Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP) - Part 2

        ---------------------------------------------------------
        MC/ServiceGuard
        ---------------------------------------------------------
        Concerning the impact of disabling the SNMP agent on nodes
        in MC/ServiceGuard or ServiceGuard OPS Edition clusters:
        If SNMP is disabled on nodes running in MC/ServiceGuard
        or ServiceGuard OPS Edition clusters, it will no longer be
        possible for cluster monitoring applications that use the
        cluster SNMP MIB to obtain the correct status for the cluster.
        Examples of such applications are ClusterView, ClusterView Plus
        or EMS High Availability Monitors, which all receive
        cluster-related SNMP information from the cluster nodes.
        This means that these applications will no longer display the
        correct status for the cluster, including the cluster starting
        or halting, nodes leaving or joining the cluster, and application
        packages starting up or halting in the cluster.
          NOTE:  All supported versions of MC/ServiceGuard as well as
                 ServiceGuard OPS Edition are affected by this issue.
                 The ServiceGuard Manager product does not use the cluster
                 SNMP MIB, and therefore is _NOT_ affected by the
                 disabling of SNMP on cluster nodes.
        ---------------------------------------------------------
        Event Monitoring System  (EMS)
        ---------------------------------------------------------
        It should also be noted that if an MC/ServiceGuard or ServiceGuard
        OPS Edition application package has package resources defined
        that use EMS High Availability Monitors, then those package
        resources will no longer contain the current status for the
        cluster.  It may be necessary to remove the definition for these
        package resources in order to allow continued operation of the
        package after SNMP has been disabled.
        ---------------------------------------------------------
        JetDirect Firmware (older versions only)
        ---------------------------------------------------------
        Update firmware to X.08.32(or higher) or  X.21.00(or higher)
        as applicable.
        ----------------------------------------------------------
        HP-UX Systems running snmpd or OPENVIEW
        ----------------------------------------------------------
        The following patches are available now:
         PHSS_26137    s700_800  HP-UX 10.20 OV EMANATE14.2 Agent$
         PHSS_26138    s700_800  HP-UX 11.X  OV EMANATE14.2 Agent$
         PSOV_03087    Solaris 2.X      EMANATE Release 14.2 $
        All three patches are available from:
         http://support.openview.hp.com/cpe/patches/
     **Revised 01**
     -->> In addition PHSS_26137 and PHSS_26138 are now available
         from:
               http://itrc.hp.com
       ============================================================
       NOTE: The patches are labeled OV (Open View).  However, the
       patches are also applicable to systems that are _NOT_
       running Open View.
       ============================================================
        Workaround for HP-UX Systems:
        If a patch is not available for your platform or you cannot
        install an available patch, snmpd and snmpdm can be disabled
        by removing their entries from /etc/services and removing the
        execute permissions from /usr/sbin/snmpd and /usr/sbin/snmpdm.
     D. To subscribe to automatically receive future NEW HP Security
       Bulletins from the HP IT Resource Center via electronic
       mail, do the following:
       Use your browser to get to the HP IT Resource Center page
       at:
           http://itrc.hp.com
       Use the 'Login' tab at the left side of the screen to login
       using your ID and password.  Use your existing login or the
       "Register" button at the left to create a login, in order to
       gain access to many areas of the ITRC.  Remember to save the
       User ID assigned to you, and your password.
       In the left most frame select "Maintenance and Support".
       Under the "Notifications" section (near the bottom of
       the page), select "Support Information Digests".
       To -subscribe- to future HP Security Bulletins or other
       Technical Digests, click the check box (in the left column)
       for the appropriate digest and then click the "Update
       Subscriptions" button at the bottom of the page.
        or
        To -review- bulletins already released, select the link
        (in the middle column) "Search Technical Knowledge
        Database".
        To -gain access- to the Security Patch Matrix, or the
        "The Security Bulletins Archive" select the link for
        "The Security Bulletins Archive" (near the bottom of
        the page).  Once in the archive the third link is
        to the current Security Patch Matrix. Updated daily, this
        matrix categorizes security patches by platform/OS release,
        and by bulletin topic.  Security Patch Check completely
        automates the process of reviewing the patch matrix for
        11.XX systems.
        For information on the Security Patch Check tool, see:
        http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA
        The security patch matrix is also available via anonymous
        ftp:
        ftp.itrc.hp.com:~ftp/export/patches/hp-ux_patch_matrix
        On the "Support Information Digest Main" page:
        click on the "HP Security Bulletin Archive".
     E. To report new security vulnerabilities, send email to
        security-alert@hp.com
       Please encrypt any exploit information using the
       security-alert PGP key, available from your local key
       server, or by sending a message with a -subject- (not body)
       of 'get key' (no quotes) to security-alert@hp.com.
       Permission is granted for copying and circulating this
       Bulletin to Hewlett-Packard (HP) customers (or the Internet
       community) for the purpose of alerting them to problems,
       if and only if, the Bulletin is not edited or changed in
       any way, is attributed to HP, and provided such reproduction
       and/or distribution is performed for non-commercial purposes.
       Any other use of this information is prohibited. HP is not
       liable for any misuse of this information by any third party.
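
A way to verify that the HP-UX workaround above (entries removed from /etc/services, execute permission removed from /usr/sbin/snmpd and /usr/sbin/snmpdm) is actually in place, as an added example that is not part of HP's bulletin. The function name, the ROOT prefix argument and the rule used to recognise the agents' entries (active service names beginning with "snmp", or ports 161/162) are assumptions.

```shell
#!/bin/sh
# Added example (not HP's code): audit the snmpd/snmpdm workaround.
#
# check_snmp_workaround ROOT
#   ROOT is a filesystem prefix: "" for the running system, or the mount
#   point of an image / a constructed test tree.
#   Prints one line per finding and returns 0 when the workaround is fully
#   applied, 1 otherwise.
check_snmp_workaround() {
    root=$1
    findings=0

    services="$root/etc/services"
    if [ -r "$services" ]; then
        # Assumption: the agents' entries are the uncommented lines whose
        # service name starts with "snmp" or whose port field is 161 or 162.
        active=$(awk '
            { sub(/#.*/, "") }          # strip comments, fields are re-split
            NF < 2 { next }             # blank or commented-out line
            $1 ~ /^snmp/ || $2 ~ /^16[12]\// { print $1 " " $2 }
        ' "$services")
        if [ -n "$active" ]; then
            echo "$active" | while read -r name port; do
                echo "FINDING: $services still lists $name ($port)"
            done
            findings=1
        fi
    else
        echo "NOTE: $services not readable, entry check skipped"
    fi

    for bin in /usr/sbin/snmpd /usr/sbin/snmpdm; do
        path="$root$bin"
        # A missing binary cannot be started, so it is not a finding.
        [ -e "$path" ] || continue
        # Look at the mode bits themselves rather than "test -x", which
        # answers for the calling user only. Any of u+x, g+x, o+x counts.
        hit=$(find "$path" -prune \
                \( -perm -100 -o -perm -010 -o -perm -001 \))
        if [ -n "$hit" ]; then
            echo "FINDING: $path is still executable"
            findings=1
        fi
    done

    return $findings
}

# Usage on the host itself:   check_snmp_workaround ""
```

The check only inspects files; an agent that was already running before the permissions were removed keeps running until it is stopped.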
Hirschmann Electronics GmbH & Co. KG
     Hirschmann Electronics GmbH & Co. KG supplies a broad range of networking products, 
some of which are affected by the SNMP vulnerabilities identified by CERT Coordination 
Center. The manner in which they are affected and the actions required to avoid being 
impacted by exploitation of these vulnerabilities, vary from product to product. Hirschmann 
customers may contact our Competence Center (phone +49-7127-14-1538, email: 
ans-support@nt.hirschmann.de) for additional information, especially regarding availability of 
latest firmware releases addressing the SNMP vulnerabilities.
IBM Corporation
     Based upon the results of running the test suites we have determined
     that our version of SNMP shipped with AIX is NOT vulnerable.
     The AIX version of SNMP was patched under APAR # IY17630
     for AIX 4.3.3 and under APAR # IY20943 for AIX 5.1.
     Customers should apply the appropriate APAR to their systems
     if they have not already done so. To remain consistent with IBM's
     standing agreement with our customers who use zOS and OS/400,
     IBM asks that these customers contact IBM Service for information
     regarding this vulnerability.
Inktomi Corporation
     Inktomi Corporation does not believe our CDS product is vulnerable. Vulnerability would 
stem from the use of SNMP Research software in the CDS product. However, SNMP Research has 
stated that their product Emanate, versions 15.x and higher, is not vulnerable. As Inktomi's 
CDS uses Emanate 15.3, we conclude that CDS is not vulnerable.
Innerdive Solutions, LLC
     Innerdive Solutions, LLC has two SNMP based products:
     1. The "SNMP MIB Scout" (http://www.innerdive.com/products/mibscout/)
     2. The "Router IP Console" (http://www.innerdive.com/products/ric/)
     The "SNMP MIB Scout" is not vulnerable to either bug.
     The "Router IP Console" releases prior to 3.3.0.407 are vulnerable. The release of 
"Router IP Console" correcting the behavior outlined in OUSPG#0100 is 3.3.0.407 and is 
already available on our site. Also, we will notify all our customers about this new release 
no later than March 5, 2002.
iTouch Communications
     iTouch Communications has confirmed that the following tests failed
     (software crash) in the run-time image NEMC_IR.SYS version 3.0 and earlier:
     1. APP tests, 10545 and 10549
     2. ENC tests 878,7643,7686,7687,7688,13358 & 13486
     These issues were fixed in 3.0s1 of  NEMC_IR.SYS and it is now fully
     compliant with the SNMP vulnerability CERT tests.
     Customers requesting software updates or more information may
     contact iTouch Communications at 800-435-7997 (domestic) and
     978-952-4888 (International) and select the Customer Service option.
Juniper Networks
     This is in reference to your notification regarding CAN-2002-0012 and CAN-2002-0013. 
Juniper Networks has reproduced this behavior and coded a software fix. The fix will be 
included in all releases of JUNOS Internet software built after January 5, 2002. Customers 
with current support contracts can download new software with the fix from Juniper's web 
site at http://www.juniper.net
     Note: The behavior described in CAN-2002-0012 and CAN-2002-0013 can only be reproduced 
in JUNOS Internet software if "snmp traceoptions flag pdu" is enabled. Tracing of SNMP PDUs 
is generally not enabled in production routers.
Lantronix, Inc.
     Lantronix is committed to resolving security issues with our products. 
The SNMP security bug you reported has been fixed in LRS firmware version B1.3/611(020123).
Lexmark International, Inc.
     Lexmark International has tested the current MarkNet network adapters
     and current Lexmark Utilities (MarkVision Professional) according to
     recommendations issued by CERT.   Lexmark Utilities are not
     vulnerable.  Below is a list of tested MarkNet devices and
     information on obtaining updated network firmware when necessary:
     Printer/Network Adapter type            Fix Revision (if applicable)
     ------------------------------------    ----------------------------
     Lexmark E322n Laser Printer             4.20.14 or greater
     Lexmark T520n Laser Printer             Not vulnerable
     Lexmark T522n Laser Printer             Not vulnerable
     Lexmark T620n Laser Printer             Not vulnerable
     Lexmark T622n Laser Printer             Not vulnerable
     Lexmark Optra W810n Laser Printer       3.20.14 or greater
     Lexmark W820n Laser Printer             Not vulnerable
     Lexmark Optra C710nSBE Laser Printer    3.20.14 or greater
     Lexmark Optra C710n Laser Printer       3.20.14 or greater
     Lexmark C720n Color Laser Printer       3.20.14 or greater
     Lexmark C720dn Color Laser Printer      3.20.14 or greater
     Lexmark C750n Color Printer             Not vulnerable
     Lexmark C750dn Color Printer            Not vulnerable
     Lexmark C910n Color Printer             Not vulnerable
     Lexmark C910dn Color Printer            Not vulnerable
     Lexmark Optra Color 45n                 3.20.14 or greater
     Lexmark Optra T610n Laser Printer       3.20.14 or greater
     MarkNet N2001e                          3.20.14 or greater
     MarkNet N2000t                          3.20.14 or greater
     MarkNet N2002e                          3.20.14 or greater
     MarkNet N2003fx-MTRJ                    3.20.14 or greater
     MarkNet N2003fx-SC                      3.20.14 or greater
     MarkNet N2401e                          5.20.14 or greater
     MarkNet N2501e                          5.20.14 or greater
     MarkNet X2011e                          4.20.14 or greater
     MarkNet X2012e                          4.20.14 or greater
     MarkNet X2030t                          4.20.14 or greater
     MarkNet X2031e                          4.20.14 or greater
     MarkNet XI                              4.20.14 or greater
     MarkNet XP                              4.20.14 or greater
     MarkNet Pro network family              2.10.193 or greater
     MarkNet S network family                1.10.193 or greater
     Lexmark X820e MFP                       Not vulnerable
     Lexmark X7500 MFP                       Not vulnerable
     None of the Lexmark network adapters are vulnerable once the
     community name is changed.  If unable to update to one of the above
     firmware levels, Lexmark recommends changing the community name.
     Firmware updates are available at:
     http://support.lexmark.com/en/cert_ca-2002-03.html
     For questions related to these or other Lexmark devices please
     contact 1-800-LEXMARK.
Lotus Development Corporation
     Lotus Software evaluated the Lotus Domino Server for vulnerabilities using the test 
suite materials provided by OUSPG.
     This problem does not affect default installations of the Domino Server. However, SNMP 
agents can be installed from the CD to provide SNMP services for the Domino Server (these 
are located in the /apps/sysmgmt/agents directory). The optional platform specific master 
and encapsulator agents included with the Lotus Domino SNMP Agents for HP-UX and Solaris 
have been found to be vulnerable. For those platforms, customers should upgrade to version 
R5.0.1a of the Lotus Domino SNMP Agents, available for download from the Lotus Knowledge 
Base on the IBM Support Web Site (http://www.ibm.com/software/lotus/support/). Please 
refer to Document #191059, "Lotus Domino SNMP Agents R5.0.1a", also in the Lotus Knowledge 
Base, for more details.
LOGEC Systems Inc
     The products from LOGEC Systems are exposed to SNMP only via HP OpenView. We do not 
have an implementation of SNMP ourselves. As such, there is nothing in our products that 
would be an issue with this alert.
Lucent
     Lucent is aware of reports that there is a vulnerability in certain implementations of 
the SNMP (Simple Network Management Protocol) code that is used in data switches and other 
hardware throughout the telecom industry.
     As soon as we were notified by CERT, we began assessing our product portfolio 
and notifying customers with products that might be affected.
     Our 5ESS switch and most of our optical portfolio were not affected. Our core and edge 
ATM switches and most of our edge access products are affected, but we have developed, 
tested, and deployed fixes for many of those products to our customers. Fixes for the rest 
of the affected product portfolio will be available shortly.
     We consider the security and reliability of our customers' networks to be one of our 
critical measures of success. We take every reasonable measure to ensure their satisfaction.
     In addition, we are working with customers on ways to further enhance the security they 
have in place today.
Marconi
     Marconi supplies a broad range of telecommunications and related products, some of 
which are affected by the  SNMP vulnerabilities identified here. The manner in which they 
are affected and the actions required (if any) to avoid being impacted by exploitation of 
these vulnerabilities, vary from product to product. Those Marconi customers with support 
entitlement may contact the appropriate Technical Assistance Center (TAC) for additional 
information. Those not under support entitlement may contact their sales representative.
MG-SOFT Corporation
     MG-SOFT is currently performing detailed verification of the SNMP (SNMPv1, SNMPv2c and 
SNMPv3) engine implementation.
     So far we have noticed that our WinSNMP implementation, the core of all our SNMP 
products, is vulnerable only in one case. We will post fixed versions of all affected 
MG-SOFT's SNMP products in a few days, on our web site at http://www.mg-soft.com/.
Micromuse
     Micromuse has published the following response to this advisory :
            http://www.micromuse.com/supportgate/certadvisoryca2002-03.html
     This will be continually updated.
Microsoft Corporation
     The following documents regarding this vulnerability are available from Microsoft:
          http://www.microsoft.com/technet/security/bulletin/MS02-006.asp
Multinet
     MultiNet and TCPware customers should contact Process Software to check for the 
availability of patches for this issue. A couple of minor problems were found and fixed, but 
there is no security risk related to the SNMP code included with either product.
NET-SNMP
     All ucd-snmp versions prior to 4.2.2 are susceptible to this vulnerability and users of 
versions prior to version 4.2.2 are encouraged to upgrade their software as soon as possible 
(http://www.net-snmp.org/download/). Version 4.2.2 and higher are not susceptible.
Netaphor
     NETAPHOR SOFTWARE INC. is the creator of Cyberons for Java -- SNMP Manager Toolkit and 
Cyberons for Java -- NMS Application Toolkit, two Java based products that may be affected 
by the SNMP vulnerabilities identified here. The manner in which they are affected and the 
actions required (if any) to avoid being impacted by exploitation of these vulnerabilities, 
may be obtained by contacting Netaphor via email at info@netaphor.com. Customers with annual 
support may contact support@netaphor.com directly. Those not under support entitlement may 
contact Netaphor sales: sales@netaphor.com or (949) 470 7955 in USA.
NetBSD
     NetBSD does not ship with any SNMP tools in our 'base' releases. We do provide optional 
packages which  provide various support for SNMP. These packages are not installed by 
default, nor are they currently  provided as an install option by the operating system 
installation tools. A system administrator/end-user has to manually install this with our 
package management tools. These SNMP packages include:
        * netsaint-plugin-snmp-1.2.8.4 (SNMP monitoring plug-in for netsaint)
        * p5-Net-SNMP-3.60 (perl5 module for SNMP queries)
        * p5-SNMP-3.1.0 (Perl5 module for interfacing to the UCD SNMP library)
        * p5-SNMP_Session-0.83 (perl5 module providing rudimentary access to remote SNMP agents)
        * ucd-snmp-4.2.1 (Extensible SNMP implementation) (conflicts with ucd-snmp-4.1.2)
        * ucd-snmp-4.1.2 (Extensible SNMP implementation) (conflicts with ucd-snmp-4.2.1)
     We do provide a software monitoring mechanism called 'audit-packages', which allows us 
to highlight if a package with a range of versions has a potential vulnerability, and 
recommends that the end-user upgrade the packages in question.
Netscape Communications Corporation
     Netscape continues to be committed to maintaining a high level of quality in our 
software and service offerings. Part of this commitment includes prompt response to security 
issues discovered by organizations such as the CERT® Coordination Center.
     According to a recent CERT/CC advisory, The Oulu University Secure Programming Group 
(OUSPG) has reported  numerous vulnerabilities in multiple vendor SNMPv1 implementations. 
These vulnerabilities may allow unauthorized privileged access, denial of service attacks, 
or unstable behavior.
     We have carefully examined the reported findings, performing the tests suggested by the 
OUSPG to determine  whether Netscape server products were subject to these vulnerabilities. 
It was determined that several products fell into this category. As a result, we have 
created fixes which will resolve the issues, and these fixes will appear in future releases 
of our product line. To Netscape's knowledge, there are no known instances of these 
vulnerabilities being exploited and no customers have been affected to date.
     When such security warnings are issued, Netscape has committed to - and will continue 
to commit to - resolving these issues in a prompt and timely fashion, ensuring that our 
customers receive products of the highest quality and security.
NetScreen
     In response to CERT Advisory CA-2002-03 "Multiple Vulnerabilities in Many 
Implementations of the Simple Network Management Protocol (SNMP)" NetScreen began 
reproducing the tests and evaluating our vulnerability to the various problems reported by 
CERT and OUSPG.
     NetScreen's Global PRO and Global PRO Express do not have an SNMP agent or manager and 
are not sensitive to the issues raised in VU#107186 (CAN-2002-0012), "Multiple 
vulnerabilities in SNMP v1 trap handling". No change in behavior or operation is required.
     NetScreen has tested selected security appliances and ScreenOS software versions for 
the issues raised in  VU#854306 (CAN-2002-0013) "Multiple vulnerabilities in SNMP v1 request 
handling", and has determined that the SNMP agent within all versions of ScreenOS is 
sensitive to certain of the tests described by CERT and OUSPG. NetScreen is continuing to 
test to confirm the full extent of platform and ScreenOS versions affected. These 
vulnerabilities can in certain circumstances be exploited to produce a denial of service.
     These vulnerabilities cannot be used to gain management control of the device.
     NetScreen is working as quickly as possible to develop and test maintenance releases of 
ScreenOS software that address these vulnerabilities. All NetScreen security appliances and 
systems shipped from NetScreen after Wednesday 13 February 2002 have software pre-installed 
at the factory that addresses these vulnerabilities.
     For more information please see
          http://www.netscreen.com/support/snmp.html
Network Associates
     PGP is not affected, impacted, or otherwise related to this VU#.
Network Computing Technologies
     Network Computing Technologies has reviewed the information regarding SNMP 
vulnerabilities and is currently investigating the impact to our products.
Nokia
     This vulnerability is known to affect IPSO versions 3.1.3, 3.3, 3.3.1, 3.4, and 3.4.1. 
Patches are currently  available for versions 3.3, 3.3.1, 3.4 and 3.4.1 for download from 
the Nokia website. In addition, version 3.4.2 shipped with the patch incorporated, and the 
necessary fix will be included in all future releases of IPSO.
     We recommend customers install the patch immediately or follow the recommended 
precautions below to avoid any potential exploit.
     If you are not using SNMP services, including Traps, simply disable the SNMP daemon to 
completely eliminate the potential vulnerability.
     If you are using only SNMP Traps and running Check Point FireWall-1, create a firewall 
policy to disallow incoming SNMP messages on all appropriate interfaces. Traps will continue 
to work normally.
Nortel Networks
     Nortel Networks products not affected by the CERT SNMP Advisory
     February 18, 2002
     Enclosed is a current listing of Nortel Networks products not
     impacted by the potential vulnerabilities in the Simple Network
     Management Protocol (SNMP) as outlined by the CERT advisory
     (CA-2002-003).  We are continuing to test and evaluate our remaining
     products and will be providing updates to this document. Additional
     products may be added to this list as further product testing is
     completed.
     ATM/IP PRODUCTS
     Intelligent Internet
     Alteon Content Manager (ACM)
     DPN-100 Portfolio
     NetID 4.X
     Optivity Policy Services 1.1
     Preside Magellan Data Provider (MDP)
     Java Device Manager (JDM)
     Optivity Network Configuration System CS 3.x (NCS)
     Optivity Switch Manager (OSM)
     Alteon iSD Secure Socket Layer Accelerator (SSL)
     Alteon 180 and ACE Director Web Switches (WebOS) Releases 8.x and 9.0
     Carrier Voice over Packet
     Succession Multi-Service Gateway 4000 (MG4K)
     ENTERPRISE
     Meridian Integrated Applications (MIxxx)
     Meridian Integrated Call Assistant (MICA)
     Meridian Integrated Conference Bridge (MICB)
     Meridian Integrated Voice Services (MIVS)
     Meridian Integrated Personal Call Director (MIPCD)
     DMS (Enhanced) Intelligent Peripheral Equipment (IPE/EIPE)
     DMS Link Peripheral Processor/Ethernet Interface Unit (LPP/EIU)
     Digital Telephones
            M3900 Series
            M2000 Series
            M3000 Executive Telephone
     Analog Telephones
            M8000/M9000 series
            500/2500 type
     Fibre Remote products
     LONG HAUL OPTICAL
     OPTera Connect DX Connection Manager
     OPTera Connect HDX Connection Manager
     OPTera Connect PX Connection Manager
     S/DMS TransportNode OC-192
     S/DMS TransportNode OC-48
     S/DMS TransportNode OC-12 TBM
     S/DMS TransportNode TN-16X
     S/DMS TransportNode TN-64X
     Long Haul Optical Management Products
     These software products either do not use an SNMP agent or have
     passed the CERT recommended test suite. The third party compute
     platforms on which these products run may be equipped with an SNMP
     agent software, but the server platform environment is controlled by
     the customer.  Nortel Networks recommends customers contact their
     compute platform vendors for recommended corrective action.
     Preside Site Manager
     Preside Application Platform
     Preside Trail Manager
     Preside Multiterabit Element Manager
     Preside Optical Applications
     Preside Configurable Surveillance Adapter
     Preside Configurable Trail Adapter
     Preside IP Device Adapter
     Metro Optical
     OPTera Metro 3300/3400/3500 Next Generation SONET Multiservice
     Platform (all versions)
     S/DMS TransportNode OC-48
     S/DMS TransportNode OC-48 OPTera Packet Edge (OPE)
     OPTera Connect DX Connection Manager
     S/DMS TransportNode OC-12 TBM
     OPTera Metro 4200
     OPTera Metro 4100 without OPE 100 card
     S/DMS TransportNode TN-1X
     S/DMS TransportNode TN-1C
     S/DMS TransportNode TN-1P
     S/DMS TransportNode TN-4T
     (See Long Haul Optical Management Products comment above for the
     following Metro Optical Preside products.)
     Preside Site Manager
     Preside Application Platform
     Preside Trail Manager
     Preside Manager for OPTera Metro
     Preside Optical Applications
     Preside Configurable Surveillance Adapter
     Preside Configurable Trail Adapter
     Circuit Switching
     DMS  Enhanced Network (ENET)
     DMS Message Switch (MS)
     DMS-10
     DMS Series 60/70 Core
     NT40
     DMS XA-Core
     DMS TOPS
     DMS-100
     DMS 100i
     DMS-200
     DMS-250
     DMS-300
     DMS-500
     DMS Custom Specific Variants
     DMS MMP/GSP
     DMS LPP/EIU
     DMS Input Output Module (IOM)
     NETOnline
     Spectrum Peripheral Module (SPM)
     Real Time 1000 (RT-1000)
     Extended Peripheral Module (XPM)
     WIRELESS
     TDMA Access
     Intelligent Cellular Peripheral (ICP) - all versions and all subsystems
     Intelligent Cellular Radio Module (ICRM) - all versions and subsystems
     CDMA Access
     Legacy Base Transceiver Station (BTS) - all versions and all subsystems
     Metro Cell all versions and all subsystems
     Base Station Controller (BSC) - except Passport versions
     GSM/GPRS/UMTS Access
     GSM:  Base Transceiver Station S8000 (S8000 BTS) - all versions
     GSM:  Base Station Controllers 12000, 6000 (BSC12000, BSC6000) - all versions
     GSM:  e-cell Base Transceiver Station (e-cell BTS) - all versions
     GSM:  S2000 Base Transceiver Station (S2000 BTS) - all versions
     GSM:  Base Station Controller e3 (BSCe3) - all versions
     UMTS Node B (all versions)
     UMTS iRNC (excluding MDP/MDM OA&M device for Passport)
     Wireless Core
     Wireless Prepaid - (Nortel Intelligent Network-based prepaid product
     for CDMA/TDMA/AMPS)
     MDS
     Adept
Novell
     Novell ships SNMP.NLM and SNMPLOG.NLM with NetWare 4.x, NetWare 5.x and 6.0 systems. 
The SNMP and SNMPLOG vulnerabilities detected on NetWare are fixed and will be available 
through NetWare 6 Support Pack 1 & NetWare 5.1 Support Pack 4. Support packs are available 
at http://support.novell.com/tools/csp/.
OpenBSD
     OpenBSD does not ship SNMP code.
Qualcomm
     WorldMail does not support SNMP by default, so customers who run unmodified 
installations are not vulnerable.
Radware
     Radware has assessed its SNMP based products against the
     vulnerabilities identified in CERT Advisory CA-2002-03.  Product
     specific software maintenance releases are being developed and will
     be available in the near future.  Please consult our web site
     (www.radware.com) for additional information.
     Until the releases addressing the SNMP vulnerabilities are available,
     Radware recommends taking the following standard security
     precautions:
     * Disable all remote management access through all unnecessary
     interfaces using the SNMP or Management Ports Table feature,
     depending on the specific software release in use.
     * If possible, limit all remote management access to a physically
     separate port that is connected to a secure management segment.
Redback Networks, Inc.
     Redback Networks, Inc. has identified that the vulnerability in question affects 
certain versions of AOS software on the SMS 500, SMS 1800, and SMS 10000 platforms, and is 
taking the appropriate steps necessary to correct the issue.
Red Hat
     RedHat has released a security advisory at
     http://www.redhat.com/support/errata/RHSA-2001-163.html
     with updated versions of the ucd-snmp package for all supported releases and 
architectures. For more information or to download the update please visit this page.
Sierra Wireless
     We are not vulnerable.
SGI
     SGI acknowledges the SNMP vulnerabilities reported by CERT and is currently investigating. 
No further information is available at this time.
     For the protection of all our customers, SGI does not disclose, discuss or confirm 
vulnerabilities until a full investigation has occurred and any necessary patch(es) or 
release streams are available for all vulnerable and supported IRIX operating systems. Until 
SGI has more definitive information to provide, customers are encouraged to assume all 
security vulnerabilities as exploitable and take appropriate steps according to local site 
security policies and requirements. As further information becomes available, additional 
advisories will be issued via the normal SGI security information distribution methods 
including the wiretap mailing list on http://www.sgi.com/support/security/.
SNMP Research International
     The most recent releases (15.3.1.7 and above) of all SNMP Research products address the 
vulnerabilities identified in the following CERT vulnerability advisories:
          VU#854306 (Multiple vulnerabilities in SNMPv1 request handling)
          VU#107186 (Multiple vulnerabilities in SNMPv1 trap handling)
     A few of the malformed packets sent in these tests result in out of bound array 
references in allocated memory and minor memory leaks. No consequences, other than potential 
denial of service on some platforms, are known.
     All customers who maintain a support contract have received either the new release or 
the appropriate patch sets to their 15.3.1.1 and later source code releases addressing these 
vulnerabilities. Users maintaining earlier releases should update to the current release if 
they have not already done so. Up-to-date information is available from support@snmp.com.
Stonesoft
     Stonesoft's StoneGate product does not include an SNMP agent, and is therefore not 
vulnerable to this. Other Stonesoft's products are still under investigation. As further 
information becomes available, additional advisories will be available at
     http://www.stonesoft.com/support/techcenter/
Sun Microsystems, Inc.
     Sun's SNMP product, Solstice Enterprise Agents (SEA), described here:
          http://www.sun.com/solstice/products/ent.agents/
     is affected by VU#854306 but not VU#107186. More specifically the main agent of SEA, 
snmpdx(1M), is affected on Solaris 2.6, 7, 8. Sun has released Security Bulletin #00215.
     Sun Security Bulletins are available from:
          http://sunsolve.sun.com/security
     Sun patches are available from:
          http://sunsolve.sun.com/securitypatch
Symantec Corporation
     Symantec Corporation has investigated the SNMP issues identified by the OUSPG test 
suite and determined that Symantec products are not susceptible to these issues.
TANDBERG
     Tandberg have run all the testcases found in the PROTOS test-suite, c06snmpv1:
     1. c06-snmpv1-req-app-pr1.jar
     2. c06-snmpv1-req-enc-pr1.jar
     3. c06-snmpv1-trap-app-pr1.jar
     4. c06-snmpv1-trap-enc-pr1.jar
     The tests were run with standard delay time between the requests (100ms), but also with 
a delay of 1ms. The tests apply to all TANDBERG products (T500, T880, T1000, T2500, T6000 
and T8000). The software tested on these products was B4.0 (our latest software) and no 
problems were found when running the test suite.
Tivoli Systems
     IBM Tivoli has identified that, in the absence of properly configured perimeter 
firewall protection, the following Tivoli products are potentially vulnerable with respect 
to the CERT Advisory CA-2002-03.
     ·    Tivoli NetView for OS/390 Version 1 Release 2, 3 and 4
     ·    Tivoli NetView for Unix Version 7.1 and earlier
     ·    Tivoli NetView for Windows Version 7.1 and earlier
     ·    Tivoli Enterprise Console (SNMP adapter only)
     ·    Tivoli Storage Network Manager
     IBM is not aware of other affected Tivoli products at this time. IBM is investigating 
this vulnerability on an ongoing basis and will update vulnerability information on its IBM 
Tivoli website if new information becomes available.
     ·    Tivoli NetView for OS/390
     Evaluation is underway to assess any vulnerability. If exposures are found due to the 
advisory, PTFs will be provided.
     ·    Tivoli NetView for Unix, Tivoli NetView for Windows
     The "trap handling" subsystems are vulnerable to a service interruption 
related to VU#107186. The Mid-Level Manager agents on some platforms are vulnerable to a 
service interruption related to  VU#854306.  These conditions are present in Tivoli NetView 
V7.1 and earlier.  Solutions are currently being tested and will be available in an upcoming 
service release.
     ·    Tivoli Enterprise Console (SNMP adapter only)
     Evaluation is underway to determine whether the SNMP adapter is vulnerable to a service 
interruption. If exposures are found due to the advisory, fixes will be provided.
     ·    Tivoli Storage Network Manager
     Evaluation is underway to assess any vulnerability. If exposures are found due to the 
advisory, fixes will be provided.
     Please contact Tivoli support either via our web site at
     (http://www.tivoli.com/secure/support/documents/security/index.html) or refer to PMR 
number (41203,000,866) for patch availability and the most current information.
     IBM Tivoli is expanding its usage of the Oulu University Secure Programming 
Group's PROTOS c06-snmpv1 test suite to provide an expanded set of test scenarios.
Wind River Systems, Inc.
     Current SNMP products from Wind River Systems:  Envoy SNMP v9.3 Beta, Envoy
     v9.2, Envoy v9.1, and WindNet SNMP v2.0, are not susceptible to VU#854306
     and VU#107186 in our internal testing.  We are continuing regression testing
     on previous versions of Wind River SNMP products, and working with our
     customers on more test cases.  We will update this vendor statement as new
     information becomes available.
     Note: As Wind River's Envoy SNMP is a source code product, customers'
     modifying of Envoy and implementation of proprietary MIB access methods MAY
     introduce vulnerability to VU#854306 and VU#107186.  Wind River recommends
     individual testing of customer products incorporating MODIFIED Envoy SNMP
     source code.
     Wind River customers under support and maintenance have received the current
     product releases.
     Please contact Wind River support at support@windriver.com or call (800)
     458-7767 with any test reports related to VU#854306 and VU#107186.
Appendix B. - References
  1. http://www.ee.oulu.fi/research/ouspg/protos/
  2. http://www.kb.cert.org/vuls/id/854306
  3. http://www.kb.cert.org/vuls/id/107186
  4. http://www.cert.org/tech_tips/denial_of_service.html
  5. http://www.ietf.org/rfc/rfc1067.txt
  6. http://www.ietf.org/rfc/rfc1089.txt
  7. http://www.ietf.org/rfc/rfc1140.txt
  8. http://www.ietf.org/rfc/rfc1155.txt
  9. http://www.ietf.org/rfc/rfc1156.txt
 10. http://www.ietf.org/rfc/rfc1215.txt
 11. http://www.ietf.org/rfc/rfc1270.txt
 12. http://www.ietf.org/rfc/rfc1352.txt
Appendix C. - Background Information
Background Information on the OUSPG
OUSPG is an academic research group located at Oulu University in Finland. The purpose of 
this research group is to test software for vulnerabilities.
History has shown that the techniques used by the OUSPG have discovered a large number of 
previously undetected problems in the products and protocols they have tested. In 2001, the 
OUSPG produced a comprehensive test suite for evaluating implementations of the Lightweight 
Directory Access Protocol (LDAP). This test suite was developed with the strategy of abusing 
the protocol in unsupported and unexpected ways, and it was very effective in uncovering a 
wide variety of vulnerabilities across several products. This approach can reveal 
vulnerabilities that would not manifest themselves under normal conditions.
After completing its work on LDAP, OUSPG moved its focus to SNMPv1. As with LDAP, they 
designed a custom test suite, began testing a selection of products, and found a number of 
vulnerabilities. Because OUSPG's work on LDAP was similar in procedure to its current work 
on SNMP, you may wish to review the LDAP Test Suite and CERT Advisory CA-2001-18, which 
outlined results of application of the test suite.
In order to test the security of protocols like SNMPv1, the PROTOS project presents a server 
with a wide variety of sample packets containing unexpected values or illegally formatted 
data. As a member of the PROTOS project consortium, the OUSPG used the PROTOS c06-snmpv1 
test suite to study several implementations of the SNMPv1 protocol. Results of the test 
suites run against SNMP indicate that there are many different vulnerabilities on many 
different implementations of SNMP.
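The kind of input handling these tests exercise can be shown from the receiving side. The following is an added example, not code from the advisory or from any vendor: a bounds-checked validator for the outer framing of an SNMPv1 message, run over constructed sample datagrams. The function names, the error codes and the two-octet cap on long-form lengths are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Read one BER tag and definite length at *off; on success *off is the value start. */
static int read_tl(const unsigned char *b, size_t n, size_t *off, unsigned char *tag, size_t *vlen)
{
    size_t p = *off, len;
    if (p > n || n - p < 2) return -1;               /* need tag + first length octet */
    *tag = b[p++];
    len = b[p++];
    if (len & 0x80) {                                /* long-form length */
        size_t k = len & 0x7f;
        /* assumed policy: reject indefinite form and more than 2 length octets */
        if (k == 0 || k > 2 || n - p < k) return -1;
        for (len = 0; k > 0; k--) len = (len << 8) | b[p++];
    }
    if (len > n - p) return -1;                      /* value would run past the datagram */
    *off = p;
    *vlen = len;
    return 0;
}

/* Returns 0 if the outer SNMPv1 framing is sound, else the negative number of the failed check. */
int snmpv1_check(const unsigned char *b, size_t n)
{
    size_t off = 0, len = 0;
    unsigned char tag = 0;
    if (read_tl(b, n, &off, &tag, &len) || tag != 0x30) return -1;   /* outer SEQUENCE */
    if (len != n - off) return -2;                   /* declared length must match datagram */
    if (read_tl(b, n, &off, &tag, &len) || tag != 0x02 || len != 1 || b[off]) return -3;
    off += len;                                      /* version was INTEGER 0 (SNMPv1) */
    if (read_tl(b, n, &off, &tag, &len) || tag != 0x04) return -4;   /* community string */
    off += len;
    if (read_tl(b, n, &off, &tag, &len) || tag < 0xA0 || tag > 0xA4) return -5; /* PDU type */
    return len == n - off ? 0 : -6;                  /* PDU must fill the rest exactly */
}

/* Constructed samples: one well-formed GetRequest and two damaged headers. */
static const unsigned char GET_OK[] = {
    0x30,0x26, 0x02,0x01,0x00, 0x04,0x06,'p','u','b','l','i','c',
    0xA0,0x19, 0x02,0x01,0x01, 0x02,0x01,0x00, 0x02,0x01,0x00,
    0x30,0x0E, 0x30,0x0C, 0x06,0x08,0x2B,0x06,0x01,0x02,0x01,0x01,0x01,0x00, 0x05,0x00 };
static const unsigned char COMMUNITY_OVERRUN[] = { 0x30,0x0B, 0x02,0x01,0x00, 0x04,0x7F,'p','u','b','l','i','c' };
static const unsigned char INDEFINITE_LEN[] = { 0x30,0x80, 0x02,0x01,0x00, 0x00,0x00 };
int main(void)
{
    printf("ok=%d truncated=%d overrun=%d indefinite=%d\n",
           snmpv1_check(GET_OK, sizeof GET_OK), snmpv1_check(GET_OK, 20),
           snmpv1_check(COMMUNITY_OVERRUN, sizeof COMMUNITY_OVERRUN),
           snmpv1_check(INDEFINITE_LEN, sizeof INDEFINITE_LEN));
    return 0;
}
```

Every length is compared against the bytes actually received before any value is read, which is the check whose absence produces the out-of-bounds references some vendor statements above describe.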
Background Information on the Simple Network Management Protocol
The Simple Network Management Protocol (SNMP) is the most popular protocol in use to manage 
networked devices. SNMP was designed in the late 80's to facilitate the exchange of 
management information between networked devices, operating at the application layer of the 
ISO/OSI model. The SNMP protocol enables network and system administrators to remotely 
monitor and configure devices on the network (devices such as switches and routers). 
Software and firmware products designed for networks often make use of the SNMP protocol. 
SNMP runs on a multitude of devices and operating systems, including, but not limited to,
   * Core Network Devices (Routers, Switches, Hubs, Bridges, and Wireless Network Access 
Points)
   * Operating Systems
   * Consumer Broadband Network Devices (Cable Modems and DSL Modems)
   * Consumer Electronic Devices (Cameras and Image Scanners)
   * Networked Office Equipment (Printers, Copiers, and FAX Machines)
   * Network and Systems Management/Diagnostic Frameworks (Network Sniffers and Network 
Analyzers)
   * Uninterruptible Power Supplies (UPS)
   * Networked Medical Equipment (Imaging Units and Oscilloscopes)
   * Manufacturing and Processing Equipment
The SNMP protocol is formally defined in RFC1157. Quoting from that RFC:
     Implicit in the SNMP architectural model is a collection of network management stations 
and network elements. Network management stations execute management applications which 
monitor and control network elements. Network elements are devices such as hosts, gateways, 
terminal servers, and the like, which have management agents responsible for performing the 
network management functions requested by the network management stations. The Simple 
Network Management Protocol (SNMP) is used to communicate management information between the 
network management stations and the agents in the network elements.
Additionally, SNMP is discussed in a number of other RFC documents:
   * RFC 3000 Internet Official Protocol Standards
   * RFC 1212 Concise MIB Definitions
   * RFC 1213 Management Information Base for Network Management of TCP/IP-based Internets: 
MIB-II
   * RFC 1215 A Convention for Defining Traps for use with the SNMP
   * RFC 1270 SNMP Communications Services
   * RFC 2570 Introduction to Version 3 of the Internet-standard Network Management 
Framework
   * RFC 2571 An Architecture for Describing SNMP Management Frameworks
   * RFC 2572 Message Processing and Dispatching for the Simple Network Management Protocol 
(SNMP)
   * RFC 2573 SNMP Applications
   * RFC 2574 User-based Security Model (USM) for version 3 of the Simple Network Management 
Protocol (SNMPv3)
   * RFC 2575 View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
   * RFC 2576 Coexistence between Version 1, Version 2, and Version 3 of the 
Internet-standard Network Management Framework
---------------------------------------
The CERT Coordination Center thanks the Oulu University Secure Programming Group for 
reporting these vulnerabilities to us, for providing detailed technical analyses, and for 
assisting us in preparing this advisory.
We also thank Steven M. Bellovin (AT&T Labs -- Research), Wes Hardaker (Net-SNMP), Steve 
Moulton (SNMP Research), Tom Reddington (Bell Labs), Mike Duckett (Bell South), Rob Thomas, 
Blue Boar (Thievco), Sunil Chitnis (Foundry Networks), the Cisco Systems Product Security 
Incident Response Team (psirt@cisco.com) and the many others who contributed to this 
document.
---------------------------------------
Feedback on this document can be directed to the authors, Ian A. Finlay, Shawn V. Hernan, 
Jason A. Rafail, Chad Dougherty, Allen D. Householder, Marty Lindner, and Art Manion.
---------------------------------------
This document is available from: http://www.cert.org/advisories/CA-2002-03.html
---------------------------------------
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
     CERT Coordination Center
     Software Engineering Institute
     Carnegie Mellon University
     Pittsburgh PA 15213-3890
     U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through 
Friday; they are on call for emergencies during other hours, on U.S. holidays, and on 
weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is 
available from
     http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
     http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. 
Please include in the body of your message 
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
---------------------------------------
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute 
is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any 
kind, either expressed or implied as to any matter including, but not limited to, warranty 
of fitness for a particular purpose or merchantability, exclusivity or results obtained from 
use of the material. Carnegie Mellon University does not make any warranty of any kind with 
respect to freedom from patent, trademark, or copyright infringement.
---------------------------------------
Conditions for use, disclaimers, and sponsorship information
Copyright 2002 Carnegie Mellon University.
Revision History
Feb 12, 2002: Initial release
Feb 12, 2002: Corrected vendor appendix formatting issues
Feb 12, 2002: Added vendor statement for Inktomi
Feb 12, 2002: Fixed formatting problem in "Disable stack execution" section
Feb 12, 2002: Updated vendor statement for Juniper
Feb 12, 2002: Fixed broken link in Juniper statement
Feb 12, 2002: Updated Public Thanks section
Feb 12, 2002: Updated Covalent statement
Feb 12, 2002: Updated SNMP Research statement
Feb 12, 2002: Updated CVE and Comtek services links
Feb 13, 2002: Updated Cisco, Enterasys, FreeBSD, HP, Microsoft, Sun, and Tandberg statements, 
removed Tivoli statement
Feb 14, 2002: Added vendor statement for Aprisma
Feb 14, 2002: Added vendor statements for MG-Soft and NetScreen
Feb 14, 2002: Added vendor statement for iTouch Communications
Feb 14, 2002: Added vendor statement for F5 Networks
Feb 14, 2002: Added vendor statement for Sierra Wireless
Feb 15, 2002: Added vendor statement for MICROMUSE
Feb 15, 2002: Updated HP statement
Feb 16, 2002: Updated Nortel Networks statement
Feb 16, 2002: Added vendor statement for Foundry Networks
Feb 18, 2002: Added vendor statement for Tivoli
Feb 18, 2002: Added vendor statement for Radware
Feb 18, 2002: Updated Nortel Networks statement
Feb 19, 2002: Updated Nortel Networks statement
Feb 19, 2002: Updated F5 Networks statement
Feb 19, 2002: Updated Compaq statement
Feb 19, 2002: Updated IBM statement
Feb 19, 2002: Added vendor statement for Dell
Feb 19, 2002: Fixed bad link in Enterasys statement
Feb 19, 2002: Updated IBM statement
Feb 19, 2002: Added vendor statement for BMC Software
Feb 20, 2002: Added vendor statement for Wind River Systems
Feb 20, 2002: Added vendor statement for Concord Communications
Feb 20, 2002: Added vendor statement for CommWorks Corporation (a 3Com company)
Feb 20, 2002: Added vendor statement for Lexmark International
Feb 20, 2002: Added vendor statement for Check Point Software Technologies Inc.
Feb 20, 2002: Added vendor statement for Alcatel