SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Net-snmp Vendors:   [Multiple Authors/Vendors]
(Caldera Issues Fix for ucd-snmp) Many Simple Network Management Protocol (SNMP) Implementations Allow Remote Users to Deny Service or Obtain Access to the System
SecurityTracker Alert ID:  1003620
SecurityTracker URL:  http://securitytracker.com/id/1003620
CVE Reference:   CVE-2002-0012, CVE-2002-0013   (Links to External Site)
Date:  Feb 21 2002
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   CERT reported that the University of Oulu (Finland) has discovered vulnerabilities in many vendor implementations of the Simple Network Management Protocol (SNMP) version 1.

The Oulu University Secure Programming Group (OUSPG, http://www.ee.oulu.fi/research/ouspg/) reports that there are numerous vulnerabilities in SNMPv1 implementations from many different vendors. A remote user can reportedly cause denial of service attacks or gain elevated privileges on the system.

The extent of the vulnerabilities depends on the specific vendor implementation. Vulnerabilities apparently include denial-of-service conditions, format string vulnerabilities, and buffer overflows. Some vulnerabilities do not require the request message to use the correct SNMP community string, according to CERT.

OUSPG reportedly performed two sets of tests of SNMP request message handling: one test focused on ASN.1 decoding, and the second looked for exceptions in the processing of the decoded data. The testers used the PROTOS c06-snmpv1 test suite:

http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html

Some of the products implement defective SNMPv1 trap handling. A remote user can reportedly send a specially crafted SNMP trap message to an SNMP manager to trigger the vulnerability.

Some of the products implement defective SNMPv1 request handling. A remote user can reportedly send a specially crafted SNMP request message to an SNMP agent to trigger the vulnerability.

Specific technical results were not available at the time of this entry. However, CERT reports that the following vendors are affected to some degree:

3Com,
AdventNet,
CacheFlow,
Caldera,
Cisco,
Compaq,
Computer Associates,
COMTEK Services,
FreeBSD,
Hewlett Packard,
Hirschmann Electronics,
Innerdive Solutions,
Juniper Networks,
Lantronix,
Lotus,
Lucent,
Marconi,
Microsoft,
Multinet,
Netscape,
NET-SNMP,
Nokia,
Novell,
Red Hat,
Redback Networks,
SNMP Research

CERT has provided more information at the following URLs:

http://www.kb.cert.org/vuls/id/854306
http://www.kb.cert.org/vuls/id/107186

Impact:   A remote user may be able to cause denial of service conditions or may be able to obtain elevated privileges on the system.
Solution:   The vendor has released a fix for net-snmp (ucd-snmp).

For OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0:

ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS

The verification checksums are:

39455abae12c26af0767e73ce5fa21ba RPMS/ucd-snmp-4.2.1-17.i386.rpm
2a13a2370c9da23d09a9fdfb94242cb0 RPMS/ucd-snmp-devel-4.2.1-17.i386.rpm
552a1f07b57743ea2f83a77878f8b307 RPMS/ucd-snmp-tkmib-4.2.1-17.i386.rpm
02914263b92c14023b6a8a986739975a RPMS/ucd-snmp-utils-4.2.1-17.i386.rpm
6f3b52721566b814f3937f135a82c6f5 SRPMS/ucd-snmp-4.2.1-17.src.rpm

Upgrade the affected packages with the following commands:

rpm -Fvh ucd-snmp-4.2.1-17.i386.rpm \
ucd-snmp-devel-4.2.1-17.i386.rpm \
ucd-snmp-tkmib-4.2.1-17.i386.rpm \
ucd-snmp-utils-4.2.1-17.i386.rpm


For OpenLinux 3.1 Server:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

The verification checksums are:

e1f2eab37121fd66aefab49da3f6173b RPMS/ucd-snmp-4.2.1-17.i386.rpm
ad7405f4578ca3f25a56d8e5d96020bb RPMS/ucd-snmp-devel-4.2.1-17.i386.rpm
980115ed7580c8a772e8111ad1494067 RPMS/ucd-snmp-tkmib-4.2.1-17.i386.rpm
48f82f6ee0561fc0961cf99e471a14de RPMS/ucd-snmp-utils-4.2.1-17.i386.rpm
6f3b52721566b814f3937f135a82c6f5 SRPMS/ucd-snmp-4.2.1-17.src.rpm

Upgrade the affected packages with the following commands:

rpm -Fvh ucd-snmp-4.2.1-17.i386.rpm \
ucd-snmp-devel-4.2.1-17.i386.rpm \
ucd-snmp-tkmib-4.2.1-17.i386.rpm \
ucd-snmp-utils-4.2.1-17.i386.rpm


For OpenLinux 3.1 Workstation:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

The verification checksums are:

e1f2eab37121fd66aefab49da3f6173b RPMS/ucd-snmp-4.2.1-17.i386.rpm
ad7405f4578ca3f25a56d8e5d96020bb RPMS/ucd-snmp-devel-4.2.1-17.i386.rpm
980115ed7580c8a772e8111ad1494067 RPMS/ucd-snmp-tkmib-4.2.1-17.i386.rpm
48f82f6ee0561fc0961cf99e471a14de RPMS/ucd-snmp-utils-4.2.1-17.i386.rpm
6f3b52721566b814f3937f135a82c6f5 SRPMS/ucd-snmp-4.2.1-17.src.rpm

Upgrade the affected packages with the following commands:

rpm -Fvh ucd-snmp-4.2.1-17.i386.rpm \
ucd-snmp-devel-4.2.1-17.i386.rpm \
ucd-snmp-tkmib-4.2.1-17.i386.rpm \
ucd-snmp-utils-4.2.1-17.i386.rpm

For OpenLinux 3.1.1 Server:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

The verification checksums are:

0bf1e8d5ec70518f2b548871fb1d00b7 RPMS/ucd-snmp-4.2.1-17.i386.rpm
7b8f7fd19b3a0dd61a1113e3d12bd00d RPMS/ucd-snmp-devel-4.2.1-17.i386.rpm
b0bf4250ba668660b0c9d859d164e918 RPMS/ucd-snmp-tkmib-4.2.1-17.i386.rpm
df84f06b86e973ee8d38f5f995fa7905 RPMS/ucd-snmp-utils-4.2.1-17.i386.rpm
6f3b52721566b814f3937f135a82c6f5 SRPMS/ucd-snmp-4.2.1-17.src.rpm

Upgrade the affected packages with the following commands:

rpm -Fvh ucd-snmp-4.2.1-17.i386.rpm \
ucd-snmp-devel-4.2.1-17.i386.rpm \
ucd-snmp-tkmib-4.2.1-17.i386.rpm \
ucd-snmp-utils-4.2.1-17.i386.rpm

For OpenLinux 3.1.1 Workstation:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

The verification checksums are:

0bf1e8d5ec70518f2b548871fb1d00b7 RPMS/ucd-snmp-4.2.1-17.i386.rpm
7b8f7fd19b3a0dd61a1113e3d12bd00d RPMS/ucd-snmp-devel-4.2.1-17.i386.rpm
b0bf4250ba668660b0c9d859d164e918 RPMS/ucd-snmp-tkmib-4.2.1-17.i386.rpm
df84f06b86e973ee8d38f5f995fa7905 RPMS/ucd-snmp-utils-4.2.1-17.i386.rpm
6f3b52721566b814f3937f135a82c6f5 SRPMS/ucd-snmp-4.2.1-17.src.rpm

Upgrade the affected packages with the following commands:

rpm -Fvh ucd-snmp-4.2.1-17.i386.rpm \
ucd-snmp-devel-4.2.1-17.i386.rpm \
ucd-snmp-tkmib-4.2.1-17.i386.rpm \
ucd-snmp-utils-4.2.1-17.i386.rpm

Vendor URL:  www.calderasystems.com/support/security/ (Links to External Site)
Cause:   Access control error, Boundary error, Input validation error
Underlying OS:  Linux (Caldera/SCO)

Message History:   This archive entry is a follow-up to the message listed below.
Feb 12 2002 Many Simple Network Management Protocol (SNMP) Implementations Allow Remote Users to Deny Service or Obtain Access to the System



 Source Message Contents

Subject:  Security Update: [CSSA-2002-004.0] Linux - Various security problems in ucd-snmp


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
		   Caldera International, Inc.  Security Advisory

Subject:		Linux - Various security problems in ucd-snmp
Advisory number: 	CSSA-2002-004.0
Issue date: 		2002, January 22
Cross reference:
______________________________________________________________________________


1. Problem Description

   Researchers at the university of Oulo, Finnland, discovered several
   remotely exploitable vulnerabilities in ucd-snmp. This security update
   fixes these vulnerabilities. This update also contains a patch from
   the SuSE security team that cleans up a number of unchecked memory
   operations.


2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux 2.3                 not vulnerable                
   
   OpenLinux eServer 2.3.1       All packages previous to      
   and OpenLinux eBuilder        ucd-snmp-4.2.1-17             
   
   OpenLinux eDesktop 2.4        not vulnerable                
   
   OpenLinux Server 3.1          All packages previous to      
                                 ucd-snmp-4.2.1-17             
   
   OpenLinux Workstation 3.1     All packages previous to      
                                 ucd-snmp-4.2.1-17             
   
   OpenLinux 3.1 IA64            not vulnerable                
   
   OpenLinux Server 3.1.1        All packages previous to      
                                 ucd-snmp-4.2.1-17             
   
   OpenLinux Workstation         All packages previous to      
   3.1.1                         ucd-snmp-4.2.1-17             
   


3. Solution

   Workaround

     none

   The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

    not vulnerable

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

    5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

       39455abae12c26af0767e73ce5fa21ba  RPMS/ucd-snmp-4.2.1-17.i386.rpm
       2a13a2370c9da23d09a9fdfb94242cb0  RPMS/ucd-snmp-devel-4.2.1-17.i386.rpm
       552a1f07b57743ea2f83a77878f8b307  RPMS/ucd-snmp-tkmib-4.2.1-17.i386.rpm
       02914263b92c14023b6a8a986739975a  RPMS/ucd-snmp-utils-4.2.1-17.i386.rpm
       6f3b52721566b814f3937f135a82c6f5  SRPMS/ucd-snmp-4.2.1-17.src.rpm
       

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh ucd-snmp-4.2.1-17.i386.rpm \
              ucd-snmp-devel-4.2.1-17.i386.rpm \
              ucd-snmp-tkmib-4.2.1-17.i386.rpm \
              ucd-snmp-utils-4.2.1-17.i386.rpm
         

6. OpenLinux eDesktop 2.4

    not vulnerable

7. OpenLinux 3.1 Server

    7.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

   7.2 Verification

       e1f2eab37121fd66aefab49da3f6173b  RPMS/ucd-snmp-4.2.1-17.i386.rpm
       ad7405f4578ca3f25a56d8e5d96020bb  RPMS/ucd-snmp-devel-4.2.1-17.i386.rpm
       980115ed7580c8a772e8111ad1494067  RPMS/ucd-snmp-tkmib-4.2.1-17.i386.rpm
       48f82f6ee0561fc0961cf99e471a14de  RPMS/ucd-snmp-utils-4.2.1-17.i386.rpm
       6f3b52721566b814f3937f135a82c6f5  SRPMS/ucd-snmp-4.2.1-17.src.rpm
       

   7.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh ucd-snmp-4.2.1-17.i386.rpm \
              ucd-snmp-devel-4.2.1-17.i386.rpm \
              ucd-snmp-tkmib-4.2.1-17.i386.rpm \
              ucd-snmp-utils-4.2.1-17.i386.rpm
         

8. OpenLinux 3.1 Workstation

    8.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

   8.2 Verification

       e1f2eab37121fd66aefab49da3f6173b  RPMS/ucd-snmp-4.2.1-17.i386.rpm
       ad7405f4578ca3f25a56d8e5d96020bb  RPMS/ucd-snmp-devel-4.2.1-17.i386.rpm
       980115ed7580c8a772e8111ad1494067  RPMS/ucd-snmp-tkmib-4.2.1-17.i386.rpm
       48f82f6ee0561fc0961cf99e471a14de  RPMS/ucd-snmp-utils-4.2.1-17.i386.rpm
       6f3b52721566b814f3937f135a82c6f5  SRPMS/ucd-snmp-4.2.1-17.src.rpm
       

   8.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh ucd-snmp-4.2.1-17.i386.rpm \
              ucd-snmp-devel-4.2.1-17.i386.rpm \
              ucd-snmp-tkmib-4.2.1-17.i386.rpm \
              ucd-snmp-utils-4.2.1-17.i386.rpm
         

9. OpenLinux 3.1 IA64

    not vulnerable

10. OpenLinux 3.1.1 Server

    10.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

   10.2 Verification

       0bf1e8d5ec70518f2b548871fb1d00b7  RPMS/ucd-snmp-4.2.1-17.i386.rpm
       7b8f7fd19b3a0dd61a1113e3d12bd00d  RPMS/ucd-snmp-devel-4.2.1-17.i386.rpm
       b0bf4250ba668660b0c9d859d164e918  RPMS/ucd-snmp-tkmib-4.2.1-17.i386.rpm
       df84f06b86e973ee8d38f5f995fa7905  RPMS/ucd-snmp-utils-4.2.1-17.i386.rpm
       6f3b52721566b814f3937f135a82c6f5  SRPMS/ucd-snmp-4.2.1-17.src.rpm
       

   10.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh ucd-snmp-4.2.1-17.i386.rpm \
              ucd-snmp-devel-4.2.1-17.i386.rpm \
              ucd-snmp-tkmib-4.2.1-17.i386.rpm \
              ucd-snmp-utils-4.2.1-17.i386.rpm
         

11. OpenLinux 3.1.1 Workstation

    11.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

   11.2 Verification

       0bf1e8d5ec70518f2b548871fb1d00b7  RPMS/ucd-snmp-4.2.1-17.i386.rpm
       7b8f7fd19b3a0dd61a1113e3d12bd00d  RPMS/ucd-snmp-devel-4.2.1-17.i386.rpm
       b0bf4250ba668660b0c9d859d164e918  RPMS/ucd-snmp-tkmib-4.2.1-17.i386.rpm
       df84f06b86e973ee8d38f5f995fa7905  RPMS/ucd-snmp-utils-4.2.1-17.i386.rpm
       6f3b52721566b814f3937f135a82c6f5  SRPMS/ucd-snmp-4.2.1-17.src.rpm
       

   11.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh ucd-snmp-4.2.1-17.i386.rpm \
              ucd-snmp-devel-4.2.1-17.i386.rpm \
              ucd-snmp-tkmib-4.2.1-17.i386.rpm \
              ucd-snmp-utils-4.2.1-17.i386.rpm
         


12. References

   This and other Caldera security resources are located at:

   http://www.caldera.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 10987.


13. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera OpenLinux.

14. Acknowledgements

   Caldera International wishes to thank the Secure Programming Research
   Group at Oulu University for their work, and for sharing their research
   results in this fashion. We also wish to thank Thomas Biege at SuSE for
   his additional patches.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8XrgL18sy83A/qfwRAuhgAJ9gtSLdWozsFnY3ofHp9MGhSrMJSwCfWfj2
OoEiOStF4FrXEhw3dlZuH6Q=
=pLMu
-----END PGP SIGNATURE-----



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC