We have implemented MVM on the network and were conducting scans on the net devices. When the core switches were scanned, the network was disrupted immediately.
Apparently it was due to the scans conducted on the switches (both primary and secondary), as the whole traffic in the network uses these switches.
My query is: does MVM have such disruptive vulnerabilities and plugins to crash the switches?
If yes, what are the vulnerabilities (plugins or exploits) for switches, routers and firewalls we can use to avoid such disruption again?
It is important to remember that MVM Vulnerability Manager is discovering an issue and not causing the issue on the target(s). Unless of course you’re unwittingly running ‘Intrusive’ scripts. We’re using standard RFC compliant packages. Any attacker could have used the same pattern maliciously to cause the issue. As that’s the case it is important to fix this, but it’s the vendors that need to review the devices. Normally resolution is either an upgrade to the target, firmware update or a vendor patch. It is not a change to our code or scripts. We can gather information, but that would be to assist the vendor. You would need to speak to the vendor first to figure out what they need.
Message was edited by: dfirstbr on 18/01/13 05:44:27 CST
It also rather depends on which vulnerabilities you have selected (shell, web, etc.) and what Operating System the switch is being detected as. I have seen problems on older versions of Oracle, Lexmark Printers, UPS Devices, IOS Devices running very old firmware. We also found that a lot of Webserver interfaces on routers and switches being scanned can cause the devices to die (a config change fixes that).
The other thing to remember is that if your vulnerability scanner can DOS your switches so can any internal attacker (or in some cases legitimate business traffic).
If you can post the make and firmware version, others might know of issues.
Message was edited by: ritch on 18/01/13 07:29:56 CST
Can you disclose the Vendor of your Core Switches? We had an issue where the scanner was generating a DHCP flood across the network, which was resolved with an upgrade of NX-OS.
Ritch / Feeds,
We were scanning HP 8206 zl switches using MVM 7.5. Also, let us know what vulnerabilities (plugins) support the net devices (firewalls, switches, IPS, Routers) and if there is any documentation on it. Appreciate the help.