We ran into this on 3750Xs back in July.
Sometimes we saw this:
%PLATFORM-1-CRASHED: Debug Exception (Could be NULL pointer dereference)
Exception (0x2000)!
c.f.: https://lists.gt.net/cisco/nsp/197344
There are links to Cisco's "response" on the matter ...
On 3/16/18 2:27 PM, Nick Cutting wrote:
I'm reasonably certain it was exploited - the last MSG is related to the bug.
"Stack for process SMI IBC server process running low"
-----Original Message-----
From: Brandon Applegate [mailto:[email protected]]
Sent: Friday, March 16, 2018 2:28 PM
To: Nick Cutting <[email protected]>
Cc: cisco-nsp mailing list <[email protected]>
Subject: Re: [c-nsp] many 2960-X rebooting today
On Mar 16, 2018, at 2:08 PM, Nick Cutting <[email protected]> wrote:
Thanks, we have disabled this now - it is in our new build script; these were
rolled out a few months ago.
I guess there is no way of seeing if this exploit was executed, perhaps in the
crashdump somewhere?
I’m struggling to remember. I want to say you will see a %SYS-5-CONFIG -
Configured from XXX by YYY message.
The questions become:
- Are you syslogging out to a server that would have caught this?
- Is there any IP in there of where it originated from?
- If so - other than an abuse report to the respective ISP and blocking
the IP - what can be done?
I guess the other thing I’d add - is if there’s any weak crypto (type 7, or
even a weak type 5 etc.) passwords or keys in your config, you might want to
change these. In other words, assume they have a copy of your config and act
accordingly.
PS: This is all assuming it was an exploit like this in the first place.
--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
0641 D285 A36F 533A 73E5 2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons.
Only now are such things possible."
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
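Added example, not part of any message in the thread: a syslog triage pass that looks for the three message strings quoted above and pulls out any remote IP recorded with a configuration event. The log line layout, the sample lines and all addresses are constructed assumptions; adjust the `LINE` pattern to your collector's format.

```python
import re
from collections import defaultdict

# Indicators are the message strings quoted in the thread.
INDICATORS = {
    "config_change": re.compile(r"%SYS-5-CONFIG\S*: Configured from"),
    "smi_stack_low": re.compile(r"Stack for process SMI IBC server process running low"),
    "crash": re.compile(r"%PLATFORM-1-CRASHED"),
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumed collector layout: "Mon DD HH:MM:SS <device> <message>"
LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s+(\S+)\s+(.*)$")

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE_LOG = """\
Mar 16 14:01:12 192.0.2.10 %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up
Mar 16 14:02:40 192.0.2.10 %SYS-5-CONFIG_I: Configured from tftp://203.0.113.50/cfg.txt by console
Mar 16 14:02:41 192.0.2.10 %SYS-6-STACKLOW: Stack for process SMI IBC server process running low, 0/6000
Mar 16 14:02:43 192.0.2.11 %PLATFORM-1-CRASHED: Debug Exception (Could be NULL pointer dereference)
Mar 16 14:05:00 192.0.2.12 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.7)
"""

def triage(log_text):
    """Return {device: [(timestamp, indicator, [remote IPs in message])]}."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # line does not fit the assumed layout
        ts, device, msg = m.groups()
        for name, pattern in INDICATORS.items():
            if pattern.search(msg):
                ips = [ip for ip in IPV4.findall(msg) if ip != device]
                hits[device].append((ts, name, ips))
    return dict(hits)

def suspect_devices(hits):
    """Devices that logged the SMI stack warning or the crash message."""
    return sorted(d for d, events in hits.items()
                  if any(name in ("smi_stack_low", "crash") for _, name, _ in events))

def config_sources(hits):
    """Remote IPs recorded alongside configuration events, per device."""
    return {d: sorted({ip for _, name, ips in events if name == "config_change" for ip in ips})
            for d, events in hits.items()
            if any(name == "config_change" for _, name, _ in events)}

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(suspect_devices(found), config_sources(found))
```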