Vulnerability

    Foundry

Affected

    Foundry networks gear

Description

    Jan  B.  Koum  found  following.   Running  tcp  nmap scan against
    Foundry network gear make it go  boom.  What makes it more  sad is
    that Foundry is in the networking business -- they route  packets.
    They don't make toasters which get it's tcp/ip stack written by  a
    recent CS grad.   Anyway, the version  which reboots after  simple
    "nmap <host>" is:

        telnet@XXX.mail#sh ver
         SW: Version 05.0.94T13 Copyright (c) 1996-1999 Foundry Networks, Inc.
             Compiled on Jun  8 1999 at 15:46:09 labeled as N8R05094
         HW: NetIron Gigabit Switching Router, serial number 01a5a4
     200 MHz Power PC processor 603 (revision 7) with 32756K bytes of DRAM
          16 100BaseT interfaces with Level 1 Transceiver LXT975
           2 GIGA uplink interfaces, SX
        [.. snip ..]

        Octal System, Maximum Code Image Size Supported: 1965568 (0x001dfe00)
        The system uptime is 1 minutes 47 seconds

    This is NetIron series -- not sure about other hardware...

    Valentin Beck made test too and it was able to reproduced it:

        telnet@something>sh ver
         SW: Version 05.0.03T12 Copyright (c) 1996-1999 Foundry Networks, Inc.
             Compiled on Jun 29 1999 at 10:56:44 labeled as SLB05003
         HW: ServerIron Switch, serial number 02bb34
         240 MHz Power PC processor 603 (revision 7) with 32756K bytes of DRAM
          16 100BaseT interfaces with Level 1 Transceiver LXT975
           2 GIGA uplink interfaces, SX
        [bla bla bla]
        Octal System, Maximum Code Image Size Supported: 1965568 (0x001dfe00)
        The system uptime is 1 days 8 hours 41 minutes 6 seconds

    System  was  running  normally  while  nmapping, and crashed a few
    minutes later...

Solution

    Jan notified Foundry, but they do not seem to be able to reproduce
    the problem themself  (he also wasn't  able to crash  a foundry on
    LAN running  05.0.02T13  version of their software).