Cisco Bug: CSCtd35382 - memory error when TCP vulnerability scan is happening
Last Modified
May 15, 2020
Products (103)
- Cisco Catalyst 3750 Series Switches
- Cisco Catalyst 3560G-48PS Switch
- Cisco Catalyst 3560E-24TD-S Switch
- Cisco Catalyst 3560E-48PD-E Switch
- Cisco Catalyst 2960-24-S Switch
- Cisco Catalyst 3560-12PC-S Compact Switch
- Cisco ME 3400-24TS-A Switch
- Cisco Catalyst 3750G-12S Switch
- Cisco Catalyst 2960-48TT-S Switch
- Cisco Catalyst 3750V2-24PS Switch
Known Affected Releases
12.2(53)SE
Description (partial)
Symptom:
Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. This means that a customer can ship a switch to a location, place it in the network and power it on with no configuration required on the switch.

When a vulnerability scanner such as NMAP, Nessus, Retina or another scanner is run against the Smart Install port (TCP port 4786), the switch may display memory error messages such as the following:

    14w1d: %SYS-2-MALLOCFAIL: Memory allocation of 1633771873 bytes failed from 0x1BB2EE8, alignment 0
    Pool: Processor Free: 5159776 Cause: Not enough free memory
    Alternate Pool: None Free: 0 Cause: No Alternate pool
    -Process= "SMI IBC server process", ipl= 0, pid= 185
    -Traceback= 29AF8E4 29B1E04 29B2068 2C3D198 1BB2EEC 1BB3144 1BB32D4 1BB35E8 1BB1EF0 1B2EDA8 1B25878
    14w1d: VSTACK_ERR: !! smi_socket_recv_read_data : Malloc Failed for msg_data
    14w1d: VSTACK_ERR: !! smi_socket_recv_read_data : Malloc Failed for msg_data
    14w1d: VSTACK_ERR:

These messages do not cause operational impact to the affected device (switch).

Conditions:
Switch configured with the Smart Install feature (client or director).

Workaround:
In Smart Install implementations the client switches are served by a common director. The switch selected as the director provides a single management point for images and configuration of client switches. When a client switch is first installed into the network, the director automatically detects the new switch and identifies the correct Cisco IOS image and the configuration file for downloading.

Switches that are clients have the Smart Install feature enabled by default and it cannot be disabled. The only way to work around this issue is to apply an access control list (ACL) blocking TCP port 4786, if Smart Install is not needed.

Further Problem Description:
None

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
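An added example, not part of the Cisco bug report: a log triage script that picks out MALLOCFAIL records raised by the Smart Install process in the messages quoted above, and reports whether the requested size exceeds the free pool and whether it decodes as four printable ASCII bytes. Reading a printable-ASCII size as a sign that scanner probe text was taken as a length is an assumption of this example; the function names and the line breaks in the sample are also constructed.

```python
import re

# Constructed sample: the messages quoted in the Symptom text, re-broken one
# field per line (the line breaks are an assumption about the console layout).
SAMPLE_LOG = """\
14w1d: %SYS-2-MALLOCFAIL: Memory allocation of 1633771873 bytes failed from 0x1BB2EE8, alignment 0
Pool: Processor Free: 5159776 Cause: Not enough free memory
Alternate Pool: None Free: 0 Cause: No Alternate pool
-Process= "SMI IBC server process", ipl= 0, pid= 185
-Traceback= 29AF8E4 29B1E04 29B2068 2C3D198 1BB2EEC 1BB3144 1BB32D4 1BB35E8 1BB1EF0 1B2EDA8 1B25878
14w1d: VSTACK_ERR: !! smi_socket_recv_read_data : Malloc Failed for msg_data
"""

MALLOC = re.compile(r"%SYS-2-MALLOCFAIL: Memory allocation of (\d+) bytes failed")
FREE = re.compile(r"Pool: Processor\s+Free: (\d+)")
PROC = re.compile(r'-Process= "([^"]+)"')

def size_as_ascii(size):
    """Return a 32-bit size as 4 ASCII characters if every byte is printable."""
    if size >= 2**32:
        return None
    raw = size.to_bytes(4, "big")
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None

def find_smi_mallocfail(log):
    """Return one finding per MALLOCFAIL record owned by an 'SMI ...' process."""
    findings, cur = [], None
    for line in log.splitlines():
        m = MALLOC.search(line)
        if m:  # start of a new record; any unfinished one is dropped
            cur = {"size": int(m.group(1)), "free": None}
            continue
        if cur is None:
            continue
        f, p = FREE.search(line), PROC.search(line)
        if f and cur["free"] is None:
            cur["free"] = int(f.group(1))
        elif p:  # the -Process= line closes the record
            if p.group(1).startswith("SMI "):
                cur.update(process=p.group(1), ascii=size_as_ascii(cur["size"]),
                           oversized=cur["free"] is not None and cur["size"] > cur["free"])
                findings.append(cur)
            cur = None
    return findings

if __name__ == "__main__":
    for finding in find_smi_mallocfail(SAMPLE_LOG):
        print(finding)
```

On the quoted message, the requested size 1633771873 is 0x61616161, which decodes to "aaaa" and is far larger than the 5159776 bytes reported free.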