Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP) - Part 1

CERT® Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)
Original release date: February 12, 2002
Last revised: Wed Feb 20 13:10:51 EST 2002
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
Products from a very wide variety of vendors may be affected. See Vendor Information for 
details from vendors who have provided feedback for this advisory.
In addition to the vendors who provided feedback for this advisory, a list of vendors whom 
CERT/CC contacted regarding these problems is available from
     http://www.kb.cert.org/vuls/id/854306
     http://www.kb.cert.org/vuls/id/107186
Many other systems making use of SNMP may also be vulnerable but were not specifically 
tested.
Overview
Numerous vulnerabilities have been reported in multiple vendors' SNMP implementations. These 
vulnerabilities may allow unauthorized privileged access, denial-of-service attacks, or 
cause unstable behavior. If your site uses SNMP in any capacity, the CERT/CC encourages you 
to read this advisory and follow the advice provided in the Solution section below.
In addition to this advisory, we also have a FAQ available at
     http://www.cert.org/tech_tips/snmp_faq.html
I. Description
The Simple Network Management Protocol (SNMP) is a widely deployed protocol that is commonly 
used to monitor and manage network devices. Version 1 of the protocol (SNMPv1) defines 
several types of SNMP messages that are used to request information or configuration 
changes, respond to requests, enumerate SNMP objects, and send unsolicited
alerts. The Oulu University Secure Programming Group 
(OUSPG, http://www.ee.oulu.fi/research/ouspg/) has reported numerous vulnerabilities in SNMPv1 
implementations from many different vendors. More information about SNMP and OUSPG
can be found in Appendix C.
OUSPG's research focused on the manner in which SNMPv1 agents and managers handle request 
and trap messages. By applying the PROTOS c06-snmpv1 test suite 
(http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html)
to a variety of popular SNMPv1-enabled products, the OUSPG revealed the following 
vulnerabilities:
VU#107186 - Multiple vulnerabilities in SNMPv1 trap handling
     SNMP trap messages are sent from agents to managers. A trap message may indicate a 
warning or error condition or otherwise notify the manager about the agent's state. SNMP 
managers must properly decode trap messages and process the resulting data. In testing, 
OUSPG found multiple vulnerabilities in the way many SNMP managers decode and process SNMP 
trap messages.
VU#854306 - Multiple vulnerabilities in SNMPv1 request handling
     SNMP request messages are sent from managers to agents. Request messages might be 
issued to obtain information from an agent or to instruct the agent to configure the host 
device. SNMP agents must properly decode request messages and process the resulting data. In 
testing, OUSPG found multiple vulnerabilities in the way many SNMP agents decode and process 
SNMP request messages.
Vulnerabilities in the decoding and subsequent processing of SNMP messages by both managers 
and agents may result in denial-of-service conditions, format string vulnerabilities, and 
buffer overflows. Some vulnerabilities do not require the SNMP message to use the correct 
SNMP community string.
These vulnerabilities have been assigned the CVE identifiers CAN-2002-0012 (trap handling, 
VU#107186) and CAN-2002-0013 (request handling, VU#854306).
II. Impact
These vulnerabilities may cause denial-of-service conditions, service interruptions, and in 
some cases may allow an attacker to gain access to the affected device. Specific impacts 
will vary from product to product.
III. Solution
Note that many of the mitigation steps recommended below may have significant impact on your 
everyday network operations and/or network architecture. Ensure that any changes made based 
on the following recommendations will not unacceptably affect your ongoing network 
operations capability.
Apply a patch from your vendor
Appendix A contains information provided by vendors for this advisory. Please consult this 
appendix to determine if you need to contact your vendor directly.
Disable the SNMP service
As a general rule, the CERT/CC recommends disabling any service or capability that is not 
explicitly required, including SNMP. Unfortunately, some of the affected products exhibited 
unexpected behavior or denial of service conditions when exposed to the OUSPG test suite 
even if SNMP was not enabled. In these cases, disabling SNMP should be used in conjunction 
with the filtering practices listed below to provide additional protection.
Ingress filtering
As a temporary measure, it may be possible to limit the scope of these vulnerabilities by 
blocking access to SNMP services at the network perimeter.
Ingress filtering manages the flow of traffic as it enters a network under your 
administrative control. Servers are typically the only machines that need to accept inbound 
traffic from the public Internet. In the network usage policy of many sites, there are few 
reasons for external hosts to initiate inbound traffic to machines that provide no public
services. Thus, ingress filtering should be performed at the border to prohibit externally 
initiated inbound traffic to non-authorized services. For SNMP, ingress filtering of the 
following ports can prevent attackers outside of your network from impacting vulnerable 
devices in the local network that are not explicitly authorized to provide public
SNMP services.
snmp     161/udp     # Simple Network Management Protocol (SNMP)
snmp     162/udp     # SNMP system management messages
The following services are less common, but may be used on some affected products:
snmp               161/tcp     # Simple Network Management Protocol (SNMP)
snmp               162/tcp     # SNMP system management messages
smux               199/tcp     # SNMP Unix Multiplexer
smux               199/udp     # SNMP Unix Multiplexer
synoptics-relay    391/tcp     # SynOptics SNMP Relay Port
synoptics-relay    391/udp     # SynOptics SNMP Relay Port
agentx             705/tcp     # AgentX
snmp-tcp-port     1993/tcp     # cisco SNMP TCP port
snmp-tcp-port     1993/udp     # cisco SNMP TCP port
As noted above, you should carefully consider the impact of blocking services that you may 
be using.
It is important to note that in many SNMP implementations, the SNMP daemon may bind to all 
IP interfaces on the device. This has important consequences when considering appropriate 
packet filtering measures required to protect an SNMP-enabled device. For example, even if a 
device disallows SNMP packets directed to the IP addresses of its normal network interfaces, 
it may still be possible to exploit these vulnerabilities on that device through the use of
packets directed at the following IP addresses:
   * "all-ones" broadcast address
   * subnet broadcast address
   * any internal loopback addresses (commonly used in routers for management purposes, not 
to be confused with the IP stack loopback address 127.0.0.1)
Careful consideration should be given to addresses of the types mentioned above by sites 
planning for packet filtering as part of their mitigation strategy for these 
vulnerabilities.
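To see what the binding caveat above means for a filter policy, here is an added example (not part of the advisory) that uses Python's ipaddress module to enumerate every destination address that can reach an agent bound to all interfaces, including each subnet broadcast, the all-ones broadcast and any management loopback, and then reports which (address, protocol, port) combinations a deny-rule list fails to cover for the ports listed above. The interface addresses, the loopback and both rule sets are constructed sample values.

```python
"""Check that a packet-filter policy blocks SNMP to every address that reaches an agent
bound to all interfaces, not just the interfaces' own unicast addresses."""
import ipaddress
from typing import Iterable, List, Optional, Set, Tuple

# Ports from the advisory's ingress-filtering list (SNMP, SMUX, SynOptics relay, AgentX,
# cisco SNMP TCP port).
SNMP_SERVICES = {("udp", 161), ("udp", 162), ("tcp", 161), ("tcp", 162),
                 ("tcp", 199), ("udp", 199), ("tcp", 391), ("udp", 391),
                 ("tcp", 705), ("tcp", 1993), ("udp", 1993)}
ALL_ONES = ipaddress.IPv4Address("255.255.255.255")

# A deny rule: (destination CIDR, "udp" / "tcp" / "any", port or None meaning any port).
Rule = Tuple[str, str, Optional[int]]


def agent_destinations(interfaces: Iterable[str],
                       loopbacks: Iterable[str]) -> Set[ipaddress.IPv4Address]:
    """Every IPv4 destination a datagram can carry and still be delivered to a daemon that
    listens on all interfaces: each interface address, its subnet broadcast, the all-ones
    broadcast, and any internal management loopback address."""
    dests = {ALL_ONES}
    for cidr in interfaces:
        iface = ipaddress.IPv4Interface(cidr)
        dests.add(iface.ip)
        dests.add(iface.network.broadcast_address)
    for addr in loopbacks:
        dests.add(ipaddress.IPv4Address(addr))
    return dests


def _denied(rules, dest, proto, port) -> bool:
    """True when at least one parsed deny rule matches this destination/protocol/port."""
    return any(dest in net and r_proto in ("any", proto) and r_port in (None, port)
               for net, r_proto, r_port in rules)


def uncovered(rules: Iterable[Rule], interfaces: Iterable[str],
              loopbacks: Iterable[str]) -> List[Tuple[str, str, int]]:
    """(destination, proto, port) combinations for which no deny rule matches."""
    parsed = [(ipaddress.IPv4Network(cidr), proto, port) for cidr, proto, port in rules]
    gaps = []
    for dest in sorted(agent_destinations(interfaces, loopbacks)):
        for proto, port in sorted(SNMP_SERVICES):
            if not _denied(parsed, dest, proto, port):
                gaps.append((str(dest), proto, port))
    return gaps


# Constructed sample device: two LAN interfaces (TEST-NET ranges) plus a management loopback.
INTERFACES = ["192.0.2.1/24", "198.51.100.1/30"]
LOOPBACKS = ["10.255.255.1"]

# A naive border policy that only denies SNMP/UDP to the interfaces' own unicast addresses.
NAIVE_POLICY: List[Rule] = [("192.0.2.1/32", "udp", 161), ("192.0.2.1/32", "udp", 162),
                            ("198.51.100.1/32", "udp", 161), ("198.51.100.1/32", "udp", 162)]
# A policy that denies every listed SNMP-related service to any destination behind the border.
FULL_POLICY: List[Rule] = [("0.0.0.0/0", proto, port) for proto, port in SNMP_SERVICES]

if __name__ == "__main__":
    for dest, proto, port in uncovered(NAIVE_POLICY, INTERFACES, LOOPBACKS):
        print(f"still reachable: {dest} {proto}/{port}")
    print("full policy gaps:", uncovered(FULL_POLICY, INTERFACES, LOOPBACKS))
```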
Finally, sites may wish to block access to the following RPC services related to SNMP 
(listed as name, program ID, alternate names):
snmp               100122  na.snmp snmp-cmc snmp-synoptics snmp-unisys snmp-utk
snmpv2             100138  na.snmpv2     # SNM Version 2.2.2
snmpXdmid          100249
Please note that this workaround may not protect vulnerable devices from internal attacks.
Filter SNMP traffic from non-authorized internal hosts
In many networks, only a limited number of network management systems need to originate SNMP 
request messages. Therefore, it may be possible to configure the SNMP agent systems (or the 
network devices in between the management and agent systems) to disallow request messages 
from non-authorized systems. This can reduce, but not wholly eliminate, the risk from 
internal attacks. However, it may have detrimental effects on network performance due to the
increased load imposed by the filtering, so careful consideration is required before 
implementation. Similar caveats to the previous workaround regarding broadcast and loopback 
addresses apply.
Change default community strings
Most SNMP-enabled products ship with default community strings of "public" for read-only 
access and "private" for read-write access. As with any known default access control 
mechanism, the CERT/CC recommends that network administrators change these community strings 
to something of their own choosing. However, even when community strings are changed from 
their defaults, they will still be passed in plaintext and are therefore subject to packet 
sniffing attacks. SNMPv3 offers additional capabilities to ensure authentication and privacy 
as described in RFC2574.
Because many of the vulnerabilities identified in this advisory occur before the community 
strings are evaluated, it is important to note that performing this step alone is not 
sufficient to mitigate the impact of these vulnerabilities. Nonetheless, it should be 
performed as part of good security practice.
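The reason a changed community string does not help against these particular bugs is that the community string is compared only after the BER-encoded message header has been decoded, so a length-handling flaw in the decoder (the kind of defect described in the Description section) is reachable without it. The following added example, which is not CERT or OUSPG code, shows a defensively written SNMPv1 header decoder in Python that bounds-checks every BER length and rejects a malformed message before any community comparison runs; the messages are constructed sample inputs, two of them carrying a malformed length octet of the kind a fuzzing suite such as PROTOS generates.

```python
"""Defensive SNMPv1 header decoding: validate all BER lengths before touching the community."""
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

SNMP_V1 = 0
PDU_TAGS = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
            0xA3: "SetRequest", 0xA4: "Trap"}
MAX_MSG = 1472          # assumed cap: one Ethernet-sized UDP payload
MAX_COMMUNITY = 255     # assumed cap on community string length


class MalformedMessage(ValueError):
    """Raised by the decoder; no community string has been compared when this fires."""


@dataclass
class Header:
    version: int
    community: bytes
    pdu_type: str
    pdu_body: bytes     # PDU contents, left for the caller to decode


def _read_tlv(buf: bytes, pos: int, expect_tag: Optional[int] = None) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the BER TLV at buf[pos:], checking every length field."""
    if pos + 2 > len(buf):
        raise MalformedMessage(f"truncated TLV at offset {pos}")
    tag, first = buf[pos], buf[pos + 1]
    if expect_tag is not None and tag != expect_tag:
        raise MalformedMessage(f"tag 0x{tag:02x} at offset {pos}, expected 0x{expect_tag:02x}")
    pos += 2
    if first < 0x80:                      # short form: the octet is the length
        length = first
    elif first == 0x80:                   # indefinite form is not legal in SNMP
        raise MalformedMessage(f"indefinite length at offset {pos - 1}")
    else:                                 # long form: low 7 bits = number of length octets
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):
            raise MalformedMessage(f"bad long-form length ({n} octets) at offset {pos - 1}")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):           # the check a vulnerable decoder skips
        raise MalformedMessage(f"length {length} overruns buffer ({len(buf) - pos} bytes left)")
    return tag, buf[pos:pos + length], pos + length


def _read_int(buf: bytes, pos: int) -> Tuple[int, int]:
    """Read a BER INTEGER of at most four octets; returns (value, next_pos)."""
    _, val, nxt = _read_tlv(buf, pos, 0x02)
    if not 1 <= len(val) <= 4:
        raise MalformedMessage(f"INTEGER of {len(val)} octets at offset {pos}")
    return int.from_bytes(val, "big", signed=True), nxt


def decode_header(msg: bytes) -> Header:
    """Strictly decode SEQUENCE { version INTEGER, community OCTET STRING, pdu [0..4] }."""
    if len(msg) > MAX_MSG:
        raise MalformedMessage(f"message of {len(msg)} bytes exceeds {MAX_MSG}")
    _, body, end = _read_tlv(msg, 0, 0x30)
    if end != len(msg):
        raise MalformedMessage("trailing bytes after outer SEQUENCE")
    version, pos = _read_int(body, 0)
    if version != SNMP_V1:
        raise MalformedMessage(f"unsupported version {version}")
    _, community, pos = _read_tlv(body, pos, 0x04)
    if len(community) > MAX_COMMUNITY:
        raise MalformedMessage(f"community string of {len(community)} octets")
    tag, pdu, pos = _read_tlv(body, pos)
    if tag not in PDU_TAGS:
        raise MalformedMessage(f"unknown PDU tag 0x{tag:02x}")
    if pos != len(body):
        raise MalformedMessage("trailing bytes after PDU")
    return Header(version, community, PDU_TAGS[tag], pdu)


def classify(msg: bytes, expected_community: bytes) -> str:
    """'malformed' if decoding fails, 'unauthorized' on community mismatch, else 'accepted'."""
    try:
        hdr = decode_header(msg)
    except MalformedMessage:
        return "malformed"
    if not hmac.compare_digest(hdr.community, expected_community):
        return "unauthorized"
    return "accepted"


# Constructed sample: GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0) with community "public".
GOOD_REQUEST = bytes.fromhex(
    "3026 020100 0406 7075626c6963 a019 020101 020100 020100"
    "300e 300c 0608 2b06010201010100 0500")
# Same message with the community length octet rewritten to 0x7f (127), far past the end of
# the datagram: a careless decoder copies 127 bytes, this one raises MalformedMessage.
OVERLONG_COMMUNITY = GOOD_REQUEST[:6] + b"\x7f" + GOOD_REQUEST[7:]
# Outer SEQUENCE with the indefinite-length octet 0x80, which SNMP's BER profile forbids.
INDEFINITE_LENGTH = GOOD_REQUEST[:1] + b"\x80" + GOOD_REQUEST[2:]

if __name__ == "__main__":
    for name, m in [("good", GOOD_REQUEST), ("overlong", OVERLONG_COMMUNITY),
                    ("indefinite", INDEFINITE_LENGTH)]:
        print(name, classify(m, b"public"), classify(m, b"not-public"))
```

Note that the two malformed messages are classified identically whether or not the expected community string is supplied: the community never enters the decision.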
Segregate SNMP traffic onto a separate management network
In situations where blocking or disabling SNMP is not possible, exposure to these 
vulnerabilities may be limited by restricting all SNMP access to separate, isolated 
management networks that are not publicly accessible. Although this would ideally involve 
physically separate networks, that kind of separation is probably not feasible in most
environments. Mechanisms such as virtual LANs (VLANs) may be used to help segregate traffic 
on the same physical network. Note that VLANs may not strictly prevent an attacker from 
exploiting these vulnerabilities, but they may make it more difficult to initiate the 
attacks.
Another option is for sites to restrict SNMP traffic to separate virtual private networks 
(VPNs), which employ cryptographically strong authentication.
Note that these solutions may require extensive changes to a site's network architecture.
Egress filtering
Egress filtering manages the flow of traffic as it leaves a network under your 
administrative control. There is typically limited need for machines providing public 
services to initiate outbound traffic to the Internet. In the case of SNMP vulnerabilities, 
employing egress filtering on the ports listed above at your network border can prevent
your network from being used as a source for attacks on other sites.
Disable stack execution
Disabling executable stacks (on systems where this is configurable) can reduce the risk of 
"stack smashing" attacks based on these vulnerabilities. Although this does not provide 100 
percent protection against exploitation of these vulnerabilities, it makes the likelihood of 
a successful exploit much smaller. On many UNIX systems, executable stacks can be disabled 
by adding the following lines to /etc/system:
     set noexec_user_stack = 1
     set noexec_user_stack_log = 1
Note that this may go against the SPARC and Intel ABIs and can be bypassed as required in 
programs with mprotect(2). For the changes to take effect you will then need to reboot.
Other operating systems and architectures also support the disabling of executable stacks 
either through native configuration parameters or via third-party software. Consult your 
vendor(s) for additional information.
Share tools and techniques
Because dealing with these vulnerabilities to systems and networks is so complex, the 
CERT/CC will provide a forum where administrators can share ideas and techniques that can be 
used to develop proper defenses. We have created an unmoderated mailing list for system and 
network administrators to discuss helpful techniques and tools.
You can subscribe to the mailing list by sending an email message to majordomo@cert.org. In 
the body of the message, type
     subscribe snmp-forum
After you receive the confirmation message, follow the instructions in the message to 
complete the subscription process.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this advisory. As vendors report 
new information to the CERT/CC, we will update this section and note the changes in our 
revision history. If a particular vendor is not listed below, we have not received their 
comments.
AdventNet
     This is in reference to your notification regarding [VU#107186 and VU#854306] and 
OUSPG#0100. AdventNet Inc. has reproduced this behavior in their products and coded a 
Service Pack fix which is currently in regression testing in AdventNet Inc.'s Q.A. 
organization. The release of AdventNet Inc.'s Service Pack correcting the behavior outlined 
in [... OUSPG#0100] is scheduled to be generally available to all of AdventNet Inc.'s 
customers by February 20, 2002.
Alcatel
     The security of our customers' networks is of highest priority for Alcatel.
     Alcatel is aware of this industry-wide SNMP security issue and has
     put measures in place to assess which of its products might be
     affected. Within this activity, Alcatel is closely working with its
     customers and CERT to address and fix potential security problems as
     identified by CERT.
Aprisma
     Aprisma is currently performing tests on the SPECTRUM
     product suite to reveal any applicable issues.  Our findings
     to date regarding the recent CERT advisory are as follows:
     CERT Advisory CA-2002-03
     VU#854306 - Multiple Vulnerabilities in SNMPv1 Request Handling -
     This advisory is not applicable to SPECTRUM as it is a management
     system and not an agent.  As a management system, SPECTRUM
     does not accept SNMP requests; rather, SPECTRUM sends SNMP
     requests and processes subsequent SNMP responses.
     CERT Advisory CA-2002-03
     VU#107186 - Multiple Vulnerabilities in SNMPv1 Trap Handling -
     Although relevant to SPECTRUM, Aprisma's preliminary testing has
     revealed no issues.  We are currently conducting more in-depth tests
     and will shortly convey our results.
     Upon completion of the testing process Aprisma will post
     additional information to this site.
Avaya
     Avaya Inc. acknowledges the potential of SNMP vulnerabilities and is currently 
investigating whether these vulnerabilities impact Avaya's products or solutions. No further 
information is available at this time.
BMC Software
     BMC Software has reviewed the information about SNMP vulnerabilities and is
     fully investigating these issues across our products.  While we have seen no
     evidence of exploitable problems at this time, we are continuing to
     investigate and will issue a bulletin regarding this advisory once we have
     completed a thorough investigation.
CacheFlow
     The purpose of this email is to advise you that CacheFlow Inc. has provided a software 
update. Please be advised that updated versions of the software are now available for all 
supported CacheFlow hardware platforms, and may be obtained by CacheFlow customers at the 
following URL:
          http://download.cacheflow.com/
     The specific reference to the software update is contained within the Release Notes for 
CacheOS Versions 3.1.22 Release ID 17146, 4.0.15 Release ID 17148, 4.1.02 Release ID 17144 
and 4.0.15 Release ID 17149.
     RELEASE NOTES FOR CACHEFLOW SERVER ACCELERATOR PRODUCTS:
        * http://download.cacheflow.com/release/SA/4.0.15/relnotes.htm
     RELEASE NOTES FOR CACHEFLOW CONTENT ACCELERATOR PRODUCTS:
        * http://download.cacheflow.com/release/CA/3.1.22/relnotes.htm
        * http://download.cacheflow.com/release/CA/4.0.15/relnotes.htm
        * http://download.cacheflow.com/release/CA/4.1.02/relnotes.htm
     * SR 1-1647517, VI 13045: This update modified a potential vulnerability by using an 
SNMP test tools exploit.
3Com Corporation
     A vulnerability to an SNMP packet with an invalid length community string has been 
resolved in the following products. Customers concerned about this weakness should ensure 
that they upgrade to the following agent versions:
     PS Hub 40
     2.16 is due Feb 2002
     PS Hub 50
     2.16 is due Feb 2002
     Dual Speed Hub
     2.16 is due Jan 2002
     Switch 1100/3300
     2.68 is available now
     Switch 4400
     2.02 is available now
     Switch 4900
     2.04 is available now
     WebCache1000/3000
     2.00 is due Jan 2002
     For updated information on CommWorks Corporation, a 3Com company,
     visit http://www.commworks.com/Press/Archive/2002/February/CERT_Advisory.asp
     In addition, CommWorks' customers should monitor http://totalservice.commworks.com/cert_update.cfm 
for updated information addressing the 
CERT advisory, as well as information on available patches for CommWorks' products.
Caldera
     Caldera International, Inc. has reproduced faulty behavior in Caldera SCO OpenServer 5, 
Caldera UnixWare 7, and Caldera Open UNIX 8. We have coded a software fix for supported 
versions of Caldera UnixWare 7 and Caldera Open UNIX 8 that will be available from our 
support site at http://stage.caldera.com/support/security immediately following the 
publication of this CERT announcement. A fix for supported versions of OpenServer 5 will be 
available at a later date.
Check Point Software Technologies Inc.
     Check Point Statement on SNMP Vulnerability Test Suite (CERT Advisory CA-2002-03)
     Recently, an automated suite was released which tests products for known SNMP 
vulnerabilities.
     Check Point knows of no SNMP-related security issues in any of its products, and is 
conducting an extensive
     review to ensure that none exist.  SNMP communication is not required for correct 
functionality of any Check Point products.
     FireWall-1, by default, blocks all SNMP communication to, from, or across a FireWall-1 
gateway.  The SNMP service is disabled by default, and SNMP communication is enabled only if 
the administrator writes a specific rule which allows the communication.
     If SNMP monitoring of Check Point firewalls or internal networks is needed, Check Point 
recommends that the FireWall-1 rule base tightly restrict SNMP communication.
Cisco Systems
     Cisco Systems is addressing the vulnerabilities identified by VU#854306 and VU#107186 
across its entire product line. Cisco has released an advisory:
          http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml
Compaq Computer Corporation
     TITLE: (SSRT0799) Potential Security Vulnerabilities in SNMP
     Posted at http://ftp.support.compaq.com/patches/.new/security.shtml
     NOTICE: There are no restrictions for distribution of this
     Bulletin provided that it remains complete and intact.
     RELEASE DATE:   18 FEBRUARY, 2002
     SEVERITY: MEDIUM
     SOURCE:  Compaq Computer Corporation
             Compaq Global Services
             Software Security Response Team
     CROSS REFERENCE:   (SSRT0799, CAN-2002-0012,
                        CAN-2002-0013, CERT CA-2002-03)
     PROBLEM SUMMARY:
     The Computer Emergency Response Team (CERT/cc) has recently issued an
     advisory regarding numerous potential vulnerabilities in SNMPv1
     implementations. These potential vulnerabilities are applicable to
     SNMPv1 trap handling and SNMPv1 Request handling. The CERT article
     outlines vulnerabilities that can cause SNMP services to stop
     functioning and in some cases may enable "unauthorized access,"
     "denial of service attacks" or may cause system instability.
     IMPACT:
     Compaq NonStop Himalaya Servers:
     Compaq TCP/IP Services for OpenVMS:
     Compaq Tru64 UNIX:
     Compaq Insight Management Suite:
     Compaq Deskpro, Professional Workstation, Armada, Evo:
     Compaq SANworks:
     Compaq's findings to date regarding the SNMPv1 issues are as
     follows:
     ________________________________
     Compaq NonStop Himalaya Servers:
     The Compaq Himalaya NonStop Kernel prohibits execution of code on the
     stack or heap by hardware TLB permissions (read/write only),
     preventing Trojan horse attacks by embedding code within the buffer
     overflow area. However, process ABENDs can occur.
     The SNMP agent ABENDs in the c06-snmpv1 buffer-overflow tests.
     This affects forwarding trap messages and/or sending info responses
     to SNMP managers.
     Sub-agents use IPCs to communicate with the SNMP agent, so they
     cannot be directly attacked.  More importantly, sub-agents are
     confined to information only requests, so they cannot be used to
     configure/manage their sub-systems. Our investigation and analysis is
     continuing and further updates will be provided.
     RESOLUTION:
     IPMs to address the ABEND problem of the SNMP are in development
     and will be released as soon as verification is complete. Updates
     to include availability of these IPMs will be included in future
     updates.
     __________________________________
     Compaq TCP/IP Services for OpenVMS:
     There is some impact to the SNMP agent provided with Compaq TCP/IP
     Services for OpenVMS. This problem can cause the SNMP agent to ACCVIO
     and terminate temporarily denying service to SNMP, but in most cases
     after this occurs Compaq TCP/IP Services for OpenVMS will restart
     the SNMP agent in response to the next SNMP request. There are no
     known risks of compromising system security due to this problem.
     The SNMP agent executes from a non-privileged process, which
     prevents any compromise to system security.
     RESOLUTION:
     Our investigation and analysis has determined the cause of the
     problem. The updated images for Compaq TCP/IP Services for OpenVMS
     are now in final test. Compaq will provide updates to Compaq TCP/IP
     Services for OpenVMS in the next ECO and also in the next release,
     Compaq TCP/IP Services for OpenVMS V5.3. Contact Compaq's Customer
     Support Center if an earlier update is required.
     __________________
     Compaq Tru64 UNIX:
     There is some impact to the SNMP agent provided with Tru64 UNIX. This
     problem can cause the SNMP agent to suffer a segmentation fault,
     generate a core file and exit, denying SNMP service to SNMP-based
     network management applications.  There are no known risks of
     compromising system security due to this problem.  We do not believe
     this can cause the system to be unstable, vulnerable to "unauthorized
     access" nor be the cause of any other denial of service (except of
     course to the SNMP service).
     RESOLUTION:
     Until a fix is implemented, users will have to manually restart
     snmpd. Our investigation and analysis has determined the cause of the
     problem. The updated images are now in final test.  When completed,
     Compaq will provide patches to all impacted versions of Tru64 UNIX
     4.0f, 4.0g, 5.0a, 5.1, 5.1a.
     ________________________________
     Compaq Insight Management Suite:
     (ProLiants running industry standard operating systems including
     Windows 2000, NetWare, Linux, etc)
     The Compaq Insight Management Suite utilizes SNMP as a primary
     communications method.  Fixes to the operating systems affected will
     be provided by the vendors involved.  Check
     http://www.compaq.com/manage/security for the most up-to-date
     information.
     _______________________________________________
     Deskpro, Professional Workstation, Armada, Evo:
     The Deskpro, Professional Workstation, Armada, Evo(Microsoft
     Operating systems including Windows XP, Windows 2000, Windows 98, and Windows
     95) Compaq Management Agents for Clients utilizes SNMP as an optional
     communications method. Fixes to the operating systems affected will
     be provided by Microsoft.  
     Check www.microsoft.com/technet/security/bulletin/MS02-006.asp for the most up-to-date 
     information.
     _____________________________________
     Compaq SANworks Management Appliance:
     The SANworks management appliance is essentially a Compaq server and
     our recommended configuration does not have it connected directly to
     the internet.  Therefore, it is less exposed than other servers to
     external SNMP security attacks.  However, the appliance is
     susceptible to SNMP security attacks from inside the firewall that
     could result in the graceful termination of some storage management
     applications on the appliance.
     Compaq will provide a patch to the appliance as soon as possible.
     ____________________________________________________________________
     NOTE:
     Many systems operate behind firewalls and would normally
     implement SNMP blocking for SNMP as standard procedure. Based on SNMP
     blocking and ingress/egress filtering, the potential Security
     vulnerability may only be exploited by users who have access to your
     local security domain, therefore the risk is diminished.
     SUPPORT:
     This advisory bulletin will be updated for the various
     products requiring patches and individual patch notifications
     will be done through standard "patch notification" procedures
     for those products. For further information, contact your normal
     Compaq Support channel.
     SUBSCRIBE:
     To subscribe to automatically receive future Security
     Advisories from the Compaq's Software Security Response Team via
     electronic mail:
     http://www.support.compaq.com/patches/mailing-list.shtml
     REPORT:
     To report a potential security vulnerability with any Compaq
     supported product, send email to: security-ssrt@compaq.com
     Compaq appreciates your cooperation and patience. As always,
     Compaq urges you to periodically review your system management
     and security procedures. Compaq will continue to review and
     enhance the security features of its products and work with
     our customers to maintain and improve the security and integrity
     of their systems.
     "Compaq is broadly distributing this Security Bulletin in order to
     bring to the attention of users of the affected Compaq products the
     important security information contained in this Bulletin.
     Compaq recommends that all users determine the applicability of
     this information to their individual situations and take appropriate
     action.  Compaq does not warrant that this information is necessarily
     accurate or complete for all user situations and, consequently,
     Compaq will not be responsible for any damages resulting from
     user's use or disregard of the information provided in this
     Bulletin."
     Copyright 2002 Compaq Information Technologies Group, L.P.
     Compaq shall not be liable for technical or editorial errors
     or omissions contained herein. The information in this document
     is subject to change without notice. Compaq and the names of
     Compaq products referenced herein are, either, trademarks
     and/or service marks or registered trademarks and/or service
     marks of Compaq Information Technologies Group, L.P. Other product
     and company names mentioned herein may be trademarks and/or service
     marks of their respective owners.
Computer Associates
     Computer Associates has confirmed Unicenter vulnerability to the SNMP advisory 
identified by CERT notification reference [VU#107186 & VU#854306] and OUSPG#0100. We have 
produced corrective maintenance to address these vulnerabilities, which is in the process of 
publication for all applicable releases / platforms and will be offered through the CA 
Support site. Please contact our Technical Support organization for information regarding 
availability / applicability for your specific configuration(s).
COMTEK Services, Inc.
     NMServer for AS/400 is not an SNMP master and is therefore not vulnerable. However this 
product requires the use of the AS/400 SNMP master agent supplied by IBM. Please refer to 
IBM for statements of vulnerabilities for the AS/400 SNMP master agent.
     NMServer for OpenVMS has been tested and has shown to be vulnerable. COMTEK Services is 
preparing a new release of this product (version 3.5) which will contain a fix for this 
problem. This new release is scheduled to be available in February 2002. Contact COMTEK 
Services for further information.
     NMServer for VOS has not as yet been tested; vulnerability of this agent is unknown. 
Contact for further information on the testing schedule of the VOS product.
Concord Communications, Inc.
     Concord's eHealth Console product has some vulnerabilities to the OUSPG test
     suite. Patches are being developed and tested.
     Concord's SystemEDGE agent has been tested and is not vulnerable on Unix
     platforms. Under Windows, it is a sub-agent of the Windows SNMP agent, and
     therefore the Windows hot fixes should be applied. SystemEDGE is not
     vulnerable on Win2K and XP with Microsoft's hot fixes.
     Please see this page on Concord's web site for more detail and for patch
     availability: http://www.concord.com/certadvisory.shtml
Covalent Technologies
     Covalent Technologies has tested the Enterprise Ready Server, 
Managed Server, and Covalent Conductor SNMP module according to 
recommendations issued by CERT, and has found no security vulnerabilities 
associated with Advisory CA-2002-03.
Dartware, LLC
     Dartware, LLC (www.dartware.com) supplies two products that use SNMPv1 in a manager 
role, InterMapper and SNMP Watcher. These products are not vulnerable to the SNMP 
vulnerability described in [VU#854306 and VU#107186]. This statement applies to all present 
and past versions of these two software packages.
Dell
     Dell (www.dell.com) is currently investigating the impact CERT Advisory CA-2002-03 
(VU#854306 and VU#107186) may have against any products which make use of the SNMP protocol. 
Provided that products are found vulnerable, patches will be made available via normal 
support channels including support.dell.com.
DMH Software
     DMH Software is in the process of evaluating and attempting to reproduce this behavior.
     It is unclear at this point if our snmp-agent is sensitive to the tests described 
above.
     If any problems are discovered, DMH Software will code a software fix.
     The release of DMH Software OS correcting the behavior outlined in VU#854306, 
VU#107186, and OUSPG#0100 will be generally available to all of DMH Software's customers as 
soon as possible.
EnGarde Secure Linux
     EnGarde Secure Linux did not ship any SNMP packages in version 1.0.1 of our 
distribution, so we are not vulnerable to either bug.
Enterasys
     On 12-February-2002, CERT (http://www.cert.org) announced serious vulnerabilities in 
the SNMP implementations of virtually every networking vendor's equipment. These 
vulnerabilities were discovered by a Finnish research group known as OUSPG, associated with 
Oulu University, and are documented in advisory CA-2002-03.
     These vulnerabilities exist in all versions of SNMP (v1/v2c/v3) and can be used to 
cause SNMP implementations to behave in an unpredictable manner, resulting in denials of 
service or system failures.
     Given the serious nature of these vulnerabilities, Enterasys is testing our product 
line to determine which products are affected. Patches for affected products will be made 
available to our customers. Please check the Enterasys Support web site periodically for 
further details and patch information.
     Until these patches become available, Enterasys recommends that the following steps be 
taken to help reduce exposure to these vulnerabilities.
        * Disable SNMP from interfaces through which SNMP commands should not be received, 
such as those providing connection from the Internet or Extranets.
        * Use Access Control Lists at the access edge to prevent SNMP traffic from 
unauthorized internal hosts from entering the network.
        * Use management VLANs or out-of-band management to contain SNMP traffic and 
multicasts. These do not prevent an attacker from exploiting these vulnerabilities, but they 
may make it more difficult to initiate the attacks.
        * Enable 802.1X port-locking and RADIUS to prevent unauthenticated users from 
attaching to the network.
        * Use NetSight Policy Manager to automatically restrict the use of SNMP to 
authenticated, SNMP-authorized personnel.
        * Update Dragon IDS signatures to help identify when these attacks are being used.
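The steps above limit who can reach an agent; the check a practitioner then wants is whether an SNMPv1 agent still answers from a host that should no longer be able to reach it, and the same check confirms the per-product disable procedures (F5, HP) later in this advisory. The script below is an added example for this page, not code from CERT, Enterasys or any other vendor quoted here. It builds an SNMPv1 GetRequest for sysDescr.0 by hand, sends it to UDP/161, and decodes the reply with a BER decoder that checks every claimed length against the bytes actually received; the constructed SAMPLE_RESPONSE and OVERSIZED_RESPONSE byte strings (the latter a reply whose outer length field claims about 4 GB) show the decoder accepting a well-formed reply and rejecting a malformed one instead of reading past the buffer. Assumptions: SNMPv1 as in RFC 1157, the community string "public", and Python 3.8 or later; the sample bytes are constructed, not captured from any product.

```python
import socket
# Added example (not CERT's or any vendor's); assumes SNMPv1 (RFC 1157) on UDP/161.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2

class BerError(ValueError): pass  # any malformed or out-of-bounds BER structure

def _len(n):  # BER length: one byte below 0x80, else 0x8N followed by N bytes
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _len(len(value)) + value

def _int(n):  # minimal two's-complement INTEGER
    return _tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def _oid(dotted):  # first two arcs share one byte, the rest are base-128
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))  # continuation bit on all but last
        out += chunk
    return _tlv(OID, bytes(out))

def build_get_request(community, oid, request_id=1):
    """SNMPv1 GetRequest for one OID: Message{version 0, community, PDU}."""
    varbinds = _tlv(SEQUENCE, _tlv(SEQUENCE, _oid(oid) + _tlv(NULL, b"")))
    pdu = _tlv(GET_REQUEST, _int(request_id) + _int(0) + _int(0) + varbinds)
    return _tlv(SEQUENCE, _int(0) + _tlv(OCTET_STRING, community.encode()) + pdu)

def _read_tlv(buf, pos, end):  # -> (tag, value_start, value_end), lengths checked
    if end - pos < 2:
        raise BerError("truncated TLV header at offset %d" % pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or end - pos < n:
            raise BerError("bad long-form length at offset %d" % pos)
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if length > end - pos:  # a claimed length beyond the buffer is rejected, never trusted
        raise BerError("length %d exceeds %d remaining bytes" % (length, end - pos))
    return tag, pos, pos + length

def _decode(buf, pos, end):  # -> ((tag, value), offset after); constructed -> children
    tag, vs, ve = _read_tlv(buf, pos, end)
    if not tag & 0x20:  # primitive
        return (tag, bytes(buf[vs:ve])), ve
    children = []
    while vs < ve:
        child, vs = _decode(buf, vs, ve)
        children.append(child)
    return (tag, children), ve

def parse_get_response(msg):
    """Strictly decode an SNMPv1 GetResponse; raise BerError on anything odd."""
    (tag, parts), used = _decode(msg, 0, len(msg))
    if tag != SEQUENCE or used != len(msg) or len(parts) != 3:
        raise BerError("not a single SNMP message")
    (vt, ver), (ct, _community), (pt, pdu) = parts
    if (vt, ct, pt) != (INTEGER, OCTET_STRING, GET_RESPONSE) or ver != b"\x00":
        raise BerError("not an SNMPv1 GetResponse")
    if [t for t, _ in pdu] != [INTEGER] * 3 + [SEQUENCE] or not all(v for _, v in pdu[:3]):
        raise BerError("malformed PDU header")
    rid, status, index = (int.from_bytes(v, "big", signed=True) for _, v in pdu[:3])
    varbinds = []
    for vtag, vb in pdu[3][1]:
        if vtag != SEQUENCE or len(vb) != 2 or vb[0][0] != OID:
            raise BerError("malformed varbind")
        varbinds.append((vb[0][1], vb[1][0], vb[1][1]))  # (raw OID, value tag, value)
    return {"request_id": rid, "error_status": status, "error_index": index, "varbinds": varbinds}

# Constructed reply (sysDescr.0 = "Test agent"); OVERSIZED rewrites its outer length to ~4 GB.
SAMPLE_RESPONSE = bytes.fromhex(
    "303002010004067075626c6963a223020101020100020100"
    "3018301606082b06010201010100040a54657374206167656e74")
OVERSIZED_RESPONSE = bytes([SEQUENCE, 0x84, 0xFF, 0xFF, 0xFF, 0xFF]) + SAMPLE_RESPONSE[2:]

def decodes_safely(msg):  # True if msg parses, False if the strict decoder rejected it
    try:
        return bool(parse_get_response(msg))
    except BerError:
        return False

def probe(host, community="public", oid="1.3.6.1.2.1.1.1.0", port=161, timeout=2.0):
    """Parsed reply to one GetRequest, or None if nothing answers (agent disabled/filtered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, oid, 0x1234), (host, port))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_get_response(data)
```

Calling probe("192.0.2.10") returns None when nothing answers within the timeout, which is the result to expect once an agent has been disabled or filtered; a dictionary back means the agent is still reachable with that community string. A None result says nothing about other community strings, SNMPv2c/v3 listeners or other interfaces, so run the check from each network segment the access controls are meant to cover.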
F5 Networks
     All versions of BIG-IP, 3-DNS, GLOBAL-SITE and EDGE-FX are vulnerable if the SNMP agent 
is enabled. Most versions have the SNMP agent enabled by default. Patches are available for 
all affected versions.
     SEE-IT is not affected by this vulnerability.
     If a customer is unable to install the patch, the SNMP service may be disabled. Below 
are instructions for obtaining patches and for disabling the SNMP service for each 
vulnerable product.
     BIG-IP
     A patch exists to correct this problem. Please see
     http://tech.f5.com/home/solutions/bigip/security/sol1622.html.
     Alternatively, you can simply disable the SNMP service using the instructions below:
       1. Log in to the BIG-IP Configuration utility.
       2. Navigate to the SNMP section. For version 4.0 and above this is a tab under System 
Administration.
       3. De-select the Enable box at the top of the screen and click the Apply button.
     This will disable the SNMP service on BIG-IP.
     3-DNS
     A patch exists to correct this problem. Please see
     http://tech.f5.com/home/solutions/3dns/security/sol1624.html.
     Alternatively, you can simply disable the SNMP service using the instructions below:
       1. Log in to the 3-DNS Configuration utility.
       2. Navigate to the SNMP section. This is the tab under 3-DNS Sync .
       3. De-select the Enable box at the top of the screen and click the Apply button.
       4. Log in to the Command Line Interface of the 3-DNS.
       5. Run the following command:
           kill -9 `ps -ax | grep '[s]nmpd' | awk '{print $1}'`
     This will disable the SNMP service on 3-DNS.
     GLOBAL-SITE
     A patch exists to correct this problem. Please see
     http://tech.f5.com/home/solutions/globalsite/security/sol1626.html.
     Alternatively, you can simply disable the SNMP service using the instructions below:
     GLOBAL-SITE version 2.2
     To disable the SNMP agent for GLOBAL-SITE version 2.2, type the following command from 
the command prompt:
     ITCMconsole service snmpd stop
     This command stops the snmpd agent.
     ITCMconsole service snmpd disable
     This command disables snmpd so it does not start again at the next boot.
     To verify the status of snmpd, enter the following command:
     ITCMconsole show snmpd status
     GLOBAL-SITE version 2.1PTF-01 and earlier:
     On versions 2.1 PTF-01 and earlier, snmpd is not running by default so the GLOBAL-SITE 
Controller should not be affected. However, if you have enabled snmpd manually, you should 
disable it.
     EDGE-FX
     A patch exists to correct this problem. Please see
     http://tech.f5.com/home/solutions/edgefx/security/sol1625.html.
     Alternatively, you can simply disable the SNMP service using the instructions below:
     There are three SNMP daemons running on the cache. By default, the EDGE-FX Cache runs 
the snmpd, the edgefxsnmpd, and Inktomi's snmpdm.
     Disabling snmpd and edgefxsnmpd
     To disable and stop the SNMP agents, you should use the ITCMconsole. Type the following 
commands from the command prompt:
     ITCMconsole service snmpd stop
     This command stops the snmpd agent.
     ITCMconsole service snmpd disable
     This command disables snmpd so it does not start again at the next boot.
     To verify the status of snmpd, enter the following command:
     ITCMconsole show snmpd status
     Once the snmpd and edgefxsnmpd daemons are disabled, no other snmp traffic will be 
accepted.
     Disabling snmpdm
     The snmpdm agent is also enabled by default. This Inktomi-specific agent can be 
disabled or killed. In order to avoid traffic server anomalies, you should not kill this 
daemon.
     According to CERT® Advisory CA-2002-03 :
     "Inktomi Corporation does not believe our [Inktomi] CDS product is vulnerable. 
Vulnerability would stem from the use of SNMP Research software in the CDS product. However, 
SNMP Research has stated that their product Emanate, versions 15.x and higher, is not 
vulnerable. As Inktomi's CDS uses Emanate 15.3, we [Inktomi] conclude that CDS is not 
vulnerable."
     Inktomi's CDS contains the same Traffic Server that EDGE-FX utilizes, which contains 
the Emanate 15.3 daemon (snmpdm).
     If you still want to kill this SNMP agent, you can use the Configuration utility or the 
command line.
     To disable the SNMP agent from the Configuration utility:
       1. From your browser, access the Configuration utility (refer to Accessing the 
Configuration utility).
       2. On the Configure tab, click the Server button.
       3. Scroll to the SNMP section of the Server Basics page.
       4. Click the SNMP Agent Off radio button.
       5. Click the Make These Changes button.
     To disable the SNMP agent manually:
       1. In a text editor, open the records.config file located in the EDGE-FX Cache's
          /config/traffic_server/config directory.
       2. Edit the following variable:
          proxy.config.snmp.master_agent_enabled
          Set this variable to 0 to disable SNMP on the EDGE-FX Cache node.
       3. Save and close the records.config file.
       4. Make the /usr/local/cache/bin directory the working directory and run the 
following command to apply the configuration changes.
          ./traffic_line -x
          Note: you can also use the following command to restart the traffic_server: start_traffic_server.
     SEE-IT
     It has been determined that SEE-IT is not vulnerable.
Foundry Networks, Inc.
     According to testing completed by Foundry engineering using
     the stress tools recommended by CERT, we determined that NO Foundry
     devices are affected by any known SNMP security issue. All of Foundry's
     products use the same SNMP engine with varying SNMP versions (v1, v2c,
     and v3), and all SNMP versions have been tested.
     We are extremely appreciative to CERT's help during our testing period,
     and would like to wholeheartedly thank everyone involved.
FreeBSD
     FreeBSD does not include any SNMP software by default, and so is not vulnerable. 
However, the FreeBSD Ports Collection contains the UCD-SNMP / NET-SNMP package. Package 
versions prior to ucd-snmp-4.2.3 are vulnerable. The upcoming FreeBSD 4.5 release will ship 
the corrected version of the UCD-SNMP / NET-SNMP package. In addition, the corrected version 
of the packages is available from the FreeBSD mirrors.
     FreeBSD has issued the following FreeBSD Security Advisory regarding the UCD-SNMP / NET-SNMP package:
          ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:11.snmp.asc.
Hewlett-Packard Company
     HP Support Information Digests
     o  Security Bulletin Digest Split
       ------------------------------
       The security bulletins digest has been split into multiple digests
       based on the operating system (HP-UX, MPE/iX, and HP Secure OS
       Software for Linux).  You will continue to receive all security
       bulletin digests unless you choose to update your subscriptions.
       To update your subscriptions, use your browser to access the
       IT Resource Center on the World Wide Web at:
         http://www.itresourcecenter.hp.com/
        Under the Maintenance and Support Menu, click on the "more..." link.
       Then use the 'login' link at the left side of the screen to login
       using your IT Resource Center User ID and Password.
        Under the notifications section (near the bottom of the page),
        select Support Information Digests.
       To subscribe or unsubscribe to a specific security bulletin digest,
       select or unselect the checkbox beside it. Then click the
       "Update Subscriptions" button at the bottom of the page.
     o  IT Resource Center World Wide Web Service
       ---------------------------------------------------
       If you subscribed through the IT Resource Center and would
       like to be REMOVED from this mailing list, access the
       IT Resource Center on the World Wide Web at:
         http://www.itresourcecenter.hp.com/
       Login using your IT Resource Center User ID and Password.
       Then select Support Information Digests (located under
       Maintenance and Support).  You may then unsubscribe from the
       appropriate digest.
     ===============================================================================
     Digest Name:  daily HP-UX security bulletins digest
        Created:  Thu Feb 14 13:00:06 PST 2002
     Table of Contents:
     Document ID      Title
     ---------------  -----------
     HPSBUX0202-184   Sec. Vulnerability in SNMP (rev. 1)
     The documents are listed below.
     -------------------------------------------------------------------------------
     Document ID:  HPSBUX0202-184
     Date Loaded:  20020214
          Title:  Sec. Vulnerability in SNMP (rev. 1)
     TEXT
     -----------------------------------------------------------------
     **REVISED 01**  HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #0184,
       Originally issued: 12 Feb. 2002
       Last revised:  13 Feb. 2002
     -----------------------------------------------------------------
     The information in the following Security Bulletin should be acted
     upon as soon as possible.  Hewlett-Packard Company will not be
     liable for any consequences to any customer resulting from customer's
     failure to fully implement instructions in this Security Bulletin as
     soon as possible.
     ------------------------------------------------------------------
     PROBLEM:  Vulnerabilities in SNMP request and trap handling.
     PLATFORM: HP 9000 Series 700 and Series 800 running HP-UX
              releases 10.X and 11.X
     ** Revised 01**
              HP Procurve switches
              JetDirect Firmware (older versions only)
     DAMAGE:   Possible denial-of-service, service interruptions,
              unauthorized access.
     SOLUTION: Apply patches or implement workarounds.
             For HP-UX releases:
            PHSS_26137    s700_800  HP-UX 10.20 OV EMANATE14.2 Agent
            PHSS_26138    s700_800  HP-UX 11.X  OV EMANATE14.2 Agent
            PSOV_03087    Solaris 2.X      EMANATE Release 14.2
     MANUAL ACTIONS: Upgrade or workaround action per below.
     AVAILABILITY:  Patches for some affected systems are available now.
     CHANGE SUMMARY: Rev.01 affected HP Procurve scope expanded,
                           plus Procurve patch availability added.
                           NNM ovtrapd patch availability added.
     ------------------------------------------------------------------
     A. Background
        CERT has issued an advisory:
        CERT Advisory CA-2002-03 Multiple Vulnerabilities in Many
        Implementations of the Simple Network Management Protocol
        (SNMPv1) containing information about the vulnerabilities.
        Hewlett-Packard Company will revise this bulletin as new
        information becomes available.
        ---------------------------------------------------------
        hp Procurve switches
        ---------------------------------------------------------
     **REVISED 01**
        We are still in the process of determining which other HP
        Procurve products are subject to these vulnerabilities.
        We have created fixes for products below which will resolve
        these issues.  See Section C below.
        Customers can download these patches in the form of software
        upgrades at:
                  http://www.hp.com/rnd/software/switches.htm
                           Product                   Fix revision number
           ----------------------------------       --------------------
           HP Procurve Switch 2524   (J4813A)        F.04.08 or greater
           HP Procurve Switch 2512   (J4812A)        F.04.08 or greater
           HP Procurve Switch 4108GL (J4865A)        G.04.05 or greater
           HP Procurve Switch 4108GL-bundle (J4861A) G.04.05 or greater
        Not all HP Procurve products have completed testing, nor are
        they listed here, and may or may not have these vulnerabilities.
        This bulletin will again be updated as new information becomes
        available.
        ---------------------------------------------------------
        NNM  (Network Node Manager)
        ---------------------------------------------------------
     **REVISED 01**
        Some problems found in NNM product were related to trap
        handling.  Patches are available.  See Section C below.
        ---------------------------------------------------------
        JetDirect Firmware (older versions only)
        ---------------------------------------------------------
        ONLY some older versions of JetDirect Firmware are
        vulnerable to some of the issues.  The older firmware
        can be upgraded in most cases, see list below.
        JetDirect Firmware Version      State
         ==========================     =====
                X.08.32 and higher      NOT Vulnerable
                X.21.00 and higher      NOT Vulnerable
            where X represents an alpha character for your device.
        JetDirect Product Numbers that can be freely upgraded
        to X.08.32 or X.21.00 or higher firmware.
        EIO (Peripherals Laserjet 4000, 5000, 8000, etc...)
        J3110A 10T
        J3111A 10T/10B2/LocalTalk
        J3112A Token Ring (discontinued)
        J3113A 10/100 (discontinued)
        J4169A 10/100
        J4167A Token Ring
        MIO (Peripherals LaserJet 4, 4si, 5si, etc...)
        J2550A/B 10T (discontinued)
        J2552A/B 10T/10Base2/LocalTalk (discontinued)
        J2555A/B Token Ring (discontinued)
        J4100A 10/100
        J4105A Token Ring
        J4106A 10T
        External Print Servers
        J2591A EX+ (discontinued)
        J2593A EX+3 10T/10B2 (discontinued)
        J2594A EX+3 Token Ring (discontinued)
        J3263A 300X 10/100
        J3264A 500X Token Ring
        J3265A 500X 10/100
         ----------------------------------------------------------
         HP-UX Systems running snmpd or OPENVIEW
         ----------------------------------------------------------
         Any HP-UX 10.X or 11.X system running snmpd or snmpdm is
         vulnerable.  To determine if your HP-UX system has snmpd
         or snmpdm installed:
           swlist -l file | grep snmpd
     B. Fixing the problem
       Install the appropriate patch or firmware revision or work
       around problem as detailed below.
     C. Recommended solution
        ---------------------------------------------------------
        hp Procurve switches
        ---------------------------------------------------------
     **REVISED 01**
        Customers can download these patches in the form of firmware
        upgrades at:
                  http://www.hp.com/rnd/software/switches.htm
                 Product                         Fix revision number
        -----------------------------------     -------------------
        HP Procurve Switch 2524    (J4813A)       F.04.08 or greater
        HP Procurve Switch 2512    (J4812A)       F.04.08 or greater
        HP Procurve Switch 4108GL  (J4865A)       G.04.05 or greater
        HP Procurve Switch 4108GL-bundle (J4861A) G.04.05 or greater
        ---------------------------------------------------------
        NNM  (Network Node Manager)
        ---------------------------------------------------------
     **REVISED 01**
         Problems found in the NNM product (related only to trap
         handling) are addressed in patches available at:
     http://support.openview.hp.com/cpe/patches/nnm/6.2/s700_800_11.X.jsp
         PHSS_26286    s700_800  HP-UX  10.20  ovtrapd large trap fix
         PHSS_26287    s700_800  HP-UX  11.X   ovtrapd large trap fix
         PSOV_03100    Solaris 2.X             ovtrapd large trap fix
         NNM_00857     NT 4.X/Windows 2000     ovtrapd large trap fix
Next To :: Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP) - Part 2
Copyright ©2008 www.Security.Fx-Vista.Com | All rights reserved