation to the vulnerable
ports will reset the device. If configured for SNMP, all affected versions will
process SNMP version 1, 2c and 3 operations.
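
The condition described above (solicited operations arriving on UDP port 162 or the high port rather than 161) can be checked for in captured traffic. The following is an added example, not code from the advisory or from Cisco: the function names, the verdict strings and the sample bytes are constructed for illustration, and because the high port is not fixed, every destination port other than 161 is treated alike.

```python
# Added example (not Cisco code): flag solicited SNMP PDUs sent to any port but UDP/161.
SOLICITED = {0xA0: "get", 0xA1: "get-next", 0xA3: "set", 0xA5: "get-bulk"}

def _tlv(buf, off):
    """Read one BER TLV at off; return (tag, value_start, value_end)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, off, off + length

def classify(payload, dst_port):
    """Return a verdict string for one UDP payload addressed to dst_port."""
    try:
        tag, start, _ = _tlv(payload, 0)    # outer SEQUENCE
        vtag, vs, ve = _tlv(payload, start) # version INTEGER
        if tag != 0x30 or vtag != 0x02:
            return "not-snmp"
        if int.from_bytes(payload[vs:ve], "big") == 3:
            # The SNMPv3 scopedPDU may be encrypted, so the PDU type is not
            # always visible; anything off port 161 is handed to an analyst.
            return "ok" if dst_port == 161 else "review: SNMPv3 to non-161 port"
        ctag, _, ce = _tlv(payload, ve)     # v1/v2c community OCTET STRING
        if ctag != 0x04:
            return "not-snmp"
        pdu_tag = payload[ce]               # context tag identifies the operation
    except (IndexError, ValueError):
        return "malformed"
    op = SOLICITED.get(pdu_tag)
    if op and dst_port != 161:
        return f"alert: solicited {op} to UDP/{dst_port}"
    return "ok"

# Constructed sample: SNMPv2c GetRequest, community "public", sysDescr.0.
SAMPLE_GET = bytes.fromhex(
    "30260201010406" "7075626c6963" "a019020101020100020100"
    "300e300c06082b060102010101000500")
SAMPLE_INFORM = SAMPLE_GET[:13] + b"\xa6" + SAMPLE_GET[14:]  # same body, InformRequest tag

if __name__ == "__main__":
    for pkt, port in [(SAMPLE_GET, 161), (SAMPLE_GET, 162),
                      (SAMPLE_GET, 49500), (SAMPLE_INFORM, 162)]:
        print(port, classify(pkt, port))
```
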
This vulnerability was introduced by DDTS CSCeb22276 and has been
corrected with DDTS CSCed68575.