CERT® Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)

Original release date: February 12, 2002
Last revised: February 13, 2008
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

Products from a very wide variety of vendors may be affected. See Vendor Information for details from vendors who have provided feedback for this advisory.

In addition to the vendors who provided feedback for this advisory, a list of vendors whom CERT/CC contacted regarding these problems is available from

http://www.kb.cert.org/vuls/id/854306
http://www.kb.cert.org/vuls/id/107186

Many other systems making use of SNMP may also be vulnerable but were not specifically tested.

Overview

Numerous vulnerabilities have been reported in multiple vendors' SNMP implementations. These vulnerabilities may allow unauthorized privileged access, denial-of-service attacks, or cause unstable behavior. If your site uses SNMP in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section below.

In addition to this advisory, we also have a FAQ available at

I. Description

The Simple Network Management Protocol (SNMP) is a widely deployed protocol that is commonly used to monitor and manage network devices. Version 1 of the protocol (SNMPv1) defines several types of SNMP messages that are used to request information or configuration changes, respond to requests, enumerate SNMP objects, and send unsolicited alerts. The Oulu University Secure Programming Group (OUSPG, http://www.ee.oulu.fi/research/ouspg/) has reported numerous vulnerabilities in SNMPv1 implementations from many different vendors. More information about SNMP and OUSPG can be found in Appendix C.

OUSPG's research focused on the manner in which SNMPv1 agents and managers handle request and trap messages. By applying the PROTOS c06-snmpv1 test suite (http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html) to a variety of popular SNMPv1-enabled products, the OUSPG revealed the following vulnerabilities:

VU#107186 - Multiple vulnerabilities in SNMPv1 trap handling

SNMP trap messages are sent from agents to managers. A trap message may indicate a warning or error condition or otherwise notify the manager about the agent's state. SNMP managers must properly decode trap messages and process the resulting data. In testing, OUSPG found multiple vulnerabilities in the way many SNMP managers decode and process SNMP trap messages.

VU#854306 - Multiple vulnerabilities in SNMPv1 request handling

SNMP request messages are sent from managers to agents. Request messages might be issued to obtain information from an agent or to instruct the agent to configure the host device. SNMP agents must properly decode request messages and process the resulting data. In testing, OUSPG found multiple vulnerabilities in the way many SNMP agents decode and process SNMP request messages.

Vulnerabilities in the decoding and subsequent processing of SNMP messages by both managers and agents may result in denial-of-service conditions, format string vulnerabilities, and buffer overflows. Some vulnerabilities do not require the SNMP message to use the correct SNMP community string, because they are triggered while the message is being decoded, before the community string is evaluated.

These vulnerabilities have been assigned the CVE identifiers CAN-2002-0012 and CAN-2002-0013, respectively.
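The decode-then-authenticate ordering that makes the community string irrelevant to these bugs is easier to see in code. The following SNMPv1 BER encoder and bounds-checked decoder is an added example written for this page; it is not code from CERT/CC, OUSPG or the PROTOS suite. The message layout follows RFC 1157, while the function names, the sample OID and the community strings are assumptions. It builds a GetRequest, applies a PROTOS-style mutation (a community-string length that exceeds the datagram) and shows that a decoder which validates every length before using it rejects the message before the community string is ever compared.

```python
"""SNMPv1 (RFC 1157) BER encoder and bounds-checked decoder (added example;
function names, sample OID and community strings are assumptions)."""

class MalformedMessage(ValueError):
    """A TLV length does not fit inside its enclosing buffer."""

def encode_tlv(tag: int, content: bytes) -> bytes:
    assert len(content) < 0x80, "short-form lengths only (enough for this example)"
    return bytes([tag, len(content)]) + content

def encode_int(v: int) -> bytes:
    return encode_tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                 # base-128, continuation bit on all but the last byte
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return encode_tlv(0x06, bytes(body))

def build_get_request(community: bytes, oid: str, request_id: int = 1) -> bytes:
    varbind = encode_tlv(0x30, encode_oid(oid) + b"\x05\x00")              # OID, NULL value
    pdu = encode_tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0)
                     + encode_tlv(0x30, varbind))                          # GetRequest-PDU
    return encode_tlv(0x30, encode_int(0) + encode_tlv(0x04, community) + pdu)

def read_tlv(buf: bytes, pos: int, end: int, want: int):
    """Return (content_start, content_end) of the TLV at pos, or raise.
    Never reads past end: this is the check the vulnerable agents lacked."""
    if pos + 2 > end:
        raise MalformedMessage("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if tag != want:
        raise MalformedMessage(f"expected tag {want:#x}, got {tag:#x}")
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if not 1 <= nbytes <= 4 or pos + nbytes > end:
            raise MalformedMessage("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if length > end - pos:
        raise MalformedMessage(f"length {length} exceeds {end - pos} remaining bytes")
    return pos, pos + length

def decode_oid(body: bytes) -> str:
    if not body:
        raise MalformedMessage("empty OID")
    arcs, value, pending = [body[0] // 40, body[0] % 40], 0, False
    for b in body[1:]:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise MalformedMessage("unterminated OID arc")
    return ".".join(map(str, arcs))

def decode_get_request(msg: bytes) -> dict:
    s, end = read_tlv(msg, 0, len(msg), 0x30)
    if end != len(msg):
        raise MalformedMessage("outer SEQUENCE does not span the datagram")
    vs, ve = read_tlv(msg, s, end, 0x02)
    cs, ce = read_tlv(msg, ve, end, 0x04)
    ps, pe = read_tlv(msg, ce, end, 0xA0)
    ints, pos = [], ps
    for _ in range(3):                          # request-id, error-status, error-index
        a, pos = read_tlv(msg, pos, pe, 0x02)
        ints.append(int.from_bytes(msg[a:pos], "big", signed=True))
    ls, le = read_tlv(msg, pos, pe, 0x30)       # VarBindList
    oids, pos = [], ls
    while pos < le:
        bs, pos = read_tlv(msg, pos, le, 0x30)  # VarBind: OID then value
        os_, oe = read_tlv(msg, bs, pos, 0x06)
        oids.append(decode_oid(msg[os_:oe]))
        if read_tlv(msg, oe, pos, 0x05)[1] != pos:   # NULL value must end the VarBind
            raise MalformedMessage("trailing bytes in VarBind")
    return {"version": int.from_bytes(msg[vs:ve], "big", signed=True),
            "community": msg[cs:ce], "request_id": ints[0], "oids": oids}

def agent_handle(msg: bytes, expected_community: bytes) -> str:
    """Parse first, authenticate second: a decoding flaw is reachable with any
    community string, so changing the default alone cannot mitigate it."""
    req = decode_get_request(msg)               # raises MalformedMessage on bad input
    if req["community"] != expected_community:
        return "dropped: wrong community"
    return f"GetRequest id={req['request_id']} oids={req['oids']}"

def mutate_community_length(msg: bytes, claimed: int) -> bytes:
    """PROTOS-style mutation: overwrite the community string's length byte
    (offset 6 in the fixed layout build_get_request produces)."""
    out = bytearray(msg)
    out[6] = claimed
    return bytes(out)

if __name__ == "__main__":
    good = build_get_request(b"public", "1.3.6.1.2.1.1.1.0")    # sysDescr.0
    print(agent_handle(good, b"public"))
    bad = mutate_community_length(good, 0x7F)                  # claims 127 bytes, only 33 remain
    try:
        agent_handle(bad, b"public")
    except MalformedMessage as err:
        print("rejected before the community check:", err)
```

The same mutation handed to a decoder that trusts the length field and copies that many bytes into a fixed-size community buffer is exactly the overflow class described above; the strict `read_tlv` refuses before any copy happens, and it does so whatever community string the attacker supplies.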

II. Impact

These vulnerabilities may cause denial-of-service conditions, service interruptions, and in some cases may allow an attacker to gain access to the affected device. Specific impacts will vary from product to product.

III. Solution

Note that many of the mitigation steps recommended below may have significant impact on your everyday network operations and/or network architecture. Ensure that any changes made based on the following recommendations will not unacceptably affect your ongoing network operations capability.

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. Please consult this appendix to determine if you need to contact your vendor directly.

Disable the SNMP service

As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required, including SNMP. Unfortunately, some of the affected products exhibited unexpected behavior or denial-of-service conditions when exposed to the OUSPG test suite even if SNMP was not enabled. In these cases, disabling SNMP should be used in conjunction with the filtering practices listed below to provide additional protection.

Ingress filtering

As a temporary measure, it may be possible to limit the scope of these vulnerabilities by blocking access to SNMP services at the network perimeter.

Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound traffic from the public Internet. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound traffic to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services. For SNMP, ingress filtering of the following ports can prevent attackers outside of your network from impacting vulnerable devices in the local network that are not explicitly authorized to provide public SNMP services.

snmp     161/udp     # Simple Network Management Protocol (SNMP)
snmp     162/udp     # SNMP system management messages

The following services are less common, but may be used on some affected products

snmp               161/tcp     # Simple Network Management Protocol (SNMP)
snmp               162/tcp     # SNMP system management messages
smux               199/tcp     # SNMP Unix Multiplexer
smux               199/udp     # SNMP Unix Multiplexer
synoptics-relay    391/tcp     # SynOptics SNMP Relay Port
synoptics-relay    391/udp     # SynOptics SNMP Relay Port
agentx             705/tcp     # AgentX
snmp-tcp-port     1993/tcp     # cisco SNMP TCP port
snmp-tcp-port     1993/udp     # cisco SNMP TCP port

As noted above, you should carefully consider the impact of blocking services that you may be using.

It is important to note that in many SNMP implementations, the SNMP daemon may bind to all IP interfaces on the device. This has important consequences when considering appropriate packet filtering measures required to protect an SNMP-enabled device. For example, even if a device disallows SNMP packets directed to the IP addresses of its normal network interfaces, it may still be possible to exploit these vulnerabilities on that device through the use of packets directed at the following IP addresses:

  • "all-ones" broadcast address
  • subnet broadcast address
  • any internal loopback addresses (commonly used in routers for management purposes, not to be confused with the IP stack loopback address 127.0.0.1)

Careful consideration should be given to addresses of the types mentioned above by sites planning for packet filtering as part of their mitigation strategy for these vulnerabilities.
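To make the broadcast and loopback caveat concrete, the following added example (not part of the advisory) computes every destination address on which an agent that binds all interfaces may receive SNMP traffic, compares a filter that covers only the interface unicast addresses with one that also covers the directed broadcast, all-ones broadcast and internal loopback addresses, and renders the complete set as iptables DROP rules. The interface addresses and the internal loopback address are constructed sample data; the port list is the one given above; the iptables syntax is standard but the rule set is illustrative.

```python
"""Destination addresses an SNMP ingress filter must cover (added example)."""
import ipaddress

# Ports from the advisory's service list, udp and tcp variants alike.
SNMP_PORTS = {161, 162, 199, 391, 705, 1993}

# Constructed sample device: two routed interfaces plus an internal
# management loopback (assumed addresses, documentation/private ranges).
INTERFACES = ["192.0.2.10/24", "198.51.100.1/30"]
INTERNAL_LOOPBACKS = ["10.255.0.1/32"]


def unicast_only(interfaces):
    """What a naive filter protects: each interface's own address only."""
    return {str(ipaddress.ip_interface(i).ip) for i in interfaces}


def agent_listener_addresses(interfaces, loopbacks):
    """Every destination a daemon bound to all interfaces may answer on:
    interface unicast, each subnet's directed broadcast, the all-ones
    broadcast, and any internal loopback addresses."""
    addrs = unicast_only(interfaces)
    for i in interfaces:
        addrs.add(str(ipaddress.ip_interface(i).network.broadcast_address))
    addrs.add("255.255.255.255")
    for lo in loopbacks:
        addrs.add(str(ipaddress.ip_interface(lo).ip))
    return addrs


def blocked(policy_addrs, proto, dst, dport):
    """Filter decision: drop SNMP-port traffic to any covered address."""
    return proto in ("udp", "tcp") and dport in SNMP_PORTS and dst in policy_addrs


def render_iptables(policy_addrs):
    """iptables INPUT rules dropping SNMP ports for each covered address."""
    rules = []
    for dst in sorted(policy_addrs, key=ipaddress.ip_address):
        for proto in ("udp", "tcp"):
            for port in sorted(SNMP_PORTS):
                rules.append(f"iptables -A INPUT -p {proto} -d {dst} --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    naive = unicast_only(INTERFACES)
    full = agent_listener_addresses(INTERFACES, INTERNAL_LOOPBACKS)
    for dst in ("192.0.2.10", "192.0.2.255", "255.255.255.255", "10.255.0.1"):
        print(f"{dst:16} naive={blocked(naive, 'udp', dst, 161)!s:5} "
              f"complete={blocked(full, 'udp', dst, 161)}")
    print("\n".join(render_iptables(full)))
```

On a border router the same check is usually expressed as a deny for the whole SNMP port set regardless of destination, which is simpler than enumerating addresses; the enumeration above is what you need when the filter sits on the device itself or when only some destinations may legitimately be managed.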

Finally, sites may wish to block access to the following RPC services related to SNMP (listed as name, program ID, alternate names)

snmp       100122 na.snmp snmp-cmc snmp-synoptics snmp-unisys snmp-utk
snmpv2     100138 na.snmpv2     # SNM Version 2.2.2
snmpXdmid  100249

Please note that this workaround may not protect vulnerable devices from internal attacks.

Filter SNMP traffic from non-authorized internal hosts

In many networks, only a limited number of network management systems need to originate SNMP request messages. Therefore, it may be possible to configure the SNMP agent systems (or the network devices in between the management and agent systems) to disallow request messages from non-authorized systems. This can reduce, but not wholly eliminate, the risk from internal attacks. However, it may have detrimental effects on network performance due to the increased load imposed by the filtering, so careful consideration is required before implementation. Similar caveats to the previous workaround regarding broadcast and loopback addresses apply.

Change default community strings

Most SNMP-enabled products ship with default community strings of "public" for read-only access and "private" for read-write access. As with any known default access control mechanism, the CERT/CC recommends that network administrators change these community strings to something of their own choosing. However, even when community strings are changed from their defaults, they will still be passed in plaintext and are therefore subject to packet sniffing attacks. SNMPv3 offers additional capabilities to ensure authentication and privacy as described in RFC2574.

Because many of the vulnerabilities identified in this advisory occur before the community strings are evaluated, it is important to note that performing this step alone is not sufficient to mitigate the impact of these vulnerabilities. Nonetheless, it should be performed as part of good security practice.

Segregate SNMP traffic onto a separate management network

In situations where blocking or disabling SNMP is not possible, exposure to these vulnerabilities may be limited by restricting all SNMP access to separate, isolated management networks that are not publicly accessible. Although this would ideally involve physically separate networks, that kind of separation is probably not feasible in most environments. Mechanisms such as virtual LANs (VLANs) may be used to help segregate traffic on the same physical network. Note that VLANs may not strictly prevent an attacker from exploiting these vulnerabilities, but they may make it more difficult to initiate the attacks.

Another option is for sites to restrict SNMP traffic to separate virtual private networks (VPNs), which employ cryptographically strong authentication.

Note that these solutions may require extensive changes to a site's network architecture.

Egress filtering

Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound traffic to the Internet. In the case of SNMP vulnerabilities, employing egress filtering on the ports listed above at your network border can prevent your network from being used as a source for attacks on other sites.

Share tools and techniques

Because dealing with these vulnerabilities to systems and networks is so complex, the CERT/CC will provide a forum where administrators can share ideas and techniques that can be used to develop proper defenses. We have created an unmoderated mailing list for system and network administrators to discuss helpful techniques and tools.

You can subscribe to the mailing list by sending an email message to majordomo@cert.org. In the body of the message, type

    subscribe snmp-forum

After you receive the confirmation message, follow the instructions in the message to complete the subscription process.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

ADTRAN, Inc.

ADTRAN Advisory:
SNMPv1 Request and Trap Handling Vulnerabilities
Revision 1.0
Release Date: 19 February 2002

I. Summary
On February 12, 2002 the CERT®/CC released an advisory related to security vulnerabilities that may exist in network devices using SNMPv1 as the management protocol. In response to this advisory, "CERT® Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)", ADTRAN began executing the tests that elicit these vulnerabilities for all ADTRAN products that feature SNMPv1 capability.

II. Impact
Preliminary test results have indicated multiple ADTRAN products exhibit certain vulnerabilities to SNMP messages. Some of these vulnerabilities can be exploited, resulting in a denial of service or service interruption. These results have not indicated any vulnerability that will allow an attacker to gain access to the affected device.

III. Solution
ADTRAN is currently applying the PROTOS c06-SNMPv1 test suite to all products that feature SNMPv1 capability. Until ADTRAN has completed testing on all of its products and provided patches or fixes to eliminate these vulnerabilities, ADTRAN recommends considering one or more of the following solutions, as identified in CERT® Advisory CA-2002-03, to minimize your network’s potential exposure to these vulnerabilities:
· Disable the SNMP Service
· Ingress filtering
· Egress filtering
· Filter SNMP traffic from non-authorized internal hosts
· Segregate SNMP traffic onto a separate management network
· Restrict SNMP traffic to Virtual Private Networks (VPNs)
· Change default community strings
ADTRAN’s NetVanta Solutions
ADTRAN’s NetVanta 2000 Series of products can be used to provide most of the solutions identified above, including ingress and egress filtering, filtering SNMP traffic from non-authorized internal hosts, and restricting SNMP traffic to Virtual Private Networks (VPNs). For further information on how NetVanta’s VPN and Firewall solutions can secure your network, please see http://www.adtran.com/netvanta2000.

IV. For Further Information
For more information please see http://www.adtran.com/support/snmp.

AdventNet

This is in reference to your notification regarding [VU#107186 and VU#854306] and OUSPG#0100. AdventNet Inc. has reproduced this behavior in their products and coded a Service Pack fix which is currently in regression testing in AdventNet Inc.'s Q.A. organization. The release of AdventNet Inc's. Service Pack correcting the behavior outlined in [... OUSPG#0100] is scheduled to be generally available to all of AdventNet Inc.'s customers by February 20, 2002.

ADVA AG Optical Networking

ADVA Optical Networking is addressing the SNMP vulnerabilities identified in the advisory CA-2002-03  across the entire product line.

ADVA is currently applying the test suite provided by OUSPG (PROTOS c06-snmpv1 test suite) to all of its products.

The following products are tested against possible effects of the vulnerability report VU#854306 - Multiple vulnerabilities in SNMPv1 request handling:

FSP 3000
FSP 2000
FSP II
FSP I
FSP 1000
FSP 500
CELL-ACE
CELL-ACE-PLUS

The ADVA Network Management products:

FSP Element Manager
FSP Network Manager
CELL-SCOPE

are tested against vulnerabilities of the report VU#107186 - Multiple vulnerabilities in SNMPv1 trap handling.

The ongoing tests have not unveiled vulnerabilities so far.

Test results and information about product updates will be published on the ADVA Optical Networking web site: http://www.advaoptical.com .

Alcatel

The security of our customers' networks is of highest priority for Alcatel. Alcatel is aware of this industry-wide SNMP security issue and has put measures in place to assess which of its products might be affected. Within this activity, Alcatel is closely working with its customers and CERT to address and fix potential security problems as identified by CERT.

Allied Telesyn International

Please see http://www.kb.cert.org/vuls/id/IAFY-56DKQY.

Alvarion Ltd.

In response to CERT® Advisory CA-2002-03 regarding multiple vulnerabilities in many implementations of the Simple Network Management Protocol (SNMP), Alvarion performed a varied and thorough set of tests on its BreezeACCESS and WALKair products. The tests performed are the ones recommended by the PROTOS project paper.

Following these tests, Alvarion found no denial of service, memory corruption, stack corruption or other fatal error conditions in its BreezeACCESS and WALKair products.

In addition, Alvarion's BreezeACCESS and WALKair products implement the following additional security measures which are recommended by the PROTOS project report:

1. Perimeter filtering to SNMP traffic.
2. SNMP device based network access control to filter the traffic.
3. Isolation of SNMP traffic into a separate management VLAN (applicable for BreezeACCESS II, XL and MMDS).

American Power Conversion

American Power Conversion has conducted extensive testing in order to determine the impact any vulnerabilities within SNMP pose to our customers. We have determined that exploiting these vulnerabilities in some versions of our firmware can interfere with the normal operation of APC's SNMP-enabled products.

Upgrades are available that repair these vulnerabilities.

For details, refer to the APC Knowledge Base document titled "American Power Conversion Security Bulletin" available at www.apc.com.

Apple Computer, Inc.

The only product currently shipping with SNMP software is the AirPort Base Station.  The AirPort Base Station has been tested and no security vulnerabilities associated with advisory CA-2002-03 have been found.

Aprisma

As mentioned within Aprisma’s February 2002 CERT advisory statement, we have performed the necessary SPECTRUM (6.0 rev3 and 6.5) tests required to address CERT Advisory CA-2002-03, VU#107186 - PROTOS Test-Suite: c06-SNMPv1.

Aprisma’s comprehensive testing has revealed less than ten SNMP message tests - out of thousands of individual tests conducted - exhibited irregular system behavior. As a result of these findings, Aprisma is issuing the following patches to protect our customers against known SNMPv1 vulnerabilities:

CERT Advisory CA-2002-03
VU#107186 - Multiple Vulnerabilities in SNMPv1 Trap Handling:
·    Patch 71 for SPECTRUM 6.0 rev3
·    Patch 22 for SPECTRUM 6.5 (SPECTRUM infinitya, SPECTRUM integritya, and SPECTRUM xsighta)

For customer convenience, Aprisma has combined previously released patches (Patches 9 and 21 for SPECTRUM 6.5), that help prevent a SNMPv1 trap-related vulnerability, into the aforementioned Patch 22 for SPECTRUM 6.5. 

It is recommended that all SPECTRUM customers, who have not taken alternative measures to secure their SPECTRUM servers from SNMPv1 vulnerabilities, install the appropriate patch immediately when available.  Patches will be made available over the next several weeks.

Asante Technologies, Inc.

Asante manufactures and supplies a large range of SNMP managed enterprise LAN switches and related products. The following products have been fully tested and are found NOT to be affected by the SNMP vulnerabilities outlined in VU#854306 and VU#107186.

6524 - 24 port 10/100 switch with 2 GBIC's
3524 - 24 port 10/100 stackable switch with 2 GBE slots
8000 - 24 port 10/100 modular stackable switch with 3 GBE slots
6014 - 12 port 10/100 IntraStack Switch
2072 - Chassis based modular solution
Netstacker II - 24 port 10/100 stackable hub with MII slot
FriendlyNET range of products.

Asante is continuing to address possible vulnerabilities across its entire FriendlyNET, IntraCore and all other product lines. Please contact  support@asante.com for further information.

Astracon, Inc.

The Astracon Stinger NetConnect is safe against the vulnerability reported by VU#107186. The Stinger NetConnect processes SNMP responses only. Since the trap daemon is never invoked, the Stinger NetConnect will never receive a trap; it is always safe.

The Stinger NetConnect doesn't accept SNMP requests, but can send SNMP version 1 or version 3 requests. By configuring the NetConnect to use only SNMP version 3, the vulnerabilities caused when using SNMP version 1 in the network will be avoided.

In order to ensure safety against the vulnerability reported by VU#854306 and VU#107186, the test cases at http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/ were executed, with no adverse effect on the NetConnect. The Stinger NetConnect passed all of the test cases.

Avaya

Avaya is addressing the vulnerabilities identified in this advisory. The latest information on the effect of this vulnerability on Avaya products can be found at: http://support.avaya.com/security

AVET Information and Network Security

AVET FireBorder OS (any version, including 1.4) is not vulnerable to the following vulnerabilities:

- CAN-2002-0012
- CAN-2002-0013

This is due to several reasons:

- AVET FireBorder OS does not contain SNMP server
- administrator user can not install SNMP server due to lack of privileges
- system architecture would not allow arbitrary code to run in any of the running network daemons; theoretically, under some circumstances, it could be possible to perform a remote DoS attack on vulnerable servers; still, to install and run an SNMP daemon a local user would need to bypass default permission and ACL settings.

Avici Systems Inc.

Avici Systems has tested the TSR and SSR product lines, including all associated line card modules according to recommendations issued by CERT, and has found no security vulnerabilities associated with Advisory CA-2002-03 (Multiple Vulnerabilities in Many Implementations of SNMP).

BinTec Communications AG

BinTec Communications announces that SNMP vulnerability VU#854306 reported in March has been resolved with System Software Release 6.2.1. If you do not wish to use the workarounds suggested in March in order to obviate possible exploits of VU#854306, you can update your system. The software is currently available as BETA software from www.bintec.net, and the final release is expected in June.

Please note that BETA software is susceptible to malfunctions, and that BinTec Communications does not assume responsibility for any problems arising from the use of BETA software. If you do not want to use System Software Release 6.2.1 BETA, you can still use the workarounds suggested in our initial statement.

BMC Software

BMC Software, Inc. has completed its analysis of this security advisory and has posted detailed information to its web site. Specific product information is referenced at the following location: http://www.bmc.com/info_center_support/snmp_cert_advise041802.html.

BMC's Patrol Agent was found to require a patch to fix problems found when running the test suite from Oulu University Secure Programming Group. Information on this patch can be found by referencing the above page or reviewing Problem Resolution ID 116035 from the BMC Support website, http://www.bmc.com/support.html . The BMC DevCon SNMP forum at http://devcon.bmc.com/ also has information about the PATROL patches.

Other information about this alert is also available on the BMC Support website, under News at "SNMP Advisory Posted by CERT", the direct reference to this page is: http://www.bmc.com/info_center_support/news_detail/0,2561,18962_0_125215,00.html .

CacheFlow

The purpose of this email is to advise you that CacheFlow Inc. has provided a software update. Please be advised that updated versions of the software are now available for all supported CacheFlow hardware platforms, and may be obtained by CacheFlow customers at the following URL:
http://download.cacheflow.com/
The specific reference to the software update is contained within the Release Notes for CacheOS Versions 3.1.22 Release ID 17146, 4.0.15 Release ID 17148, 4.1.02 Release ID 17144 and 4.0.15 Release ID 17149.

RELEASE NOTES FOR CACHEFLOW SERVER ACCELERATOR PRODUCTS:

RELEASE NOTES FOR CACHEFLOW CONTENT ACCELERATOR PRODUCTS:

* SR 1-1647517, VI 13045: This update modified a potential vulnerability by using an SNMP test tools exploit.

3Com Corporation

A vulnerability to an SNMP packet with an invalid length community string has been resolved in the following products. Customers concerned about this weakness should ensure that they upgrade to the following agent versions:

PS Hub 40
2.16 is due Feb 2002

PS Hub 50
2.16 is due Feb 2002

Dual Speed Hub
2.16 is due Jan 2002

Switch 1100/3300
2.68 is available now

Switch 4400
2.02 is available now

Switch 4900
2.04 is available now

WebCache1000/3000
2.00 is due Jan 2002

For updated information on CommWorks Corporation, a 3Com company, visit http://www.commworks.com/Press/Archive/2002/February/CERT_Advisory.asp

In addition, CommWorks' customers should monitor http://totalservice.commworks.com/cert_update.cfm for updated information addressing the CERT advisory, as well as information on available patches for CommWorks' products.

Caldera

Caldera International, Inc. has reproduced faulty behavior in Caldera SCO OpenServer 5, Caldera UnixWare 7, and Caldera Open UNIX 8. We have coded a software fix for supported versions of Caldera UnixWare 7 and Caldera Open UNIX 8 that will be available from our support site at http://stage.caldera.com/support/security immediately following the publication of this CERT announcement. A fix for supported versions of OpenServer 5 will be available at a later date.

Cambridge Broadband Ltd.

Cambridge Broadband's products use the ucd-snmp package, version 4.2.3, with proprietary extensions.  We have tested our build of the software with the OUSPG test suites and determined that it is not susceptible to these vulnerabilities.

Canoga Perkins Corporation

Please see http://www.canoga.com/technical_bulletins.htm

Carrier Access

Carrier Access has reviewed the  released CERT® Advisory CA-2002-03 related to security vulnerabilities that exist in network devices using SNMPv1 as the management protocol.

There are no known format string or buffer overflow vulnerabilities. Denial of service (management) is a known vulnerability of Carrier Access products residing on non-secure networks. Specific testing and a review of test reports have revealed no SNMP V1 security issues. Carrier Access has documented this finding in a Product Technical Note (PTN-02-003). To receive a copy of this documentation, please contact Carrier Access customer support center at 1-800-786-9929 or email to "tech-support@carrieraccess.com"

Recommended Actions for Network Security:
  • Review and implementation of accepted solutions outlined in section III (Solution) of CERT® Advisory CA-2002-03
  • Filter of SNMP traffic at network access points
  • Use of proprietary SNMP Community Strings
  • Segregate/Filter Network Management traffic from public domains

Check Point Software Technologies Inc.

Check Point Statement on SNMP Vulnerability Test Suite

Recently, an automated suite has been released which tests products for known SNMP vulnerabilities.

FireWall-1, by default, blocks all SNMP communication to, from, or across a FireWall-1 gateway. SNMP communication is enabled only if the administrator writes a specific rule which allows the communication.

SNMP communication is not required for correct functionality of any Check Point products.

If SNMP monitoring of Check Point firewalls is needed, Check Point recommends that the FireWall-1 rule base tightly restrict SNMP communication and that all relevant operating system security patches be applied.

Check Point knows of no SNMP-related security issues in any of its products, and has conducted an extensive review to ensure that none exist.

CipherTrust, Inc.

This is in reference to your notification regarding VU#107186 and VU#854306. CipherTrust has confirmed that IronMail is not vulnerable to these issues. IronMail allows alert notification via SNMP traps. This allows the IronMail to be integrated into SNMP managed services without being open to vulnerabilities such as these. Specifically, due to the way that IronMail uses SNMP, it does not receive requests or traps.

Cisco Systems

Cisco Systems is addressing the vulnerabilities identified by VU#854306 and VU#107186 across its entire product line. Cisco has released an advisory:
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml

CNT

Overview
On February 12, 2002, the CERT® Coordination Center of Carnegie-Mellon University issued an advisory identifying possible security vulnerabilities of multiple vendor products that utilize the Simple Network Management Protocol (SNMP) for management of those products. This advisory was based on research done by the University of Oulu in Finland. The complete advisory may be found on the CERT web site at: http://www.cert.org/advisories/CA-2002-03.html. If your site uses SNMP-based CNT products in any capacity, we encourage you to read this advisory.

I. Description
The Simple Network Management Protocol (SNMP) is a widely deployed protocol that is commonly used to monitor and manage network devices. Version 1 of the protocol (SNMPv1) defines several types of SNMP messages that are used to request information or configuration changes, respond to requests, enumerate SNMP objects, and send unsolicited alerts. The Oulu University Secure Programming Group (OUSPG, http://www.ee.oulu.fi/research/ouspg/) has reported vulnerabilities in SNMPv1 implementations from many different vendors. OUSPG's research focused on the manner in which SNMPv1 agents and managers handle request and trap messages. By applying the PROTOS c06-snmpv1 test suite (http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html) to a variety of popular SNMPv1-enabled products, the OUSPG revealed the following vulnerabilities:

VU#107186 - Multiple vulnerabilities in SNMPv1 trap handling
SNMP trap messages are sent from agents to managers. A trap message may indicate a warning or error condition or otherwise notify the manager about the agent's state. SNMP managers must properly decode trap messages and process the resulting data. In testing, OUSPG found multiple vulnerabilities in the way many SNMP managers decode and process SNMP trap messages.

VU#854306 - Multiple vulnerabilities in SNMPv1 request handling
SNMP request messages are sent from managers to agents. Request messages might be issued to obtain information from an agent or to instruct the agent to configure the host device. SNMP agents must properly decode request messages and process the resulting data. In testing, OUSPG found multiple vulnerabilities in the way many SNMP agents decode and process SNMP request messages.

Vulnerabilities in the decoding and subsequent processing of SNMP messages by both managers and agents may result in denial-of-service conditions, format string vulnerabilities, and buffer overflows. Some vulnerabilities do not require the SNMP message to use the correct SNMP community string.

II. CNT® Products
CNT has a number of products affected by the SNMP vulnerabilities described above. Each CNT product with SNMP functionality is described below along with the specific vulnerability, or lack thereof, of that product and the recommended procedures to follow with that product.

  • UltraNet® Storage Director
    The UltraNet Storage Director (USD) was tested with the PROTOS test suite. Two tests caused snmpd on the USD to abort and restart; the snmpd responded to requests specifying a community string beginning with a null; several minor ASN.1 / BER handling discrepancies related to invalid encodings were noted. Corrective code for the snmpd aborts and the community string handling issue has been developed and successfully tested. This code will be made available in the USD 2.7 software release, currently scheduled for availability in April 2002. The ASN.1 / BER invalid encoding handling issues will be addressed in a future release. CNT recommends upgrading to the USD 2.7 software release as soon as it is available.

  • UltraNet Edge Storage Router
    The UltraNet Edge Storage Router (Edge) was tested with the PROTOS test suite. Three tests caused the Edge to hang or abort, requiring a reboot. Corrective code for these errors has been developed and successfully tested. The Edge responded to requests specifying a bad SNMP version number; several minor ASN.1 / BER handling discrepancies related to invalid encodings were noted. The response to a bad SNMP version number and the ASN.1 / BER invalid encoding handling issues will be addressed in a future release. This code will be made available in the Edge software release 1.4.1, currently scheduled for release in April 2002. CNT recommends upgrading the Edge to release 1.4.1 as soon as it is available.

  • Channelink®
    The Channelink product was tested with the PROTOS test suite. All tests ran successfully. No failures occurred. No corrective action is required with the Channelink product.

  • WebView
    The WebView SNMP-based element manager was tested with the PROTOS test suite. WebView is not affected by the recent SNMP vulnerabilities found by CERT. No corrective action is required with the WebView product.

  • UltraNet CMF
    The CastleRock software upon which CNT's UltraNet CMF SNMP-based management software is based was tested with the PROTOS test suite. CastleRock has reported two test failures. Corrective code for these errors has been developed and is now being tested within UltraNet CMF. This code will be made available in the CMF release 6.4, currently scheduled for release in early May 2002. CNT recommends upgrading CMF to release 6.4 as soon as it is available.

III. CNT Product Upgrades
CNT will continue to test new releases of its products against the PROTOS test suite to ensure that additional vulnerabilities are not introduced as a result of any new releases.

To determine whether a new CNT product release is available and how to upgrade to that release when available, contact CNT Technical Support (800-752-8061 or 763-268-6600) or contact your company's CNT Technical Account Engineer (TAE).
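
The failure modes reported above (agents aborting on invalid BER lengths, answering requests whose community string begins with a NUL, answering requests carrying a bad SNMP version number) all stem from trusting the lengths and field types inside the datagram before the message has been validated. As an added example that is not CNT's, Compaq's or CERT's code, the following Python front-end decodes the SNMPv1 message header strictly and drops such datagrams before any community-string comparison is reached. The sample datagrams, the 64-byte community limit and all function names are assumptions made for this example; the sample messages are constructed here, not captured traffic.

```python
# Added example: a strict SNMPv1 message front-end. This is not CNT's,
# Compaq's or CERT's code; the sample datagrams, the community-length
# limit and all names below are constructed for illustration.

SNMPV1 = 0
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
MAX_COMMUNITY = 64  # assumed local policy limit, not a protocol constant


class MalformedSNMP(ValueError):
    """Any BER or SNMPv1 framing violation; the datagram is dropped unanswered."""


def read_tlv(buf, pos, limit):
    """Decode one BER tag and length at buf[pos]; return (tag, value_start, value_end).
    The claimed length is checked against the bytes present, so later code never indexes past the datagram."""
    if pos + 2 > limit:
        raise MalformedSNMP("truncated at offset %d: need tag and length" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        raise MalformedSNMP("indefinite length is not permitted in SNMP")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n > 4 or pos + n > limit:
            raise MalformedSNMP("long-form length of %d octets is implausible or truncated" % n)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80 or (n > 1 and length < 1 << (8 * (n - 1))):
            raise MalformedSNMP("non-minimal length encoding")
    end = pos + length
    if end > limit:
        raise MalformedSNMP("claimed length %d exceeds the %d bytes available" % (length, limit - pos))
    return tag, pos, end


def parse_snmpv1(datagram):
    """Validate the message header and return version, community and PDU type."""
    limit = len(datagram)
    tag, pos, end = read_tlv(datagram, 0, limit)
    if tag != 0x30 or end != limit:
        raise MalformedSNMP("message is not a single SEQUENCE covering the datagram")
    tag, vs, ve = read_tlv(datagram, pos, end)
    if tag != 0x02 or ve - vs != 1:
        raise MalformedSNMP("version is not a one-octet INTEGER")
    version = datagram[vs]
    if version != SNMPV1:
        raise MalformedSNMP("unsupported SNMP version %d" % version)
    tag, cs, ce = read_tlv(datagram, ve, end)
    if tag != 0x04:
        raise MalformedSNMP("community is not an OCTET STRING")
    community = datagram[cs:ce]
    if not community or b"\x00" in community or len(community) > MAX_COMMUNITY:
        raise MalformedSNMP("community string is empty, contains NUL, or is oversized")
    tag, ps, pe = read_tlv(datagram, ce, end)
    if tag not in PDU_TYPES:
        raise MalformedSNMP("unknown PDU tag 0x%02X" % tag)
    if pe != end:
        raise MalformedSNMP("trailing bytes after the PDU")
    # Only now would a real agent compare the community and decode the PDU body.
    return {"version": version, "community": community.decode("ascii", "backslashreplace"),
            "pdu": PDU_TYPES[tag]}


def triage(datagram):
    """Return ("accept", header) or ("reject", reason) without raising."""
    try:
        return "accept", parse_snmpv1(datagram)
    except MalformedSNMP as exc:
        return "reject", str(exc)


# --- constructed sample datagrams (short-form BER lengths suffice here) -----
def _tlv(tag, content):
    assert len(content) < 0x80, "samples are kept under 128 bytes"
    return bytes([tag, len(content)]) + content


def _message(version, community, pdu_tag):
    # GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), request-id 1, no error.
    varbind = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b06010201010100")) + _tlv(0x05, b""))
    pdu = _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00") + _tlv(0x30, varbind)
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community) + _tlv(pdu_tag, pdu))


VALID = _message(0, b"public", 0xA0)
SAMPLES = {
    "valid_get": VALID,
    "bad_version": _message(7, b"public", 0xA0),
    "nul_community": _message(0, b"\x00public", 0xA0),
    "oversize_length": bytes([0x30, 0x7E]) + VALID[2:],  # outer length claims 126 bytes
    "truncated": VALID[:-4],                               # datagram cut short on the wire
}
```

Running `triage` over `SAMPLES` accepts only `valid_get`; the other four are rejected with a reason string before the community is ever compared, which is the ordering the vendors above had to retrofit. The design point is that `read_tlv` bounds every claimed length against the bytes actually present, so the decoder cannot be driven past the end of the buffer regardless of what the length octets say.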

Compaq Computer Corporation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TITLE: (SSRT0779) Potential Security Vulnerabilities in SNMP
Posted at http://ftp.support.compaq.com/patches/.new/security.shtml

NOTICE: There are no restrictions for distribution of this
Bulletin provided that it remains complete and intact.

RELEASE DATE:   18 FEBRUARY, 2002

    UPDATED:   03 APRIL,    2002 - update Tru64, patch availability
               08 MARCH,    2002 - add StorageWorks products, and
                                   Compaq/Microcom based products.
               05 MARCH,    2002 - update TRU64 Information

SEVERITY: MEDIUM

SOURCE:  Compaq Computer Corporation
        Compaq Global Services
        Software Security Response Team

CROSS REFERENCE:   (SSRT0799, CAN-2002-0012,
                   CAN-2002-0013, CERT CA-2002-03)

PROBLEM SUMMARY:

The Computer Emergency Response Team (CERT/cc) has recently issued an
advisory regarding numerous potential vulnerabilities in SNMPv1
implementations. These potential vulnerabilities are applicable to
SNMPv1 trap handling and SNMPv1 Request handling. The CERT article
outlines vulnerabilities that can cause SNMP services to stop
functioning and in some cases may enable "unauthorized access,"
"denial of service attacks" or may cause system instability.

IMPACT:
Compaq NonStop Himalaya Servers:
Compaq TCP/IP Services for OpenVMS:
Compaq Tru64 UNIX:
Compaq Insight Management Suite:
Compaq Deskpro, Professional Workstation, Armada, Evo:
Compaq SANworks Hardware:
Compaq StorageWorks Products
Compaq/Microcom Products:

Compaq's findings to date regarding the SNMPv1 issues are as
follows:

________________________________
Compaq NonStop Himalaya Servers:

The Compaq Himalaya NonStop Kernel prohibits execution of code on the
stack or heap by hardware TLB permissions (read/write only),
preventing Trojan horse attacks by embedding code within the buffer
overflow area. However, process ABENDs can occur.

The SNMP agent ABENDs in the c06-snmpv1 buffer-overflow tests.
This affects forwarding trap messages and/or sending info responses
to SNMP managers.

Sub-agents use IPCs to communicate with the SNMP agent, so they
cannot be directly attacked.  More importantly, sub-agents are
confined to information only requests, so they cannot be used to
configure/manage their sub-systems. Our investigation and analysis is
continuing and further updates will be provided.

IPMs to address the ABEND problem of the SNMP are in development and
will be released as soon as verification is complete. Availability of
these IPMs will be announced in future updates. The exposure to
SNMP agent ABENDs can be reduced by running the SNMP agent as a
process-pair or by configuring auto-restart in the Persistence
Manager.

__________________________________
Compaq TCP/IP Services for OpenVMS:

There is some impact to the SNMP agent provided with Compaq TCP/IP
Services for OpenVMS. This problem can cause the SNMP agent to ACCVIO
and terminate temporarily denying service to SNMP, but in most cases
after this occurs Compaq TCP/IP Services for OpenVMS will restart
the SNMP agent in response to the next SNMP request. There are no
known risks of compromising system security due to this problem.
The SNMP agent executes from a non-privileged process, which
prevents any compromise to system security.

Our investigation and analysis has determined the cause of the
problem. The updated images for Compaq TCP/IP Services for OpenVMS
are now in final test. Compaq will provide updates to Compaq TCP/IP
Services for OpenVMS in the next ECO and also in the next release,
Compaq TCP/IP Services for OpenVMS V5.3. Contact Compaq's Customer
Support Center if an earlier update is required.

__________________
Compaq Tru64 UNIX:

UPDATE: 02 April, 2002

There is no known risk of compromising Tru64 UNIX system security
due to the recent SNMP attack.  The SNMP agent provided with
Tru64 UNIX is susceptible to a limited problem - the SNMP
agent may stop responding to SNMP requests, or it may incur a
segmentation fault, generate a core file, and exit. Either scenario
denies SNMP service to SNMP-based network management applications.
However,  we have not found the attack to cause the system to be
unstable, vulnerable to "unauthorized access",  or subject to any
denial of service other than to the SNMP service.

Impacted Tru64 UNIX operating system versions include:
Tru64 UNIX 4.0f, 4.0g, 5.0a, 5.1, 5.1a.

SOLUTION:

  Until the Tru64 UNIX fixes are available in the mainstream release
  patch kits, Compaq is releasing the following Early Release Patch
  Kit(s) (ERPs) publicly for use by any customer.

  The Early Release Patch kits use dupatch to install and will not
  install over any Customer-Specific-Patches (CSPs) which have file
  intersections with the ERPs. Raise an IPMT case to UNIX Support
  Engineering if you need a CSP merged with one of the following
  ERPs.

  The fixes contained in the Early Release Patch (ERP) kits will be
  available in the next mainstream patch kit(s) for:
       - Tru64 UNIX 4.0F PK8
       - Tru64 UNIX 4.0G PK4
       - Tru64 UNIX 5.0A PK4
       - Tru64 UNIX 5.1  PK5
       - Tru64 UNIX 5.1A PK2

  ---------------------
  Early Release Patches
  ---------------------

  Tru64 UNIX 4.0F
  PREREQUISITE:    Tru64 UNIX 4.0F with PK7 (BL18) installed
  ERP Kit Name:    DUV40FB18-C0071301-13866-ES-20020401
  Kit Location: http://ftp1.support.compaq.com/public/unix/v4.0f/


  Tru64 UNIX 4.0G
  PREREQUISITE:    Tru64 UNIX 4.0G with PK3 (BL17) installed
  ERP Kit Name:    T64V40GB17-C0012100-13640-ES-20020313
  Kit Location: http://ftp1.support.compaq.com/public/unix/v4.0g/


  Tru64 UNIX 5.0A
  PREREQUISITE:    Tru64 UNIX 5.0A with PK3 (BL17) installed
  ERP Kit Name:    T64V50AB17-C0019600-13593-ES-20020308
  Kit Location: http://ftp1.support.compaq.com/public/unix/v5.0a/


  Tru64 UNIX 5.1
  PREREQUISITE:    Tru64 UNIX 5.1 with PK4 (BL18) installed
  ERP Kit Name:    T64V51B18-C0109002-13712-ES-20020318
  Kit Location: http://ftp1.support.compaq.com/public/unix/v5.1/


  Tru64 UNIX 5.1A
  PREREQUISITE:    Tru64 UNIX 5.1A with PK1 (BL1) installed
  ERP Kit Name:    T64V51AB1-C0014802-13710-ES-20020318
  Kit Location: http://ftp1.support.compaq.com/public/unix/v5.1a/

  MD5 and SHA1 checksums are available in the public patch notice for
  the ERP kits. You can find information on how to verify MD5 and
  SHA1 checksums at:
       http://www.support.compaq.com/patches/whats-new.shtml

________________________________
Compaq Insight Management Suite:

(ProLiants running industry standard operating systems including
Windows 2000, NetWare, Linux, etc)

The Compaq Insight Management Suite utilizes SNMP as a primary
communications method.  Fixes to the operating systems affected will
be provided by the vendors involved.  Check
http://www.compaq.com/manage/security for the most up-to-date
information.

_______________________________________________
Deskpro, Professional Workstation, Armada, Evo:

The Deskpro, Professional Workstation, Armada, and Evo (Microsoft
operating systems including Windows XP, Windows 2000, Windows 98, and
Windows 95) Compaq Management Agents for Clients utilize SNMP as an
optional communications method.

Fixes to the operating systems affected
will be provided by Microsoft.  Check
www.microsoft.com/technet/security/bulletin/MS02-006.asp for the most
up-to-date information.


_____________________________________
Compaq SANworks Management Appliance:

The SANworks management appliance is essentially a Compaq server and
our recommended configuration does not have it connected directly to
the internet.  Therefore, it is less exposed than other servers to
external SNMP security attacks.  However, the appliance is
susceptible to SNMP security attacks from inside the firewall that
could result in the graceful termination of some storage management
applications on the appliance.

Compaq will provide a patch to the appliance as soon as possible.

_____________________________
COMPAQ STORAGEWORKS PRODUCTS:

UPDATE: 08 MARCH, 2002

The following Compaq StorageWorks products have Ethernet
connections that may potentially be exposed to the SNMPv1
vulnerability:

Compaq StorageWorks SAN Switch 8, 8-EL, 16, 16-EL, 2/16, Integrated
32 or 64 Port
Compaq StorageWorks SAN Director 64
Compaq StorageWorks Modular Data Router
Compaq StorageWorks 12 Port Fibre Channel Managed Hub
Compaq StorageWorks 20/40 GB 8 Cassette AutoLoader


RESOLUTION:
Compaq StorageWorks SAN Switch 8, 8-EL,
16, 16-EL, 2/16, Integrated 32 or 64 Port:
There are currently no known issues related to vulnerability
notes VU#854306 or VU#107186 with these products.
They have passed all validation tests conducted to date.

Compaq StorageWorks SAN Director 64:
This product has been evaluated with a SNMP based test program that
attempts to overload the director with SNMP traffic such as GET, Set
and Get Next commands. No problems were found in this testing.
Additionally, Compaq is in the process of evaluating the details of
the SNMP implementation in this product. Any problems identified that
are determined to pose a risk to customer operations will be
documented and addressed in future maintenance releases. Note that
the advisory documented two areas of vulnerability. One area involves
Trap handling on the part of SNMP Management components, and the
other area involves the processing of GET, Set and Get Next commands
on the part of SNMP Agent components. The director implements only
the SNMP Agent components, so none of the problems related to Trap
handling apply. Also, the SNMP Agent on the director management
server is disabled by default.  No SNMP messages are processed by
the management server unless the systems administrator has explicitly
enabled the SNMP Agent.  On the director itself, the SNMP Agent is
enabled by default, but for read access only.

Compaq StorageWorks Modular Data Router:
The potential vulnerability has to do with SNMP Set commands.
The only Set command the MDR allows is to set the trap address.

Compaq StorageWorks 12 Port Fibre Channel Managed Hub:
Compaq is in the process of evaluating the SNMP implementation
in this product.

Compaq StorageWorks 20/40 GB 8 Cassette AutoLoader:
Compaq is in the process of evaluating the SNMP implementation
in this product.

________________________
COMPAQ/MICROCOM PRODUCTS:

UPDATE: MARCH 08, 2002
_________________________________________
Microcom Access Integrator (All Versions)
Compaq-Microcom 6000 Series Remote Access Concentrators(All Versions)

Both products use SNMPv1 protocol as the transport for system
management, either through expressWATCH, or third party SNMP clients.
These products are normally managed over the LAN by clients using IP
ports UDP 161 for SNMP and UDP 162 for SNMP Traps.  The SNMP agents
integrated in these products cannot be disabled. Access to the system
via the PRI, T1 or analog modules does not present a security risk
related to SNMPv1.

Incursions may result in instability of the system requiring a hard
reset of one or more of the systems modules, which will result in
temporary loss of connectivity to dial in clients. Users will be
able to reconnect after the system has reset.

RECOMMENDATIONS:
Compaq recommends the following precautions in accordance with good
general networking administration practices.

1. Apply perimeter filtering to SNMP traffic. Upstream
internet routers, or Firewall should be configured to filter
UDP ports 161 and 162.

2. Compaq has always recommended that the associated
engines contained in the CM6000 Series reside on an internal
network using a non-routable private addressing scheme.

3. The system should not be managed over the internet or
a non-secure LAN.

______________________________
Microcom ISPorte (All Versions)
Compaq Microcom 4000 concentrator

These products make very limited use of the SNMPv1 protocol on
the Ethernet portion of their PRI/T1 modules. In the limited
number of installations where digital calls are being tunneled
to NT servers on the connected LAN, there is a potential for
SNMP packets to reach the PRI/T1 card through its Ethernet
port. Access to the system via the analog modem modules does
not present a security risk related to SNMPv1.

Incursions may result in instability of the PRI/T1 card, resulting
in a loss of connectivity for dial in users. A hard reset is the
only way to correct these failures, but a hard reset will also
disconnect all remaining users. Users will be able to reconnect
after the system resets.

RECOMMENDATIONS:
Compaq recommends the following precautions in accordance with good
general networking administration practices.

1. Apply perimeter filtering to SNMP traffic. Upstream internet
routers should be configured to filter UDP ports 161 and 162.

2. If the system is being used for analog dial in access only,
it should not be connected to the LAN via the Ethernet port on
the PRI/T1 card.

___________________________
Microcom SNMP HDMS+ System (Version 1.3.1)

The great majority of HDMS+ systems installed do not have SNMP
capabilities and are therefore not at risk. These systems can be
identified by the absence of a 10baseT connector on the rear of the
controller card.

A limited number of SNMP HDMS+ systems were produced; this product
uses SNMPv1 protocol as the transport for system management.
Management clients can include either expressWATCH, or third party
SNMP clients.

The product can be managed over the LAN by clients using IP ports
UDP 161 for SNMP and UDP 162 for SNMP Traps, or through a serial
RS232 port using SLIP.  The SNMP agents integrated in these products
cannot be disabled. Access to the system via the analog modem modules
does not present a security risk related to SNMPv1.

Incursions may result in instability of the systems management
controller, which may require a hard reset. The reset of this
controller may result in a temporary loss of connectivity for
dial in users. Dial in users will be able to reconnect after
the system has reset.

RECOMMENDATIONS:
Compaq recommends the following precautions in accordance with good
general networking administration practices.

1. Apply perimeter filtering to SNMP traffic. Upstream
internet routers or firewalls should be configured to filter
UDP ports 161 and 162.

2. The system should not be managed over the internet.

3. The system should not be managed over a non secure LAN.
Direct management via a serial RS232 SLIP connection would be
recommended.

For assistance or clarification on any of the recommendations for
Compaq/Microcom products, please call 01-800-652-6672 and from
the menu select 2,3,1 then enter routing code 1851

____________________________________________________________________




NOTE:

Many systems operate behind firewalls and would normally
implement blocking of SNMP as standard procedure. Based on SNMP
blocking and ingress/egress filtering, the potential Security
vulnerability may only be exploited by users who have access to your
local security domain, therefore the risk is diminished.


SUPPORT:

This advisory bulletin will be updated for the various
products requiring patches and individual patch notifications
will be done through standard "patch notification" procedures
for those products. For further information, contact your normal
Compaq Support channel.


SUBSCRIBE:

To subscribe to automatically receive future Security
Advisories from Compaq's Software Security Response Team via
electronic mail:

http://www.support.compaq.com/patches/mailing-list.shtml

REPORT:

To report a potential security vulnerability with any Compaq
supported product, send email mailto:security-ssrt@compaq.com
or mailto:sec-alert@compaq.com

Compaq appreciates your cooperation and patience. As always,
Compaq urges you to periodically review your system management
and security procedures. Compaq will continue to review and
enhance the security features of its products and work with
our customers to maintain and improve the security and integrity
of their systems.

"Compaq is broadly distributing this Security Bulletin in order to
bring to the attention of users of the affected Compaq products the
important security information contained in this Bulletin.
Compaq recommends that all users determine the applicability of
this information to their individual situations and take appropriate
action.  Compaq does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently,
Compaq will not be responsible for any damages resulting from
user's use or disregard of the information provided in this
Bulletin."

Copyright 2002 Compaq Information Technologies Group, L.P.
Compaq shall not be liable for technical or editorial errors
or omissions contained herein. The information in this document
is subject to change without notice. Compaq and the names of
Compaq products referenced herein are, either, trademarks
and/or service marks or registered trademarks and/or service
marks of Compaq Information Technologies Group, L.P. Other product
and company names mentioned herein may be trademarks and/or service
marks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBPLQ7jznTu2ckvbFuEQLuTwCgrJV3CBEwYiFEbWsCF0mbHBRVc/oAoNcI
1KxCsylGTohymyn9t4kbuR/C
=F6B1
-----END PGP SIGNATURE-----

Computer Associates

Computer Associates has confirmed Unicenter vulnerability to the SNMP advisory identified by CERT notification reference [VU#107186 & VU#854306] and OUSPG#0100. We have produced corrective maintenance to address these vulnerabilities, which is in the process of publication for all applicable releases / platforms and will be offered through the CA Support site. Please contact our Technical Support organization for information regarding availability / applicability for your specific configuration(s).

COMTEK Services, Inc.

In reference to your notification regarding [VU#617947] [OUSPG#0100], vulnerabilities in COMTEK Services' SNMP products are as follows:

NMServer for AS/400 is not an SNMP master and is therefore not vulnerable. However this product requires the use of the AS/400 SNMP master agent supplied by IBM.  Please refer to IBM for statements of vulnerabilities for the AS/400 SNMP master agent.

NMServer for OpenVMS has been tested and has shown to be vulnerable.  COMTEK Services has released a new version (version 3.5) of this product that includes a fix for this problem.  Contact COMTEK Services support@comtekservices.com to arrange to download the new version.

NMServer for VOS has not as yet been tested; vulnerability of this agent is unknown.  Contact support@comtekservices.com for further information on the testing schedule of the VOS product.

Concord Communications, Inc.

Concord's eHealth Console product has some vulnerabilities to the OUSPG test suite. Patches are available.

Concord's SystemEDGE agent has been tested and is not vulnerable on Unix platforms. Under Windows, it is a sub-agent of the Windows SNMP agent, and therefore the Windows hot fixes should be applied. SystemEDGE is not vulnerable on Win2K and XP with Microsoft's hot fixes.

Please see this page on Concord's web site for more detail and for patch availability: http://www.concord.com/certadvisory.shtml

Conectiva

The ucd-snmp package from Conectiva Linux 5.0, 5.1, 6.0, 7.0, "ferramentas gráficas" and "ecommerce" are affected by this vulnerability. Previous Conectiva Linux releases are also affected, but they are no longer supported and no update will be provided for them.

New packages will be provided shortly and will be announced to our mailing lists and updates website ( http://distro.conectiva.com.br/atualizacoes/).

Controlware GmbH

In order to determine the impact of these vulnerabilities, Controlware immediately started extensive testing of the affected products. The results of these tests can be viewed on the Website.

Corsaire Limited

Corsaire Limited response to SNMP Vulnerability Test Suite (CERT Advisory CA-2002-03)

Corsaire Limited have analysed the Secure Technical Assistance Centre (STAC) SNMP agent software that is used as part of their managed services solution and can confirm that the agent is not susceptible to any of the vulnerabilities reported.

The STAC SNMP agent software has been entirely developed in-house and does not rely on any third-party libraries. Probing by the PROTOS test suite is correctly recognised as malformed packets and reported as such within the audit trail.

Further information is available from http://www.corsaire.com

Covalent Technologies

Covalent Technologies has tested the Enterprise Ready Server, Managed Server, and Covalent Conductor SNMP module according to recommendations issued by CERT, and has found no security vulnerabilities associated with Advisory CA-2002-03.

Cray Inc.

Cray, Inc. had opened spr 721879 to track this problem. At this time, Cray suggests that Unicos and Unicos/mk sites disable the SNMP daemon.

CSCare, Inc.

As a result of this advisory, CSCare has conducted extensive testing of its products. We have determined that exploiting these vulnerabilities can interfere with the normal operation of Trap Console 1.4b. Results have not indicated any vulnerability that will allow an attacker to gain access to the host computer. It has been determined that Active SNMP 2.0b is not vulnerable.

CSCare has released Trap Console 1.4c update on March 5, 2002. This release containing fixes for all known vulnerabilities is now available for download at http://www.cscare.com/TrapConsole.

For more information, please feel free to contact CSCare by email at info@cscare.com or by phone at 408-490-2736.

Dart Communications

In response to CERT® Advisory CA-2002-03, the PowerTCP SNMP Tool has been reviewed and found vulnerable for issue VU#854306 and VU#107186.  To address these issues, an update of the PowerTCP SNMP Tool will be released on February 28th, 2002.  Details of the specific problems found and the methods used to address these vulnerabilities will be included in the PowerTCP Release History at http://www.dart.com/downloads/update.txt .  If you have any questions concerning PowerTCP SNMP security vulnerabilities, please contact Dart Communications at support@dart.com.

Dartware, LLC

Dartware, LLC (www.dartware.com) supplies two products that use SNMPv1 in a manager role, InterMapper and SNMP Watcher. These products are not vulnerable to the SNMP vulnerability described in [VU#854306 and VU#107186]. This statement applies to all present and past versions of these two software packages.

In addition, our port of net-snmp to MacOS X has been updated to version 4.2.2, and is not susceptible to this attack. More information is available from http://www.dartware.com/net-snmp/

Dell

Title
Dell Response to CERT® Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)

Audience
For worldwide distribution provided that the contents are not altered in any way.

Released
April 8, 2002

Updated
April 19, 2002 (Updated the Dell PowerVault section regarding PowerVault 701N and PowerVault 705N)

Reference
CERT Advisory CA-2002-03 - http://www.cert.org/advisories/CA-2002-03.html

Overview
The CERT/CC released an industry-wide SNMP advisory on February 12, 2002. An SNMPv1 test suite provided by the Oulu University Secure Programming Group (OUSPG) has been found to adversely affect many SNMPv1 implementations, causing the potential for “unauthorized privileged access”, “denial-of-service attacks” and general unstable behavior.

Potential Impact
Dell PowerEdge
Dell OpenManage
Dell PowerVault
Dell PowerApp
Dell PowerConnect


Dell PowerEdge, Dell OpenManage
Dell PowerEdge servers running Dell OpenManage software utilize SNMPv1, however this software makes use of the operating system’s master SNMP agent. After applying the appropriate update(s) from the operating system manufacturer, Dell SNMP agents are not affected.

Solution: Apply the appropriate update(s) provided by the operating system vendor. For more information, click here.


Dell PowerVault
The following Dell PowerVault storage systems have been found vulnerable to the OUSPG SNMPv1 test suite:

Dell PowerVault 701N
Dell PowerVault 705N

Solution: These devices require an update from Dell.

The Dell PowerVault Assist utility that is required to update both PowerVault 701N and PowerVault 705N devices can be found here.
The updated image for both the PowerVault 701N and PowerVault 705N devices can be found here.


Dell PowerApp
The following Dell PowerApp appliance has been found vulnerable to the OUSPG SNMPv1 test suite:

Dell PowerApp 220 (Dell PowerApp.BIG-IP)

Solution: This device requires an update from Dell.

Information regarding the update for non-encrypted devices can be found here.
Information regarding the update for encrypted devices can be found here.


Dell PowerConnect
All Dell PowerConnect devices successfully passed the test cases provided by the OUSPG SNMPv1 test suite.


Operating System Vendor Information
The following Dell supported operating system vendors have released information regarding their SNMPv1 vulnerabilities:

Microsoft®
http://www.microsoft.com/technet/security/bulletin/MS02-006.asp

Novell®
http://support.novell.com/servlet/tidfinder/2961546

Red Hat®
http://www.redhat.com/support/errata/RHSA-2001-163.html


Dell Computer Corporation has provided this advisory bulletin in response to the concerns raised by OUSPG and to provide information to users of Dell systems regarding its SNMP implementation. Dell recommends that users review this information and determine its applicability to their individual situations. In addition, Dell does not provide any warranty as to the accuracy or completeness of this information and will not be liable for damages that may result from usage or disregard of the information provided. The information provided is subject to change. For further information and related updates, please contact your standard Dell support channel. Dell retains ownership of its trademarks and service marks as well as the information contained in this advisory bulletin.

Digital Networks

Digital Networks is addressing the vulnerabilities identified in this
advisory.  The latest information on the effect of this vulnerability on
Digital Networks products as well as any remedial software patches can be
found at http://www.digitalnetworks.net/support.

D-Link Systems, Inc.

D-Link has tested our DES-3226, DES-3326, DES-3624i and DES-6000 products and determined that these products are not susceptible to the SNMP vulnerability issue.  Since all D-Link products with SNMP agent use the same code base, D-Link has concluded that all of our products do not have the SNMP vulnerability issue.  However, we continue to evaluate and investigate all D-Link products implemented with SNMP agent.  Upon completion of our evaluation, D-Link will provide and post an update with our thorough test results.

DMH Software

DMH Software applied the OULU University test suite to its various
portable snmp-agent products: SNMPv1, SNMPv2c and SNMPv3.

We found that the following or later releases of DMH portable
snmp-agent products are NOT vulnerable to CERT vulnerability advisory
VU#854306 (Multiple vulnerabilities in SNMPv1 request handling)


(1) SNMPv1  Agent version - 2.0.9.1

(2) SNMPv2c Agent version - 3.0.5.3

(3) SNMPv3  Agent version - 4.0.8.2


The above releases, or newer releases, are currently available to our
customers. We strongly recommend our customers to contact us to obtain
an upgrade and update their source code.

Please note that we received notes from some of our customers who
reported that previous releases of DMH snmp-agent products were tested
and found not vulnerable to VU#107186. Nevertheless we recommend an
upgrade to the recent releases.

Efficient Networks, Inc.

Efficient Networks, Inc. has reviewed CERT Advisory CA-2002-03 and is performing the recommended tests to determine if its products are impacted. The following products do not have SNMP management capabilities and are not affected: SpeedStream 1000, 2000, 3000, 4000, 5200, and 5300 series devices, as well as the 5667 bridge product.  Testing is still in progress on other Efficient Networks' products. Efficient Networks will continue to update its statement on this site as additional information becomes available.

EnGarde Secure Linux

EnGarde Secure Linux did not ship any SNMP packages in version 1.0.1 of our distribution, so we are not vulnerable to either bug.

Enterasys

On 12-February-2002, CERT (http://www.cert.org) announced serious vulnerabilities in the SNMP implementations of virtually every networking vendor's equipment. These vulnerabilities were discovered by a Finnish research group known as OUSPG, associated with Oulu University, and are documented in advisory CA-2002-03.

These vulnerabilities exist in all versions of SNMP (v1/v2c/v3) and can be used to cause SNMP implementations to behave in an unpredictable manner, resulting in denials of service or system failures.

Given the serious nature of these vulnerabilities, Enterasys is testing our product line to determine which products are affected. Patches for affected products will be made available to our customers. Please check the Enterasys Support web site periodically for further details and patch information.

Until these patches become available, Enterasys recommends that the following steps be taken to help reduce exposure to these vulnerabilities.

  • Disable SNMP from interfaces through which SNMP commands should not be received, such as those providing connection from the Internet or Extranets.
  • Use Access Control Lists at the access edge to prevent SNMP traffic from unauthorized internal hosts from entering the network.
  • Use management VLANs or out-of-band management to contain SNMP traffic and multicasts. These do not prevent an attacker from exploiting these vulnerabilities, but they may make it more difficult to initiate the attacks.
  • Enable 802.1X port-locking and RADIUS to prevent unauthenticated users from attaching to the network.
  • Use NetSight Policy Manager to automatically restrict the use of SNMP to authenticated, SNMP-authorized personnel.
  • Update Dragon IDS signatures to help identify when these attacks are being used.

Entrada Networks

This is in reference to your notification regarding VU#854306, VU#107186, and OUSPG#0100. Entrada Networks has reproduced this behavior and coded a software release enhancement for the affected products which is currently in regression testing within Entrada Networks' Quality Assurance organization. The release of Entrada Networks software enhancement addressing the behavior outlined in VU#854306, VU#107186, and OUSPG#0100 will be available to Entrada Networks, Sync Research, and Rixon Networks customers with Software Subscription Service on a request basis, no later than April 15, 2002.

Entrada Networks has also produced a document discussing the alternative workarounds or configuration options to address the behavior outlined in VU#854306, VU#107186, and OUSPG#0100.This document is also available on request from customers. Please contact the Technical Support organization at 800-331-8669 for more information.

Entrada Networks is providing the statement below as a response to
be included in your vendor's statement section on SNMP CERT Alert 2002-03.

Entrada Networks Sync Research, Inc. and Rixon Networks, Inc., (both are companies of Entrada Networks)

Entrada Networks, through the companies of Sync Research, Inc. and
Rixon Networks ,has confirmed vulnerability to the SNMP advisory identified
by CERT notification reference [VU#107186 & VU#854306] and OUSPG#0100.

Sync Research also manufactures and supports products formerly
manufactured by Tylink, Inc. and Osicom, Inc.
Rixon Networks, Inc. also manufactures and supports products
formerly manufactured by Osicom, Inc.

Entrada Networks has run all the test cases found in the PROTOS test-suite, c06snmpv1:
   1. c06-snmpv1-req-app-pr1.jar
   2. c06-snmpv1-req-enc-pr1.jar
   3. c06-snmpv1-trap-app-pr1.jar
   4. c06-snmpv1-trap-enc-pr1.jar

   The tests were run with standard delay time between the requests
(100ms).

   Entrada Networks, through their companies of Sync Research and Rixon
Networks, supplies a broad range of networking products, some of which are
affected by the SNMP vulnerabilities identified by CERT Coordination Center.
The manner, in which, they are affected and the actions required to avoid
being impacted by exploitation of these vulnerabilities varies from product
to product.
  
Entrada Networks customers may contact our Technical Support Center
via either telephone 800-331-8669 or via email: mailto:support@sync,com  for
additional information, especially regarding their availability of the
latest enhanced code releases addressing the SNMP vulnerabilities.

   The tests that were run apply to the following Entrada Networks,
Sync Research, and Rixon Networks  products.

   The Sync Research FRADs (3600,3700, 4200, and 4300 series), the
Tylink FRAPs (D-FRAP, M-FRAP, S-FRAP, T-FRAP),
   Sync Research management platform (Envisage for Windows and Envisage
for UNIX) and the Osicom Routermate series.
   The software tested on these products was the latest software
releases that are generally available.

   Entrada Networks is in the process of creating a publication for all
applicable releases / platforms and will be offering this publication
through the Entrada Networks Support site at
<http://www.entradanetworks.com>  or the Sync Research, Inc. site at
<http://www.sync.com> at a future date.

   Please contact our Technical Support organization for information
regarding availability / applicability for your specific configurations.

   Following is a list of companies whose products are addressed by
this preliminary response:

   Sync Research, Inc. (see Entrada Networks)
   Osicom, Inc. (see Entrada Networks)
   Rixon Networks, Inc. (see Entrada Networks)
   Torrey Pines Networks, Inc. (see Entrada Networks)
   Tylink, Inc. (see Entrada Networks)

Equinox Systems

This is in reference to the CERT Advisory CA-2002-03 addressing potential security vulnerabilities that exist in network devices using SNMPv1 as the management protocol.  Equinox has determined that exploitation of these vulnerabilities may interfere with normal operation of our ESP serial hub through malicious use of the management interfaces provided for its Equiview Plus application.  We are evaluating the impact on the ESP and will release appropriate fixes if necessary.  In the interim, Equinox recommends the following mitigation procedures.

In most network environments, firewalls are deployed to prohibit externally originating SNMP traffic and both detect and prevent Denial of Service attacks.  Since the ESP does not currently allow for disabling of SNMP, it is recommended that this device be operated in a secure environment in conjunction with the following SNMP network security safeguards:

1. Filter SNMP access to managed devices to ensure the traffic originates from known management systems
2. Use upstream firewall/access lists to deny access to the SNMP agents accessible on the network
3. Use access profiles to deny SNMP access to unknown users
4. Use dedicated management VLANs or out-of-band management to contain SNMP traffic and multicasts
5. Change the default community strings

Equinox will continue to address potential security problems across its product line and provide patches as circumstances dictate.

e-Security, Inc.

e-Security Advisory:
SNMPv1 Request and Trap Handling Vulnerabilities
Revision 1.0
Release Date: March 14, 2002

Summary

On February 12, 2002 the CERT®/CC released an advisory related to security vulnerabilities that may exist in network devices using SNMPv1 as the management protocol. The vulnerabilities may allow unauthorized privileged access, denial of service attacks, or cause unstable behavior.  In response to this advisory, "CERT® Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)", e-Security began executing the tests that elicit these vulnerabilities for all e-Security products.

The issue centers on the SNMP library that we use in our products to communicate in SNMP versions 1, 2 & 3.  Currently, e-Security uses SNMP Research's Emanate 15.2.7 with our agents (e-Wizard and eSAW) and UC Davis 4.0.1 with our control center (e-Sentinel and OeSP).

Preliminary test results have indicated that e-Sentinel, e-Wizard, OeSP, and e-SAW products exhibited the vulnerabilities in the CERT® Advisory.

Though we were affected by the vulnerabilities in our code, note this should not be viewed as a negative statement on the SNMP protocol, as the latest packages from UC Davis and SNMP Research are not vulnerable to these exploits.

Solution

e-Security has applied the PROTOS c06-SNMPv1 test suite to all e-Security products and has released patches to eliminate these vulnerabilities.  Our patches address e-Security products through v.3.1.  Future releases of e-Security products will utilize the latest packages from UC Davis and SNMP Research which have resolved these vulnerabilities.

e-Security also recommends considering one or more of the following solutions to minimize your network's potential exposure to these vulnerabilities:

· Ingress filtering
· Egress filtering
· Filter SNMP traffic from non-authorized internal hosts
· Change default community strings

For Further Information

Contact e-Security Customer Support at 1-800-474-3131, or you can e-mail us at support@esecurityinc.com.

Evidian Inc.

VU#854306

This advisory is not applicable to OpenMaster for Telecom as it is a management system and not an agent. As a management system, OpenMaster for Telecom processes subsequent SNMP responses or sends SNMP requests but doesn't process any SNMP requests.

VU#107186

Evidian will issue a bulletin regarding this advisory once we have completed the investigation.

Extreme Networks

Extreme Networks has identified the vulnerability outlined in this CERT Advisory CA-2002-03 and is addressing the issue. A technical advisory has been released. Please go to the following web site for information:
http://www.extremenetworks.com/support/techsupport.asp.

F5 Networks

All versions of BIG-IP, 3-DNS, GLOBAL-SITE and EDGE-FX are vulnerable if the SNMP agent is enabled. Most versions have the SNMP agent enabled by default. Patches are available for all affected versions.

SEE-IT is not affected by this vulnerability.

If a customer is unable to install the patch, the SNMP service may be disabled. Below are instructions for obtaining patches and for disabling the SNMP service for each vulnerable product.

BIG-IP

A patch exists to correct this problem. Please see http://tech.f5.com/home/bigip/solutions/security/sol1622.html .

Alternatively, you can simply disable the SNMP service using the instructions below:

  1. Log in to the BIG-IP Configuration utility.

  2. Navigate to the SNMP section. For version 4.0 and above this is a tab under System Administration.

  3. De-select the Enable box at the top of the screen and click the Apply button.

This will disable the SNMP service on BIG-IP.


3-DNS

A patch exists to correct this problem. Please see http://tech.f5.com/home/3dns/solutions/security/sol1624.html .

Alternatively, you can simply disable the SNMP service using the instructions below:

  1. Log in to the 3-DNS Configuration utility.

  2. Navigate to the SNMP section. This is the tab under 3-DNS Sync .

  3. De-select the Enable box at the top of the screen and click the Apply button.

  4. Log in to the Command Line Interface of the 3-DNS.

  5. Run the following command:

    kill -9 `ps -ax | grep snmpd | awk '{print $1}'`

This will disable the SNMP service on 3-DNS.


GLOBAL-SITE

A patch exists to correct this problem. Please see http://tech.f5.com/home/globalsite/solutions/security/sol1626.html.

Alternatively, you can simply disable the SNMP service using the instructions below:

GLOBAL-SITE version 2.2

To disable the SNMP agent for GLOBAL-SITE version 2.2, type the following command from the command prompt:

ITCMconsole service snmpd stop

This command stops the snmpd agent.

ITCMconsole service snmpd disable

This command disables snmpd so it does not start again at the next boot.

To verify the status of snmpd, enter the following command:

ITCMconsole show snmpd status


GLOBAL-SITE version 2.1PTF-01 and earlier:

On versions 2.1 PTF-01 and earlier, snmpd is not running by default so the GLOBAL-SITE Controller should not be affected. However, if you have enabled snmpd manually, you should disable it.


EDGE-FX

A patch exists to correct this problem. Please see http://tech.f5.com/home/edgefx/solutions/security/sol1625.html .

Alternatively, you can simply disable the SNMP service using the instructions below:

There are three SNMP daemons running on the cache. By default, the EDGE-FX Cache runs the snmpd, the edgefxsnmpd, and Inktomi's snmpdm.

Disabling snmpd and edgefxsnmpd

To disable and stop the SNMP agents, you should use the ITCMconsole. Type the following commands from the command prompt:

ITCMconsole service snmpd stop

This command stops the snmpd agent.

ITCMconsole service snmpd disable

This command disables snmpd so it does not start again at the next boot.


To verify the status of snmpd, enter the following command:

ITCMconsole show snmpd status


Once the snmpd and edgefxsnmpd daemons are disabled, no other snmp traffic will be accepted.


Disabling snmpdm

The snmpdm agent is also enabled by default. This Inktomi specific agent can be disabled or killed. In order to avoid traffic server anomalies, you should not kill this daemon.

According to CERT® Advisory CA-2002-03 :

"Inktomi Corporation does not believe our [Inktomi] CDS product is vulnerable. Vulnerability would stem from the use of SNMP Research software in the CDS product. However, SNMP Research has stated that their product Emanate, versions 15.x and higher, is not vulnerable. As Inktomi's CDS uses Emanate 15.3, we [Inktomi] conclude that CDS is not vulnerable."

Inktomi's CDS contains the same Traffic Server that EDGE-FX utilizes, which contains the Emanate 15.3 daemon (snmpdm).

If you still want to kill this SNMP agent, you can use the Configuration utility or the command line.

To disable the SNMP agent from the Configuration utility:

  1. From your browser, access the Configuration utility (refer to Accessing the Configuration utility).

  2. On the Configure tab, click the Server button.

  3. Scroll to the SNMP section of the Server Basics page.

  4. Click the SNMP Agent Off radio button.

  5. Click the Make These Changes button.

To disable the SNMP agent manually:

  1. In a text editor, open the records.config file located in the EDGE-FX Cache’s /config/traffic_server/config directory.

  2. Edit the following variable:

    proxy.config.snmp.master_agent_enabled

    Set this variable to 0 to disable SNMP on the EDGE-FX Cache node.

  3. Save and close the records.config file.

  4. Make the /usr/local/cache/bin directory the working directory and run the following command to apply the configuration changes.

    ./traffic_line -x

    Note: you can also use the following command to restart the traffic_server: start_traffic_server.


SEE-IT

It has been determined that SEE-IT is not vulnerable.

Fluke Corporation

Fluke Networks' response to CERT Advisory 2002-03

The CERT® Coordination Center recently announced that numerous vulnerabilities have been reported in multiple vendors' SNMP implementations. For your information, Fluke Networks has created the following Q&A which includes a tutorial, Using Fluke Networks products to manage SNMP risk on your network.

Q&A

What is the actual risk?

The impact of the vulnerability is different for each vendor and their own products. For SNMP agents and Trap listeners running on network operating systems, some attacks could bypass system security controls. Overall, most attacks resulted in a “denial-of-service” in which the entire product or portions of the product stopped working properly.

Which Fluke Networks products are affected?

Fluke Networks has tested its products that listen for SNMP Traps or contain an internal SNMP agent. It has been discovered that some circumstances exist that could potentially cause a “denial-of-service” condition for a Fluke Networks product, forcing the product to “hang” or reboot. However, this situation would only affect Fluke Networks products and would not compromise our customers’ networks.

Fluke Networks products that could be affected include the OptiView™ Integrated Network Analyzer, the OptiView™ Workgroup Analyzer and the OptiView™ Link Analyzer.

As of this writing, there have been no known "denial-of-service" incidents reported with Fluke Networks products. To reiterate, should such an event occur involving a Fluke Networks product, this would not affect the operation of customers' networks or any of their network infrastructures. Nor would there be any risk of anyone externally gaining access to customer data.

Future action

At this time, we plan to resolve all known vulnerabilities in the next scheduled software update for the affected products. Customers who participate in the Gold Priority Support program will be eligible to receive these updates as part of their membership. Customers who do not participate in this program should contact our Technical Assistance Center (TAC) at 1-800-638-3497 (North America) or +1-425-446-4519 (Outside North America).

Recommendations

We recommend the following "best practices" to reduce the potential risk of SNMP related attacks:

1. Ensure that your external firewalls deny all incoming SNMP traffic.
2. Change the default community strings for all SNMP devices. Audit your network for devices using the community strings of "public" and "private" as well as for those other community strings that are set by default by equipment manufacturers.
3. Analyze SNMP traffic for patterns of attack.

Tutorial: Using Fluke Networks products to manage this risk on your network

1. Identify SNMP agents on the network

The OptiView Integrated Network Analyzer and OptiView Workgroup Analyzer have the capability of discovering all devices within a broadcast domain that are SNMP enabled.

On the Setup/Security screen, configure all known and old community strings, making sure you include strings such as "public", "private" and "security".

Re-run the tests by selecting the "Rerun Test" tab.

Select the "Discovery" tab and then select the SNMP Agents category in the left hand pane. The resulting display shows all SNMP agents discovered by the test.

2. Test your firewall for filtering SNMP traffic

From a LAN segment outside your firewall, use the OptiView Integrated Network Analyzer to query known SNMP agents on the protected side of your network. After the "Network-Under-Test" interface has a proper IP configuration, enter the IP address of a known SNMP agent on the Tools screen.

Note: Using Fluke Networks’ Protocol Expert™ on the protected side of your firewall allows you to see if the firewall is denying any and all SNMP traffic from flowing through the firewall as well as preventing SNMP responses from leaving your network.

Two OptiView Analyzers, one on either side of the firewall, can be used to easily check this condition. Use the Packet Capture and Statistics feature to ensure that no SNMP traffic is flowing in from outside of the firewall.

3. Analyze network patterns for SNMP attacks

Using the OptiView Integrated Network Analyzer, the OptiView Workgroup Analyzer or the OptiView Link Analyzer, a combination of packet capture and protocol statistics can be used to gather evidence of an SNMP attack.

Select the "Top Hosts" tab to look for nodes that should not be sending SNMP queries. Select the "Top Conversations" to check for unusual Conversation Pairs within the SNMP traffic.

Fluke Networks' Copper and Fiber taps can be used to access switch-to-switch links and the Switch-TAP™ capability of the OptiView™ Inspector Console can be used to program the mirror ports of a variety of switches.

For more information

For questions, concerns or more information, please contact the Fluke Networks TAC at 1-800-638-3497 (North America), +1-425-446-4519 (outside North America) or email us at: nettech@flukenetworks.com.
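Added example, not part of the advisory or of Fluke Networks' statement: a Python audit routine for captured UDP/161 payloads that illustrates the defensive side of recommendations 2 and 3 above. It decodes only the outer SNMPv1 message header with strict BER length checks, so inconsistent encodings of the kind the PROTOS c06-snmpv1 suite exercises are reported as malformed rather than trusted, and it flags requests carrying the default community strings "public", "private" and "security". The sample datagrams, the community string "n3tmgmt-ro" and all helper names are constructed for this example.

```python
"""Defensive SNMPv1 header audit for captured UDP/161 payloads.
Added example, not code from the CERT advisory or any vendor. Strict BER
length checks make inconsistent encodings of the kind the PROTOS c06-snmpv1
suite exercises come back as "malformed" instead of being trusted; requests
using the default community strings from the Fluke tutorial are flagged.
All packet bytes below are constructed for the example."""
from typing import Dict, Tuple

DEFAULT_COMMUNITIES = {b"public", b"private", b"security"}
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING = 0x30, 0x02, 0x04
# Context-specific constructed tags of the SNMPv1 PDU types
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}


class MalformedSNMP(ValueError):
    """BER structure does not fit consistently inside the datagram."""


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER TLV at buf[pos:]; return (tag, value, next_pos).
    Every declared length is checked against the bytes actually present."""
    if pos + 2 > len(buf):
        raise MalformedSNMP("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        # Reject indefinite form (0x80) and length-of-length values over 4
        if n == 0 or n > 4:
            raise MalformedSNMP(f"bad length-of-length {n}")
        if pos + n > len(buf):
            raise MalformedSNMP("truncated long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise MalformedSNMP(f"declared length {length} exceeds datagram")
    return tag, buf[pos:pos + length], pos + length


def expect(buf: bytes, pos: int, tag: int) -> Tuple[bytes, int]:
    """read_tlv that also insists on a specific tag."""
    got, value, nxt = read_tlv(buf, pos)
    if got != tag:
        raise MalformedSNMP(f"expected tag 0x{tag:02x}, got 0x{got:02x}")
    return value, nxt


def parse_header(datagram: bytes) -> Dict[str, object]:
    """Return version, community and PDU type; the PDU body is not decoded."""
    msg, end = expect(datagram, 0, TAG_SEQUENCE)
    if end != len(datagram):
        raise MalformedSNMP("trailing bytes after message")
    ver, pos = expect(msg, 0, TAG_INTEGER)
    if not 1 <= len(ver) <= 4:
        raise MalformedSNMP("bad version INTEGER length")
    community, pos = expect(msg, pos, TAG_OCTET_STRING)
    pdu_tag, _, pos = read_tlv(msg, pos)
    if pos != len(msg):
        raise MalformedSNMP("trailing bytes after PDU")
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community,
            "pdu_type": PDU_NAMES.get(pdu_tag, f"unknown(0x{pdu_tag:02x})")}


def audit(datagram: bytes) -> str:
    """Classify one payload as 'malformed', 'default-community' or 'ok'."""
    try:
        hdr = parse_header(datagram)
    except MalformedSNMP:
        return "malformed"
    return "default-community" if hdr["community"] in DEFAULT_COMMUNITIES else "ok"


# --- constructed sample datagrams (short-form lengths suffice here) ---
def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value


SYS_DESCR_0 = bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])       # OID 1.3.6.1.2.1.1.1.0
_VARBINDS = tlv(0x30, tlv(0x30, tlv(0x06, SYS_DESCR_0) + tlv(0x05, b"")))
_GET_PDU = tlv(0xA0, tlv(0x02, b"\x00\x00\x00\x01") + tlv(0x02, b"\x00")
               + tlv(0x02, b"\x00") + _VARBINDS)


def v1_message(community: bytes) -> bytes:
    """Well-formed SNMPv1 GetRequest for sysDescr.0 with the given community."""
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + _GET_PDU)


SAMPLE_DEFAULT = v1_message(b"public")
SAMPLE_OK = v1_message(b"n3tmgmt-ro")
# Community OCTET STRING declaring 255 bytes (long form 0x81 0xFF) when only
# two follow: the inconsistent-length class of input the PROTOS suite sends
SAMPLE_MALFORMED = bytes([0x30, 0x08, 0x02, 0x01, 0x00, 0x04, 0x81, 0xFF]) + b"pu"
```

Feeding every payload captured on UDP/161 through audit() and counting the verdicts per source host gives the "nodes that should not be sending SNMP queries" view described in step 3 without ever handing malformed input to a real agent.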

Foundry Networks, Inc.

According to testing completed by Foundry engineering using the stress tools recommended by CERT, we determined that NO Foundry devices are affected by any known SNMP security issue. All of Foundry's products use the same SNMP engine with varying SNMP versions (v1, v2c, and v3), and all SNMP versions have been tested.

We are extremely appreciative to CERT's help during our testing period, and would like to wholeheartedly thank everyone involved.

FreeBSD

FreeBSD does not include any SNMP software by default, and so is not vulnerable. However, the FreeBSD Ports Collection contains the UCD-SNMP / NET-SNMP package. Package versions prior to ucd-snmp-4.2.3 are vulnerable. The upcoming FreeBSD 4.5 release will ship the corrected version of the UCD-SNMP / NET-SNMP package. In addition, the corrected version of the packages is available from the FreeBSD mirrors.

FreeBSD has issued the following FreeBSD Security Advisory regarding the UCD-SNMP / NET-SNMP package:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:11.snmp.asc.

Future Communications Software

FutureSoft has tested its SNMP Product FutureSoftSNMP Release 5.0.1.0 according to the recommendations issued by CERT, and has found no security vulnerabilities associated with Advisory CA-2002-03 (Multiple Vulnerabilities in Many Implementations of SNMP).

General DataComm

General DataComm Advisory Bulletin

http://www.gdc.com/products/bulletin.shtml

Ref:  CERT Advisory CA-2002-03
Multiple Vulnerabilities in Many Implementations of Simple Network Management Protocol (SNMP)

GDC  TEAM  SNMP

The GDC TEAM applications use the HP OpenView NNM SNMP protocol stack for its SNMP network management communication to its SpectraComm Manager (SCM) card. The SCM contains an SNMP proxy agent.

Recommendations:

1. The SCM does not have a default read/write community name of "private", which makes it less susceptible to hackers changing device configurations or taking down the management or data network. The SCM does have a default read only community name of "public". The customer is advised to change this.

2. The major GDC network management customers usually use a separate private LAN for their management traffic to eliminate the exposure to outside illegal entry.

3. Please read below, obtain and install the HP HPOV patches from the listed sites.

HP HPOV NNM (Network Node Manager)
Some problems found in the NNM product were related to trap handling. Patches in process. Watch for the associated HP Security Bulletin.

----------------------------------------------------------
HP-UX Systems running snmpd or OPENVIEW
----------------------------------------------------------
The following patches are available now:

       PHSS_26137 s700_800 10.20 OV EMANATE14.2 Agent Consolidated Patch
       PHSS_26138 s700_800 11.X OV EMANATE14.2 Agent Consolidated Patch

       PSOV_03087 EMANATE Release 14.2 Solaris 2.X Agent Consolidated Patch

All three patches are available from:

http://support.openview.hp.com/cpe/patches/

In addition PHSS_26137 and PHSS_26138 will soon be available from:

http://itrc.hp.com

NOTE: The patches are labeled OV(Open View). However, the patches are also applicable to systems that are not running Open View.

Any HP-UX 10.X or 11.X system running snmpd or snmpdm is vulnerable. To determine if your HP-UX system has snmpd or snmpdm installed:

       swlist -l file | grep snmpd

If a patch is not available for your platform or you cannot install an available patch, snmpd and snmpdm can be disabled by removing their entries from /etc/services and removing the execute permissions from /usr/sbin/snmpd and /usr/sbin/snmpdm.

Hewlett-Packard Company

HP Support Information Digests



Digest Name:  daily HP-UX security bulletins digest
  Created:  Tue Feb 26  8:45:03 PST 2002

Table of Contents:

Document ID      Title
---------------  -----------
HPSBUX0202-184   Sec. Vulnerability in SNMP (rev. 3)

The documents are listed below.
----------------------------------


Document ID:  HPSBUX0202-184
Date Loaded:  20020212
    Title:  Sec. Vulnerability in SNMP (rev. 3)

TEXT
-----------------------------------------------------------------
**REVISED 03**  HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #0184,
  Originally issued: 12 Feb. 2002
  Last revised:  24 Feb. 2002
-----------------------------------------------------------------

The information in the following Security Bulletin should be acted upon as soon as possible.  Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible.

------------------------------------------------------------------
PROBLEM:  Vulnerabilities in SNMP request and trap handling.

PLATFORM: HP 9000 Series 700 and Series 800 running HP-UX
        releases 10.X and 11.X
        HP Procurve switches
**REVISED 03**
---->>    JetDirect Firmware
        MC/ServiceGuard, EMS HA Monitors

DAMAGE:   Possible denial-of-service, service interruptions,
        unauthorized access.

SOLUTION: Apply patches or implement workarounds.  See below.
       For HP-UX releases:
      PHSS_26137    s700_800  HP-UX 10.20 OV EMANATE14.2 Agent
      PHSS_26138    s700_800  HP-UX 11.X  OV EMANATE14.2 Agent
      PSOV_03087    Solaris 2.X      EMANATE Release 14.2
       For systems running OV NNM:
      PHSS_26286    s700_800  HP-UX  10.20  ovtrapd large trap fix
      PHSS_26287    s700_800  HP-UX  11.X   ovtrapd large trap fix
      PSOV_03100    Solaris 2.X             ovtrapd large trap fix
      NNM_00857     NT 4.X/Windows 2000     ovtrapd large trap fix

MANUAL ACTIONS: Upgrade or workaround action per below.

AVAILABILITY:  Patches for some affected systems are available now.
CHANGE SUMMARY: Rev.01 affected HP Procurve scope expanded,
                     plus Procurve patch availability added.
                     NNM ovtrapd patch availability added.
              Rev.02 SG and EMS found not vulnerable.
              Rev.03 Jetdirect vulnerability updated
------------------------------------------------------------------

A. Background
CERT has issued an advisory:
CERT Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMPv1) containing information about the vulnerabilities.
 
Hewlett-Packard Company will revise this bulletin as new information becomes available.

---------------------------------------------------------
hp Procurve switches
---------------------------------------------------------

We are still in the process of determining which other HP Procurve products are subject to these vulnerabilities. We have created fixes for products below which will resolve these issues.  See Section C below.

Customers can download these patches in the form of software upgrades at:
            http://www.hp.com/rnd/software/switches.htm

                 Product                      Fix revision number
     ----------------------------------       --------------------
     HP Procurve Switch 2524   (J4813A)        F.04.08 or greater
     HP Procurve Switch 2512   (J4812A)        F.04.08 or greater
     HP Procurve Switch 4108GL (J4865A)        G.04.05 or greater
     HP Procurve Switch 4108GL-bundle (J4861A) G.04.05 or greater

Not all HP Procurve products have completed testing, nor are they listed here, and may or may not have these vulnerabilities. This bulletin will again be updated as new information becomes available.

---------------------------------------------------------
NNM  (Network Node Manager)
---------------------------------------------------------

Some problems found in NNM product were related to trap handling.  Patches are available.  See Section C below.

**REVISED 03**
---------------------------------------------------------
-->> JetDirect Firmware
---------------------------------------------------------

 JetDirect Firmware Version      State
  ==========================      =====
--->>   X.08.32 and lower           VULNERABLE
--->>   (where X = A through K)
--->>   X.21.00 and higher          NOT vulnerable
--->>   (where X = L through P)

----------------------------------------------------------
HP-UX Systems running snmpd or OPENVIEW
----------------------------------------------------------
Any HP-UX 10.X or 11.X system running snmpd or snmpdm is vulnerable.  To determine if your HP-UX system has snmpd or snmpdm installed:

  swlist -l file | grep snmpd

B. Fixing the problem
Install the appropriate patch or firmware revision or work around problem as detailed below.

C. Recommended solution
---------------------------------------------------------
hp Procurve switches
---------------------------------------------------------

Customers can download these patches in the form of software upgrades at:
            http://www.hp.com/rnd/software/switches.htm

          Product                      Fix revision number
-----------------------------------     -------------------
HP Procurve Switch 2524    (J4813A)       F.04.08 or greater
HP Procurve Switch 2512    (J4812A)       F.04.08 or greater
HP Procurve Switch 4108GL  (J4865A)       G.04.05 or greater
HP Procurve Switch 4108GL-bundle (J4861A) G.04.05 or greater

---------------------------------------------------------
NNM  (Network Node Manager)
---------------------------------------------------------

Problems found in the NNM product (related only to trap handling) are ad