Field Notice: *Expired* FN - 15269 - Cisco Secure Intrusion Detection System Sensor Hard Disk Corruption
Available Languages
Revised October 20, 2006
September 26, 2001
NOTICE:
THIS FIELD NOTICE HAS BEEN ARCHIVED AND IS NO LONGER MAINTAINED OR UPDATED BY CISCO.
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE, WARRANTY OR SUPPORT. USE OF THE INFORMATION ON THIS FIELD NOTICE OR MATERIALS LINKED FROM THIS FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Products Affected
| Product |
Comments |
|---|---|
| Cisco Secure Intrusion Detection System Sensor Software |
Version 3.0, including all signature and service pack levels |
Problem Description
Cisco Secure Intrusion Detection Systems Sensors running software version 3.0 are prone to hard disk corruption when the shutdown command is executed. All version 3.0 signature and service pack levels (for example 3.0(1)S8) are affected.
Background
When the shutdown command is executed, it makes a call to the RPC service. The RPC service is disabled in sensor software release version 3.0 to enhance the security of the sensor. When the shutdown call to the RPC service fails, it generates an error message and halts. This causes the sensor to improperly prepare for powering down, and may lead to disk corruption when the sensor is powered off.
Problem Symptoms
If a user executes the shutdown command via a telnet or a standard terminal session, the session terminates when the sensor enters single user mode.
#shutdown Shutdown started. Tue Sep 18 17:14:08 CDT 2001Broadcast Message from root (term/a) on PERF-YS01 Tue Sep 18 17:14:09... The system PERF-YS01 will be shut down in 1 minute showmount: PERF-YS01: RPC: Rpcbind failure - RPC: Unable to receive Broadcast Message from root (term/a) on PERF-YS01 Tue Sep 18 17:14:39... The system PERF-YS01 will be shut down in 30 seconds showmount: PERF-YS01: RPC: Rpcbind failure - RPC: Unable to receive Do you want to continue? (y or n): y Broadcast Message from root (term/a) on PERF-YS01 Tue Sep 18 17:15:43... THE SYSTEM PERF-YS01 IS BEING SHUT DOWN NOW ! ! ! Log off now or risk your files being damaged showmount: PERF-YS01: RPC: Rpcbind failure - RPC: Unable to receive Changing to init state s - please wait # INIT: New run level: S # INIT: SINGLE USER MODE
At this point it is no longer possible to telnet or open a standard terminal session into the console. A terminal session with console redirect enabled or a console session via a direct keyboard and monitor hooked up to the sensor must be used to log back into the sensor.
If a user executes the shutdown command via a terminal session with console redirect enabled or a console session via a direct keyboard and monitor hooked up to the sensor, the user will be logged out when the sensor enters single user mode:
#shutdown Shutdown started. Tue Sep 18 17:31:11 CDT 2001 Broadcast Message from root (term/a) on PERF-YS01 Tue Sep 18 17:31:12... The system PERF-YS01 will be shut down in 1 minute showmount: PERF-YS01: RPC: Rpcbind failure - RPC: Unable to receive Broadcast Message from root (term/a) on PERF-YS01 Tue Sep 18 17:31:42... The system PERF-YS01 will be shut down in 30 seconds showmount: PERF-YS01: RPC: Rpcbind failure - RPC: Unable to receive Do you want to continue? (y or n): y Broadcast Message from root (term/a) on PERF-YS01 Tue Sep 18 17:32:08... THE SYSTEM PERF-YS01 IS BEING SHUT DOWN NOW ! ! ! Log off now or risk your files being damaged showmount: PERF-YS01: RPC: Rpcbind failure - RPC: Unable to receive Changing to init state s - please wait **** SYSCON CHANGED TO /dev/term/a **** # # INIT: New run level: S The system is coming down for administration. Please wait. Unmounting remote filesystems: done. Killing user processes: done. INIT: SINGLE USER MODE Type control-d to proceed with normal startup, (or give root password for system maintenance):
At this point it is possible to log back into the console by entering Control-d.
If the sensor is powered down at this point, the system is not fully prepared, and the hard disk may become corrupted. Follow the instructions in the Workaround/Solution section to prevent corruption before a manual power down, or to recover from corruption if a manual power down has already occurred.
Workaround/Solution
Prevention of Corruption
Upgrading to software release 3.1 or higher corrects this issue.
The following two commands may be executed in order to prevent the shutdown command from failing:
#chmod 444 /usr/sbin/rwall #chmod 444 /usr/sbin/showmount
Both rwall and showmount require RPC to run, and therefore will not function correctly under the CSIDS 3.0(x)Sx appliance software. The shutdown command checks to make sure these files are executable before attempting to run them. Changing the permissions on the files will prevent shutdown from running them, and therefore prevent the error messages and failure. These commands need only be executed once per affected sensor.
If Corruption Has Already Taken Place
If the sensor has been powered off without the use of init 0, then the hard disk will likely be corrupted in the process. The fsck system utility will automatically run at next boot time in order to attempt to repair the hard disk. Its activity will only be visible from a terminal session with console redirect or a console session via a direct keyboard and monitor hooked up to the sensor.
In case of light corruption, fsck may be able to automatically repair the disk and return the sensor to normal operation. In case of severe corruption, the automatic execution of fsck may fail to repair the disk. fsck may be run manually again from the root account, but if this fails to repair the disk then a sensor recovery is required. Follow the instructions located in the Upgrading or Recovering Sensors section of the IDS 3.0 documentation to recover your sensor.
DDTS
To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.
| DDTS |
Description |
|---|---|
| Upgrade to version 3.0(1)S4 failed |
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.
Feedback