SecurityTracker.com
Category:   Application (Generic)  >   SNMP Daemon
Vendors:   [Multiple Authors/Vendors]
(Sun Issues Fix [Duplicate Notice]) Re: Many Simple Network Management Protocol (SNMP) Implementations Allow Remote Users to Deny Service or Obtain Access to the System
SecurityTracker Alert ID:  1003939
SecurityTracker URL:  http://securitytracker.com/id/1003939
CVE Reference:   CVE-2002-0012, CVE-2002-0013
Date:  Apr 1 2002
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   CERT reported that the University of Oulu (Finland) has discovered vulnerabilities in many vendor implementations of the Simple Network Management Protocol (SNMP) version 1.

The Oulu University Secure Programming Group (OUSPG, http://www.ee.oulu.fi/research/ouspg/) reports that there are numerous vulnerabilities in SNMPv1 implementations from many different vendors. A remote user can reportedly cause a denial of service or gain elevated privileges on the system.

The extent of the vulnerabilities depends on the specific vendor implementation. Vulnerabilities apparently include denial-of-service conditions, format string vulnerabilities, and buffer overflows. Some vulnerabilities do not require the request message to use the correct SNMP community string, according to CERT.

OUSPG reportedly performed two sets of tests of SNMP request message handling: one test focused on ASN.1 decoding, and the second looked for exceptions in the processing of the decoded data. The testers used the PROTOS c06-snmpv1 test suite:

http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html

Some of the products implement defective SNMPv1 trap handling. A remote user can reportedly send a specially crafted SNMP trap message to an SNMP manager to trigger the vulnerability.

Some of the products implement defective SNMPv1 request handling. A remote user can reportedly send a specially crafted SNMP request message to an SNMP agent to trigger the vulnerability.

Specific technical results were not available at the time of this entry. However, CERT reports that the following vendors are affected to some degree:

3Com,
AdventNet,
CacheFlow,
Caldera,
Cisco,
Compaq,
Computer Associates,
COMTEK Services,
FreeBSD,
Hewlett Packard,
Hirschmann Electronics,
Innerdive Solutions,
Juniper Networks,
Lantronix,
Lotus,
Lucent,
Marconi,
Microsoft,
Multinet,
Netscape,
NET-SNMP,
Nokia,
Novell,
Red Hat,
Redback Networks,
SNMP Research

CERT has provided more information at the following URLs:

http://www.kb.cert.org/vuls/id/854306
http://www.kb.cert.org/vuls/id/107186

Impact:   A remote user may be able to cause denial of service conditions or may be able to obtain elevated privileges on the system.
Solution:   Please note that this alert is based on Sun Alert 42769, which is also covered by Sun in Sun Security Bulletin #00215, for which an alert was previously issued.

Sun has issued a fix:

SPARC

Solaris 2.6 with patch 106787-17 or later
Solaris 7 with patch 107709-18 or later
Solaris 8 with patch 108869-15 or later

Intel

Solaris 2.6 with patch 106872-17 or later
Solaris 7 with patch 107710-18 or later
Solaris 8 with patch 108870-15 or later

Cause:   Access control error, Boundary error, Input validation error
Underlying OS:  UNIX (Solaris - SunOS)
Underlying OS Comments:  Solaris 2.6, 7, and 8

Message History:   This archive entry is a follow-up to the message listed below.
Feb 12 2002 Many Simple Network Management Protocol (SNMP) Implementations Allow Remote Users to Deny Service or Obtain Access to the System



 Source Message Contents

Subject:  Buffer Overflow in snmpdx(1M) May Allow Remote Root Compromise


DOCUMENT ID: 42769 
SYNOPSIS: Buffer Overflow in snmpdx(1M) May Allow Remote Root Compromise 
DETAIL DESCRIPTION: 

Sun(sm) Alert Notification 

     Sun Alert ID: 42769 

     Synopsis: Buffer Overflow in snmpdx(1M) May Allow Remote Root Compromise 

     Category: Security 

     Product: Solaris 
     BugIDs: 4563124 
     Avoidance: Patch 

     State: Resolved 
     Date Released: 13-Feb-2002 
     Date Closed: 13-Feb-2002 
     Date Modified: 

1. Impact 

Unprivileged local or remote users may be able to gain unauthorized root
access due to a buffer overflow in snmpdx(1M). 

This issue is described in the CERT Vulnerability VU#854306 (see
http://www.kb.cert.org/vuls/id/854306) which is referenced in CA-2002-03
(see http://www.cert.org/advisories/CA-2002-03.html). 

2. Contributing Factors 

This issue can occur in the following releases: 

SPARC 

     Solaris 2.6 without patch 106787-17 
     Solaris 7 without patch 107709-18 
     Solaris 8 without patch 108869-15 

Intel 

     Solaris 2.6 without patch 106872-17 
     Solaris 7 without patch 107710-18 
     Solaris 8 without patch 108870-15 

Notes: Solaris 2.5.1 is not vulnerable to this problem as the snmpdx
daemon is part of the Solstice Enterprise Agent which is not supported
on this release. 

This issue can occur when the "snmpdx" daemon is running which is
started by default when the system comes up. 

3. Symptoms 

There are no symptoms that would show the described problem has been
exploited to gain unauthorized root access to a host. 

The snmpdx(1M) daemon may exit resulting in a file named "core" in the
root ('/') directory. Running file(1) on the '/core' file will reference
snmpdx(1M), similar to the following example: 

        # file /core
        /core:    ELF 32-bit MSB core file SPARC Version 1, from 'snmpdx'


SOLUTION SUMMARY: 

4. Relief/Workaround 

a) Stop the running snmpdx daemon: 

        # /etc/init.d/init.snmpdx stop

b) Disable the snmpdx daemon from being restarted on system reboot: 

        # mv /etc/rc3.d/S76snmpdx /etc/rc3.d/_S76snmpdx
                                    

5. Resolution 

This issue is addressed in the following releases: 

SPARC 

     Solaris 2.6 with patch 106787-17 or later 
     Solaris 7 with patch 107709-18 or later 
     Solaris 8 with patch 108869-15 or later 

Intel 

     Solaris 2.6 with patch 106872-17 or later 
     Solaris 7 with patch 107710-18 or later 
     Solaris 8 with patch 108870-15 or later 

This Sun Alert notification is being provided to you on an "AS IS"
basis. Sun makes no representations, warranties, or guaranties as to the
quality, suitability, truth, accuracy or completeness of any of the
information contained herein. This Sun Alert notification may contain
information provided by third parties. ANY AND ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY
DISCLAIMED. The issues described in this Sun Alert notification may or
may not impact your system(s). 

BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL
DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION
CONTAINED HEREIN. 

This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your Confidential Disclosure Agreement or the confidentiality provisions
of your agreement to purchase services from Sun. In the event that you
do not have one of the above-referenced agreements with Sun, this
information is provided pursuant to the confidentiality provisions of
the Sun.com Terms of Use. This Sun Alert notification may only be used
for the purposes contemplated by these agreements. 

Copyright 2001 Sun Microsystems, Inc., 901 San Antonio Road, Palo Alto,
CA 94303 U.S.A. All rights reserved.
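
The minimum patch revisions in the Resolution section above can be checked against a host's installed patch list. The following is an added example, not code from Sun or SecurityTracker; the function names and the sample patch listing are constructed, and it assumes the `Patch: <id>-<rev>` line format printed by `showrev -p`.

```shell
#!/bin/sh
# Added example: compare installed patches with the minimum snmpdx patch
# revisions listed in Sun Alert 42769. Function names are hypothetical.

# Map `uname -r` / `uname -p` values to the patch named in the alert.
# SunOS 5.6, 5.7 and 5.8 are Solaris 2.6, 7 and 8.
required_patch() {
    case "$1/$2" in
        5.6/sparc) echo 106787-17 ;;
        5.7/sparc) echo 107709-18 ;;
        5.8/sparc) echo 108869-15 ;;
        5.6/i386)  echo 106872-17 ;;
        5.7/i386)  echo 107710-18 ;;
        5.8/i386)  echo 108870-15 ;;
        *) return 1 ;;
    esac
}

# Read `showrev -p` style lines on stdin; print the highest installed
# revision of patch base $1, or nothing when the patch is absent.
highest_rev() {
    best=""
    while read -r tag id _rest; do
        [ "$tag" = "Patch:" ] && [ "${id%-*}" = "$1" ] || continue
        rev=${id#*-}; rev=${rev#0}          # "09" -> "9" for numeric compare
        case $rev in ''|*[!0-9]*) continue ;; esac
        if [ -z "$best" ] || [ "$rev" -gt "$best" ]; then best=$rev; fi
    done
    [ -n "$best" ] && echo "$best"
    return 0
}

# patch_status RELEASE ARCH < patch-list
# Returns 0 = fix installed, 1 = fix missing, 2 = release not listed in alert.
patch_status() {
    req=$(required_patch "$1" "$2") || { echo "release not listed in alert"; return 2; }
    have=$(highest_rev "${req%-*}")
    if [ -n "$have" ] && [ "$have" -ge "${req#*-}" ]; then
        echo "fixed: ${req%-*} rev $have"; return 0
    fi
    echo "missing $req (installed rev: ${have:-none})"; return 1
}

# Constructed sample input: a Solaris 8 SPARC host still at revision 12.
SAMPLE='Patch: 108869-12 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample
Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWother'

# On a live host: showrev -p | patch_status "$(uname -r)" "$(uname -p)"
printf '%s\n' "$SAMPLE" | patch_status 5.8 sparc || true
```

On Solaris 2.6 through 8, run it under ksh, because the legacy /bin/sh does not support `$( )` or `${var%...}`.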


 
 

