Please scan softly - your router could crash
An nmap scan with certain parameters is apparently sufficient to temporarily cripple a whole corporate network. On the Full Disclosure mailing list, a network admin reported that he used the following command to establish the SNMP versions of his routers and servers:
nmap -sU -sV -p 161-162 -iL target_file.txt
where target_file.txt contained his systems' IP addresses. However, the scan caused most of his network devices to crash and reboot, including several Cisco routers. Responses on the list to his question of whether the problem was a DoS vulnerability in the devices or a flawed configuration varied widely.
Roland Dobbins of anti-DDoS specialist Arbor Networks considers crashes caused by scans quite normal and thinks that the real issue is more likely to be the insufficient isolation of the management network. This apparently allows attackers, and not just admins, to access the routers. Florian Weimer of the Debian project at least agrees in terms of what caused the problem: fingerprinting is a known method for remotely compromising devices, he said. In his opinion, however, the flaw should be reported and fixed regardless.
Opinions differ about what caused the crashes. While Dobbins thought that the reason was a flooded port which caused the CPU to reach 100% capacity, security specialist Thierry Zoller disagreed and said this wasn't the case. Apparently, only a few packets are sufficient to provoke a reboot. In any case, said Zoller, it is a vulnerability whether the management network is isolated or not. Dan Kaminsky added that such behaviour could perhaps be expected in a cheap Linksys router, but not in such expensive devices as those used in the current case.
Cor Rosielle of security specialist Outpost24 went only slightly off topic with his suggestion to use the Unicorn scanner instead of nmap. The nmap option -sV for retrieving the version of a service is a dangerous switch and has been known to crash devices, he said.
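The admin's stated goal was a version inventory of his own devices. A less intrusive way to get it than nmap -sV's probe battery is a single SNMP GET for sysDescr.0 per host, which is what the following added example does; it is not code from the article or from anyone on the list, and it assumes SNMPv2c with a known read community string (the sample banner in the parser test is constructed).

```python
import socket
SYSDESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # sysDescr.0 from MIB-II

def ber_tlv(tag, payload):
    """One BER TLV with a definite length (short form below 128 bytes, else long form)."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload

def ber_int(v):
    return ber_tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def ber_oid(oid):   # first two arcs merge into one byte; the rest are base-128, high bit = continuation
    out = bytearray([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return ber_tlv(0x06, bytes(out))

def build_get(community, request_id, oid=SYSDESCR_OID):
    """SNMPv2c GetRequest (PDU tag 0xA0) carrying a single OID; version field 1 means v2c."""
    varbind = ber_tlv(0x30, ber_oid(oid) + b"\x05\x00")                # OID + NULL placeholder
    pdu = ber_tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + ber_tlv(0x30, varbind))
    return ber_tlv(0x30, ber_int(1) + ber_tlv(0x04, community) + pdu)

def ber_parse(buf):
    """Decode BER into nested (tag, value) pairs; constructed tags (bit 0x20 set) recurse."""
    items, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                                   # long-form length
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        body, i = buf[i:i + n], i + n
        items.append((tag, ber_parse(body) if tag & 0x20 else body))
    return items

def sysdescr_from_response(resp):
    """Return the first varbind's OCTET STRING from a GetResponse PDU (tag 0xA2)."""
    msg = ber_parse(resp)[0][1]
    pdu = next(v for t, v in msg if t == 0xA2)
    return pdu[3][1][0][1][1][1].decode(errors="replace")            # varbinds -> varbind -> value

def query_sysdescr(host, community=b"public", timeout=2.0):
    """Send exactly one GET and wait once: no retries and no fingerprint probe battery."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get(community, 1), (host, 161))
        return sysdescr_from_response(s.recv(4096))
```

Run it one host at a time from the management network; a device that does not answer within the timeout is simply skipped rather than probed further.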
Whether any of the discussion partners found the time to inform Cisco remains unclear. We can conclude that admins should be careful when scanning their (management) networks and that they should isolate these networks from the rest of the staff.