Field Notice: *Expired* FN - 15269 - Cisco Secure Intrusion Detection System Sensor Hard Disk Corruption


Revised October 20, 2006

September 26, 2001

NOTICE:

THIS FIELD NOTICE HAS BEEN ARCHIVED AND IS NO LONGER MAINTAINED OR UPDATED BY CISCO.

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE, WARRANTY OR SUPPORT. USE OF THE INFORMATION ON THIS FIELD NOTICE OR MATERIALS LINKED FROM THIS FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Products Affected

Product: Cisco Secure Intrusion Detection System Sensor Software
Comments: Version 3.0, including all signature and service pack levels

Problem Description

Cisco Secure Intrusion Detection System Sensors running software version 3.0 are prone to hard disk corruption when the shutdown command is executed. All version 3.0 signature and service pack levels (for example 3.0(1)S8) are affected.

Background

When the shutdown command is executed, it makes a call to the RPC service. The RPC service is disabled in sensor software release version 3.0 to enhance the security of the sensor. When the shutdown call to the RPC service fails, it generates an error message and halts. This causes the sensor to improperly prepare for powering down, and may lead to disk corruption when the sensor is powered off.

Problem Symptoms

If a user executes the shutdown command via a Telnet session or a standard terminal session, the session terminates when the sensor enters single user mode.

#shutdown
Shutdown started.    Tue Sep 18 17:14:08 CDT 2001

Broadcast Message from root (term/a) on PERF-YS01 Tue Sep 18 17:14:09...
The system PERF-YS01 will be shut down in 1 minute  

showmount: PERF-YS01: RPC: Rpcbind failure - RPC: Unable to receive
Broadcast Message from root (term/a) on PERF-YS01 Tue Sep 18 17:14:39...
The system PERF-YS01 will be shut down in 30 seconds 

showmount: PERF-YS01: RPC: Rpcbind failure - RPC: Unable to receive
Do you want to continue? (y or n):   y
Broadcast Message from root (term/a) on PERF-YS01 Tue Sep 18 17:15:43...
THE SYSTEM PERF-YS01 IS BEING SHUT DOWN NOW ! ! !
Log off now or risk your files being damaged 

showmount: PERF-YS01: RPC: Rpcbind failure - RPC: Unable to receive
Changing to init state s - please wait
# 
INIT: New run level: S 

# 
INIT: SINGLE USER MODE

At this point it is no longer possible to telnet or open a standard terminal session into the console. A terminal session with console redirect enabled or a console session via a direct keyboard and monitor hooked up to the sensor must be used to log back into the sensor.

If a user executes the shutdown command via a terminal session with console redirect enabled or a console session via a direct keyboard and monitor hooked up to the sensor, the user will be logged out when the sensor enters single user mode:

#shutdown
Shutdown started.    Tue Sep 18 17:31:11 CDT 2001 

Broadcast Message from root (term/a) on PERF-YS01 Tue Sep 18 17:31:12...
The system PERF-YS01 will be shut down in 1 minute  

showmount: PERF-YS01: RPC: Rpcbind failure - RPC: Unable to receive
Broadcast Message from root (term/a) on PERF-YS01 Tue Sep 18 17:31:42...
The system PERF-YS01 will be shut down in 30 seconds 

showmount: PERF-YS01: RPC: Rpcbind failure - RPC: Unable to receive
Do you want to continue? (y or n):   y
Broadcast Message from root (term/a) on PERF-YS01 Tue Sep 18 17:32:08...
THE SYSTEM PERF-YS01 IS BEING SHUT DOWN NOW ! ! !
Log off now or risk your files being damaged 

showmount: PERF-YS01: RPC: Rpcbind failure - RPC: Unable to receive
Changing to init state s - please wait 

****    SYSCON CHANGED TO /dev/term/a   ****
# 
# INIT: New run level: S
The system is coming down for administration.  Please wait.
Unmounting remote filesystems: done.
Killing user processes: done. 

INIT: SINGLE USER MODE 

Type control-d to proceed with normal startup,
(or give root password for system maintenance):

At this point it is possible to log back into the console by entering Control-d.

If the sensor is powered down at this point, the system is not fully prepared, and the hard disk may become corrupted. Follow the instructions in the Workaround/Solution section to prevent corruption before a manual power down, or to recover from corruption if a manual power down has already occurred.

Workaround/Solution

Prevention of Corruption

Upgrading to software release 3.1 or higher corrects this issue.

The following two commands may be executed in order to prevent the shutdown command from failing:

#chmod 444 /usr/sbin/rwall
#chmod 444 /usr/sbin/showmount

Both rwall and showmount require RPC to run, and therefore will not function correctly under the CSIDS 3.0(x)Sx appliance software. The shutdown command checks to make sure these files are executable before attempting to run them. Changing the permissions on the files will prevent shutdown from running them, and therefore prevent the error messages and failure. These commands need only be executed once per affected sensor.
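
The workaround above, written as an idempotent audit-and-apply script. This is an added example, not code from Cisco's notice; the function names and the optional root-prefix argument are assumptions introduced here so the check can be run against a scratch directory tree.

```sh
#!/bin/sh
# Added example (not Cisco's code): audit and apply the field notice's
# chmod 444 workaround. The optional ROOT argument is an assumption added
# here so the logic can be exercised against a scratch directory tree.

RPC_HELPERS="usr/sbin/rwall usr/sbin/showmount"

# helper_state ROOT RELPATH: print missing, executable or disabled.
# Uses test -x, an executable check of the kind the notice says shutdown
# performs before running each helper.
helper_state() {
    if [ ! -e "$1/$2" ]; then
        echo missing
    elif [ -x "$1/$2" ]; then
        echo executable
    else
        echo disabled
    fi
}

# audit_workaround [ROOT]: report each helper; return 1 if any is still
# executable (shutdown would call it and hit the RPC failure).
audit_workaround() {
    audit_rc=0
    for rel in $RPC_HELPERS; do
        state=$(helper_state "${1:-}" "$rel")
        echo "/$rel: $state"
        if [ "$state" = executable ]; then audit_rc=1; fi
    done
    return $audit_rc
}

# apply_workaround [ROOT]: chmod 444 only the helpers that need it, then
# re-audit so the exit status reflects the final state.
apply_workaround() {
    for rel in $RPC_HELPERS; do
        if [ "$(helper_state "${1:-}" "$rel")" = executable ]; then
            chmod 444 "${1:-}/$rel" || return 2
        fi
    done
    audit_workaround "${1:-}"
}

# Stand-alone use: "sh script audit" or "sh script apply" (run as root).
case "${1:-}" in
    audit) audit_workaround "${2:-}" ;;
    apply) apply_workaround "${2:-}" ;;
esac
```

The audit exits non-zero while either helper is still executable, so it can serve as a pre-shutdown check on each version 3.0 sensor.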

If Corruption Has Already Taken Place

If the sensor has been powered off without the use of init 0, then the hard disk will likely be corrupted in the process. The fsck system utility will automatically run at next boot time in order to attempt to repair the hard disk. Its activity will only be visible from a terminal session with console redirect or a console session via a direct keyboard and monitor hooked up to the sensor.

In case of light corruption, fsck may be able to automatically repair the disk and return the sensor to normal operation. In case of severe corruption, the automatic execution of fsck may fail to repair the disk. fsck may be run manually again from the root account, but if this fails to repair the disk then a sensor recovery is required. Follow the instructions located in the Upgrading or Recovering Sensors section of the IDS 3.0 documentation to recover your sensor.

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS: CSCdv25149
Description: Upgrade to version 3.0(1)S4 failed

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
