SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   SNMP Daemon
Vendors:   [Multiple Authors/Vendors]
(Compaq Issues Fix for Tru64) Many Simple Network Management Protocol (SNMP) Implementations Allow Remote Users to Deny Service or Obtain Access to the System
SecurityTracker Alert ID:  1003966
SecurityTracker URL:  http://securitytracker.com/id/1003966
CVE Reference:   CVE-2002-0012, CVE-2002-0013   (Links to External Site)
Date:  Apr 4 2002
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   CERT reported that the University of Oulu (Finland) has discovered vulnerabilities in many vendor implementations of the Simple Network Management Protocol (SNMP) version 1.

The Oulu University Secure Programming Group (OUSPG, http://www.ee.oulu.fi/research/ouspg/) reports that there are numerous vulnerabilities in SNMPv1 implementations from many different vendors. A remote user can reportedly cause denial of service conditions or gain elevated privileges on the system.

The extent of the vulnerabilities depends on the specific vendor implementation. Vulnerabilities apparently include denial-of-service conditions, format string vulnerabilities, and buffer overflows. Some vulnerabilities do not require the request message to use the correct SNMP community string, according to CERT.

OUSPG reportedly performed two sets of tests of SNMP request message handling: one test focused on ASN.1 decoding, and the second looked for exceptions in the processing of the decoded data. The testers used the PROTOS c06-snmpv1 test suite:

http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html

Some of the products implement defective SNMPv1 trap handling. A remote user can reportedly send a specially crafted SNMP trap message to an SNMP manager to trigger the vulnerability.

Some of the products implement defective SNMPv1 request handling. A remote user can reportedly send a specially crafted SNMP request message to an SNMP agent to trigger the vulnerability.
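
The ASN.1 decoding step that OUSPG targeted runs on untrusted bytes before an agent can compare the community string, which is why a wrong community string does not necessarily protect an implementation. The following added example (not code from CERT, OUSPG or any vendor) is a bounds-checked decoder for the outer SNMPv1 message; the function names, return codes and sample datagrams are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { SNMP_OK = 0, SNMP_MALFORMED = -1, SNMP_BAD_VERSION = -2, SNMP_BAD_COMMUNITY = -3 };

struct snmp_hdr {
    const uint8_t *community; size_t community_len;
    uint8_t pdu_tag; const uint8_t *pdu; size_t pdu_len;
};

/* Read one BER tag+length at buf[*pos]; on success *pos points at the value.
 * Rejects indefinite lengths, length fields wider than 4 octets, and any
 * declared length that runs past `end`. */
static int ber_tlv(const uint8_t *buf, size_t end, size_t *pos, uint8_t *tag, size_t *len)
{
    size_t p = *pos, n;
    if (p > end || end - p < 2) return -1;
    *tag = buf[p++];
    n = buf[p++];
    if (n & 0x80) {                                /* long-form length */
        size_t k = n & 0x7f;
        n = 0;
        if (k == 0 || k > 4 || end - p < k) return -1;
        while (k--) n = (n << 8) | buf[p++];
    }
    if (n > end - p) return -1;                    /* value must fit in the buffer */
    *pos = p; *len = n;
    return 0;
}

int snmpv1_parse(const uint8_t *buf, size_t buflen, const char *expected, struct snmp_hdr *out)
{
    size_t pos = 0, len, end, elen = strlen(expected);
    uint8_t tag;
    if (ber_tlv(buf, buflen, &pos, &tag, &len) || tag != 0x30) return SNMP_MALFORMED;
    end = pos + len;                               /* nothing below may read past the SEQUENCE */
    if (ber_tlv(buf, end, &pos, &tag, &len) || tag != 0x02 || len != 1) return SNMP_MALFORMED;
    if (buf[pos] != 0) return SNMP_BAD_VERSION;    /* SNMPv1 is version 0 */
    pos += len;
    if (ber_tlv(buf, end, &pos, &tag, &len) || tag != 0x04) return SNMP_MALFORMED;
    out->community = buf + pos; out->community_len = len;
    pos += len;
    if (ber_tlv(buf, end, &pos, &tag, &len) || tag < 0xA0 || tag > 0xA4) return SNMP_MALFORMED;
    out->pdu_tag = tag; out->pdu = buf + pos; out->pdu_len = len;
    /* The community sits inside the encoding, so it can only be compared after
     * the untrusted bytes above have been decoded. */
    if (out->community_len != elen || memcmp(out->community, expected, elen) != 0)
        return SNMP_BAD_COMMUNITY;
    return SNMP_OK;
}

/* Constructed sample datagrams (not captured traffic). */
static const uint8_t SAMPLE_GET[] = {              /* GetRequest sysDescr.0, community "public" */
    0x30,0x26, 0x02,0x01,0x00, 0x04,0x06,'p','u','b','l','i','c',
    0xa0,0x19, 0x02,0x01,0x01, 0x02,0x01,0x00, 0x02,0x01,0x00,
    0x30,0x0e, 0x30,0x0c, 0x06,0x08,0x2b,0x06,0x01,0x02,0x01,0x01,0x01,0x00, 0x05,0x00 };
static const uint8_t SAMPLE_BAD_LEN[] = {          /* community claims 65535 bytes, 4 present */
    0x30,0x0b, 0x02,0x01,0x00, 0x04,0x82,0xff,0xff, 'A','A','A','A' };

int main(void)
{
    struct snmp_hdr h;
    printf("valid:     %d\n", snmpv1_parse(SAMPLE_GET, sizeof SAMPLE_GET, "public", &h));
    printf("bad len:   %d\n", snmpv1_parse(SAMPLE_BAD_LEN, sizeof SAMPLE_BAD_LEN, "public", &h));
    printf("truncated: %d\n", snmpv1_parse(SAMPLE_GET, 10, "public", &h));
    return 0;
}
```

The decoder stops at the PDU header; the request ID, error fields and variable bindings inside the PDU need the same per-field length checks before use.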

Specific technical results were not available at the time of this entry. However, CERT reports that the following vendors are affected to some degree:

3Com,
AdventNet,
CacheFlow,
Caldera,
Cisco,
Compaq,
Computer Associates,
COMTEK Services,
FreeBSD,
Hewlett Packard,
Hirschmann Electronics,
Innerdive Solutions,
Juniper Networks,
Lantronix,
Lotus,
Lucent,
Marconi,
Microsoft,
Multinet,
Netscape,
NET-SNMP,
Nokia,
Novell,
Red Hat,
Redback Networks,
SNMP Research

CERT has provided more information at the following URLs:

http://www.kb.cert.org/vuls/id/854306
http://www.kb.cert.org/vuls/id/107186

Impact:   A remote user may be able to cause denial of service conditions or may be able to obtain elevated privileges on the system.
Solution:   The vendor has released an Early Release Patch kit. Until the Tru64 UNIX fixes are available in the mainstream release patch kits, Compaq is releasing the following Early Release Patch Kit(s) (ERPs) publicly for use by any customer.

The Early Release Patch kits use dupatch to install and will not install over any Customer-Specific-Patches (CSPs) which have file intersections with the ERPs. Raise an IPMT case to UNIX Support Engineering if you need a CSP merged with one of the following ERPs.

The fixes contained in the Early Release Patch (ERP) kits will be available in the next mainstream patch kit(s) for:
- Tru64 UNIX 4.0F PK8
- Tru64 UNIX 4.0G PK4
- Tru64 UNIX 5.0A PK4
- Tru64 UNIX 5.1 PK5
- Tru64 UNIX 5.1A PK2

Early Release Patches
---------------------

Tru64 UNIX 4.0F
PREREQUISITE: Tru64 UNIX 4.0F with PK7 (BL18) installed
ERP Kit Name: DUV40FB18-C0071301-13866-ES-20020401
Kit Location: http://ftp1.support.compaq.com/public/unix/v4.0f/


Tru64 UNIX 4.0G
PREREQUISITE: Tru64 UNIX 4.0G with PK3 (BL17) installed
ERP Kit Name: T64V40GB17-C0012100-13640-ES-20020313
Kit Location: http://ftp1.support.compaq.com/public/unix/v4.0g/


Tru64 UNIX 5.0A
PREREQUISITE: Tru64 UNIX 5.0A with PK3 (BL17) installed
ERP Kit Name: T64V50AB17-C0019600-13593-ES-20020308
Kit Location: http://ftp1.support.compaq.com/public/unix/v5.0a/


Tru64 UNIX 5.1
PREREQUISITE: Tru64 UNIX 5.1 with PK4 (BL18) installed
ERP Kit Name: T64V51B18-C0109002-13712-ES-20020318
Kit Location: http://ftp1.support.compaq.com/public/unix/v5.1/


Tru64 UNIX 5.1A
PREREQUISITE: Tru64 UNIX 5.1A with PK1 (BL1) installed
ERP Kit Name: T64V51AB1-C0014802-13710-ES-20020318
Kit Location: http://ftp1.support.compaq.com/public/unix/v5.1a/

MD5 and SHA1 checksums are available in the public patch notice for the ERP kits. You can find information on how to verify MD5 and SHA1 checksums at:

http://www.support.compaq.com/patches/whats-new.shtml

Cause:   Access control error, Boundary error, Input validation error
Underlying OS:  UNIX (Tru64)
Underlying OS Comments:  Tru64 UNIX 4.0f, 4.0g, 5.0a, 5.1, 5.1a.

Message History:   This archive entry is a follow-up to the message listed below.
Feb 12 2002 Many Simple Network Management Protocol (SNMP) Implementations Allow Remote Users to Deny Service or Obtain Access to the System



 Source Message Contents

Subject:  (SSRT0779) UPDATE #3 Potential Security Vulnerabilities in SNMP


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TITLE: (SSRT0779) Potential Security Vulnerabilities in SNMP
Posted at http://ftp.support.compaq.com/patches/.new/security.shtml

NOTICE: There are no restrictions for distribution of this
Bulletin provided that it remains complete and intact.

RELEASE DATE:   18 FEBRUARY, 2002

     UPDATED:   03 APRIL,    2002 - update Tru64, patch availability
                08 MARCH,    2002 - add StorageWorks products, and
                                    Compaq/Microcom based products.
                05 MARCH,    2002 - update TRU64 Information

SEVERITY: MEDIUM

SOURCE:  Compaq Computer Corporation
         Compaq Global Services
         Software Security Response Team

CROSS REFERENCE:   (SSRT0799, CAN-2002-0012,
                    CAN-2002-0013, CERT CA-2002-03)

PROBLEM SUMMARY:

The Computer Emergency Response Team (CERT/cc) has recently issued an
advisory regarding numerous potential vulnerabilities in SNMPv1
implementations. These potential vulnerabilities are applicable to
SNMPv1 trap handling and SNMPv1 Request handling. The CERT article
outlines vulnerabilities that can cause SNMP services to stop
functioning and in some cases may enable "unauthorized access,"
"denial of service attacks" or may cause system instability.

IMPACT:
 Compaq NonStop Himalaya Servers:
 Compaq TCP/IP Services for OpenVMS:
 Compaq Tru64 UNIX:
 Compaq Insight Management Suite:
 Compaq Deskpro, Professional Workstation, Armada, Evo:
 Compaq SANworks Hardware:
 Compaq StorageWorks Products
 Compaq/Microcom Products:

 Compaq's findings to date regarding the SNMPv1 issues are as
follows:

________________________________
Compaq NonStop Himalaya Servers:

The Compaq Himalaya NonStop Kernel prohibits execution of code on the
stack or heap by hardware TLB permissions (read/write only),
preventing Trojan horse attacks by embedding code within the buffer
overflow area. However, process ABENDs can occur.

The SNMP agent ABENDs in the c06-snmpv1 buffer-overflow tests.
This affects forwarding trap messages and/or sending info responses
to SNMP managers.

Sub-agents use IPCs to communicate with the SNMP agent, so they
cannot be directly attacked.  More importantly, sub-agents are
confined to information only requests, so they cannot be used to
configure/manage their sub-systems. Our investigation and analysis is
continuing and further updates will be provided.

IPMs to address the ABEND problem of the SNMP are in development and
will be released as soon as verification is complete. Availability of
these IPMs will be announced in future updates. The exposure to
SNMP agent ABENDs can be reduced by running the SNMP agent as a
process-pair or by configuring auto-restart in the Persistence
Manager.

__________________________________
Compaq TCP/IP Services for OpenVMS:

There is some impact to the SNMP agent provided with Compaq TCP/IP
Services for OpenVMS. This problem can cause the SNMP agent to ACCVIO
and terminate temporarily denying service to SNMP, but in most cases
after this occurs Compaq TCP/IP Services for OpenVMS will restart
the SNMP agent in response to the next SNMP request. There are no
known risks of compromising system security due to this problem.
The SNMP agent executes from a non-privileged process, which
prevents any compromise to system security.

Our investigation and analysis has determined the cause of the
problem. The updated images for Compaq TCP/IP Services for OpenVMS
are now in final test. Compaq will provide updates to Compaq TCP/IP
Services for OpenVMS in the next ECO and also in the next release,
Compaq TCP/IP Services for OpenVMS V5.3. Contact Compaq's Customer
Support Center if an earlier update is required.

__________________
Compaq Tru64 UNIX:

UPDATE: 02 April, 2002

There is no known risk of compromising Tru64 UNIX system security
due to the recent SNMP attack.  The SNMP agent provided with
Tru64 UNIX is susceptible to a limited problem - the SNMP
agent may stop responding to SNMP requests, or it may incur a
segmentation fault, generate a core file, and exit. Either scenario
denies SNMP service to SNMP-based network management applications.
However,  we have not found the attack to cause the system to be
unstable, vulnerable to "unauthorized access",  or subject to any
denial of service other than to the SNMP service.

Impacted Tru64 UNIX operating system versions include:
Tru64 UNIX 4.0f, 4.0g, 5.0a, 5.1, 5.1a.

 SOLUTION:

  Until the Tru64 UNIX fixes are available in the mainstream release
  patch kits, Compaq is releasing the following Early Release Patch
  Kit(s) (ERPs) publicly for use by any customer.

  The Early Release Patch kits use dupatch to install and will not
  install over any Customer-Specific-Patches (CSPs) which have file
  intersections with the ERPs. Raise an IPMT case to UNIX Support
  Engineering if you need a CSP merged with one of the following
ERPs.

  The fixes contained in the Early Release Patch (ERP) kits will be
  available in the next mainstream patch kit(s) for:
        - Tru64 UNIX 4.0F PK8
        - Tru64 UNIX 4.0G PK4
        - Tru64 UNIX 5.0A PK4
        - Tru64 UNIX 5.1  PK5
        - Tru64 UNIX 5.1A PK2

  ---------------------
  Early Release Patches
  ---------------------

  Tru64 UNIX 4.0F
   PREREQUISITE:    Tru64 UNIX 4.0F with PK7 (BL18) installed
   ERP Kit Name:    DUV40FB18-C0071301-13866-ES-20020401
   Kit Location: http://ftp1.support.compaq.com/public/unix/v4.0f/


  Tru64 UNIX 4.0G
   PREREQUISITE:    Tru64 UNIX 4.0G with PK3 (BL17) installed
   ERP Kit Name:    T64V40GB17-C0012100-13640-ES-20020313
   Kit Location: http://ftp1.support.compaq.com/public/unix/v4.0g/


  Tru64 UNIX 5.0A
   PREREQUISITE:    Tru64 UNIX 5.0A with PK3 (BL17) installed
   ERP Kit Name:    T64V50AB17-C0019600-13593-ES-20020308
   Kit Location: http://ftp1.support.compaq.com/public/unix/v5.0a/


  Tru64 UNIX 5.1
   PREREQUISITE:    Tru64 UNIX 5.1 with PK4 (BL18) installed
   ERP Kit Name:    T64V51B18-C0109002-13712-ES-20020318
   Kit Location: http://ftp1.support.compaq.com/public/unix/v5.1/


  Tru64 UNIX 5.1A
   PREREQUISITE:    Tru64 UNIX 5.1A with PK1 (BL1) installed
   ERP Kit Name:    T64V51AB1-C0014802-13710-ES-20020318
   Kit Location: http://ftp1.support.compaq.com/public/unix/v5.1a/

  MD5 and SHA1 checksums are available in the public patch notice for
  the ERP kits. You can find information on how to verify MD5 and
  SHA1 checksums at:
        http://www.support.compaq.com/patches/whats-new.shtml

________________________________
Compaq Insight Management Suite:

(ProLiants running industry standard operating systems including
Windows 2000, NetWare, Linux, etc)

The Compaq Insight Management Suite utilizes SNMP as a primary
communications method.  Fixes to the operating systems affected will
be provided by the vendors involved.  Check
http://www.compaq.com/manage/security for the most up-to-date
information.

_______________________________________________
Deskpro, Professional Workstation, Armada, Evo:

The Deskpro, Professional Workstation, Armada, Evo (Microsoft
operating systems including Windows XP, Windows 2000, Windows 98, and
Windows 95) Compaq Management Agents for Clients utilizes SNMP as an
optional communications method.

Fixes to the operating systems affected
will be provided by Microsoft.  Check
www.microsoft.com/technet/security/bulletin/MS02-006.asp for the most
up-to-date information.


_____________________________________
Compaq SANworks Management Appliance:

The SANworks management appliance is essentially a Compaq server and
our recommended configuration does not have it connected directly to
the internet.  Therefore, it is less exposed than other servers to
external SNMP security attacks.  However, the appliance is
susceptible to SNMP security attacks from inside the firewall that
could result in the graceful termination of some storage management
applications on the appliance.

Compaq will provide a patch to the appliance as soon as possible.

_____________________________
COMPAQ STORAGEWORKS PRODUCTS:

UPDATE: 08 MARCH, 2002

The following Compaq StorageWorks products have Ethernet
connections that may potentially be exposed to the SNMPv1
vulnerability:

Compaq StorageWorks SAN Switch 8, 8-EL, 16, 16-EL, 2/16, Integrated
32 or 64 Port
Compaq StorageWorks SAN Director 64
Compaq StorageWorks Modular Data Router
Compaq StorageWorks 12 Port Fibre Channel Managed Hub
Compaq StorageWorks 20/40 GB 8 Cassette AutoLoader


RESOLUTION:
Compaq StorageWorks SAN Switch 8, 8-EL,
16, 16-EL, 2/16, Integrated 32 or 64 Port:
There are currently no known issues related to vulnerability
notes VU#854306 or VU#107186 with these products.
They have passed all validation tests conducted to date.

Compaq StorageWorks SAN Director 64:
This product has been evaluated with a SNMP based test program that
attempts to overload the director with SNMP traffic such as GET, Set
and Get Next commands. No problems were found in this testing.
Additionally, Compaq is in the process of evaluating the details of
the SNMP implementation in this product. Any problems identified that
are determined to pose a risk to customer operations will be
documented and addressed in future maintenance releases. Note that
the advisory documented two areas of vulnerability. One area involves
Trap handling on the part of SNMP Management components, and the
other area involves the processing of GET, Set and Get Next commands
on the part of SNMP Agent components. The director implements only
the SNMP Agent components, so none of the problems related to Trap
handling apply. Also, the SNMP Agent on the director management
server is disabled by default.  No SNMP messages are processed by
the management server unless the systems administrator has explicitly
enabled the SNMP Agent.  On the director itself, the SNMP Agent is
enabled by default, but for read access only.

Compaq StorageWorks Modular Data Router:
The potential vulnerability has to do with SNMP Set commands.
The only Set command the MDR allows is to set the trap address.

Compaq StorageWorks 12 Port Fibre Channel Managed Hub:
Compaq is in the process of evaluating the SNMP implementation
in this product.

Compaq StorageWorks 20/40 GB 8 Cassette AutoLoader:
Compaq is in the process of evaluating the SNMP implementation
in this product.

________________________
COMPAQ/MICROCOM PRODUCTS:

UPDATE: MARCH 08, 2002
_________________________________________
Microcom Access Integrator (All Versions)
Compaq-Microcom 6000 Series Remote Access Concentrators (All Versions)

Both products use SNMPv1 protocol as the transport for system
management, either through expressWATCH, or third party SNMP clients.
These products are normally managed over the LAN by clients using IP
ports UDP 161 for SNMP and UDP 162 for SNMP Traps.  The SNMP agents
integrated in these products cannot be disabled. Access to the system
via the PRI, T1 or analog modules does not present a security risk
related to SNMPv1.

Incursions may result in instability of the system requiring a hard
reset of one or more of the systems modules, which will result in
temporary loss of connectivity to dial in clients. Users will be
able to reconnect after the system has reset.

RECOMMENDATIONS:
Compaq recommends the following precautions in accordance with good
general networking administration practices.

1. Apply perimeter filtering to SNMP traffic. Upstream
internet routers, or Firewall should be configured to filter
UDP ports 161 and 162.

2. Compaq has always recommended that the associated
engines contained in the CM6000 Series reside on an internal
network using a non-routable private addressing scheme.

3. The system should not be managed over the internet or
a non secure LAN.

______________________________
Microcom ISPorte (All Versions)
Compaq Microcom 4000 concentrator

These products make very limited use of the SNMPv1 protocol on
the Ethernet portion of their PRI/T1 modules. In the limited
number of installations where digital calls are being tunneled
to NT servers on the connected LAN, there is a potential for
SNMP packets to reach the PRI/T1 card through its Ethernet
port. Access to the system via the analog modem modules does
not present a security risk related to SNMPv1.

Incursions may result in instability of the PRI/T1 card, resulting
in a loss of connectivity for dial in users. A hard reset is the
only way to correct these failures, but a hard reset will also
disconnect all remaining users. Users will be able to reconnect
after the system resets.

RECOMMENDATIONS:
Compaq recommends the following precautions in accordance with good
general networking administration practices.

1. Apply perimeter filtering to SNMP traffic. Upstream internet
routers should be configured to filter UDP ports 161 and 162.

2. If the system is being used for analog dial in access only,
it should not be connected to the LAN via the Ethernet port on
the PRI/T1 card.

___________________________
Microcom SNMP HDMS+ System (Version 1.3.1)

The great majority of HDMS+ systems installed do not have SNMP
capabilities and are therefore not at risk. These systems can be
identified by the absence of a 10baseT connector on the rear of the
controller card.

A limited number of SNMP HDMS+ systems were produced; this product
uses SNMPv1 protocol as the transport for system management.
Management clients can include either expressWATCH, or third party
SNMP clients.

The product can be managed over the LAN by clients using IP ports
UDP 161 for SNMP and UDP 162 for SNMP Traps, or through a serial
RS232 port using SLIP.  The SNMP agents integrated in these products
cannot be disabled. Access to the system via the analog modem modules
does not present a security risk related to SNMPv1.

Incursions may result in instability of the systems management
controller, which may require a hard reset. The reset of this
controller may result in a temporary loss of connectivity for
dial in users. Dial in users will be able to reconnect after
the system has reset.

RECOMMENDATIONS:
Compaq recommends the following precautions in accordance with good
general networking administration practices.

1. Apply perimeter filtering to SNMP traffic. Upstream
internet routers or firewalls should be configured to filter
UDP ports 161 and 162.

2. The system should not be managed over the internet.

3. The system should not be managed over a non secure LAN.
Direct management via a serial RS232 SLIP connection would be
recommended.

For assistance or clarification on any of the recommendations for
Compaq/Microcom products, please call 01-800-652-6672 and from
the menu select 2,3,1 then enter routing code 1851

____________________________________________________________________




NOTE:

Many systems operate behind firewalls and would normally
implement SNMP blocking for SNMP as standard procedure. Based on SNMP
blocking and ingress/egress filtering, the potential Security
vulnerability may only be exploited by users who have access to your
local security domain, therefore the risk is diminished.


SUPPORT:

This advisory bulletin will be updated for the various
products requiring patches and individual patch notifications
will be done through standard "patch notification" procedures
for those products. For further information, contact your normal
Compaq Support channel.


SUBSCRIBE:

To subscribe to automatically receive future Security
Advisories from Compaq's Software Security Response Team via
electronic mail:

http://www.support.compaq.com/patches/mailing-list.shtml

REPORT:

To report a potential security vulnerability with any Compaq
supported product, send email mailto:security-ssrt@compaq.com
or mailto:sec-alert@compaq.com

Compaq appreciates your cooperation and patience. As always,
Compaq urges you to periodically review your system management
and security procedures. Compaq will continue to review and
enhance the security features of its products and work with
our customers to maintain and improve the security and integrity
of their systems.

"Compaq is broadly distributing this Security Bulletin in order to
bring to the attention of users of the affected Compaq products the
important security information contained in this Bulletin.
Compaq recommends that all users determine the applicability of
this information to their individual situations and take appropriate
action.  Compaq does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently,
Compaq will not be responsible for any damages resulting from
user's use or disregard of the information provided in this
Bulletin."

Copyright 2002 Compaq Information Technologies Group, L.P.
Compaq shall not be liable for technical or editorial errors
or omissions contained herein. The information in this document
is subject to change without notice. Compaq and the names of
Compaq products referenced herein are, either, trademarks
and/or service marks or registered trademarks and/or service
marks of Compaq Information Technologies Group, L.P. Other product
and company names mentioned herein may be trademarks and/or service
marks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBPKvKLjnTu2ckvbFuEQIvUgCg1CoJe3iEge4LRw1ZcViAV+jMJ1sAoMmX
ZplSH0HnvCqvr1h8aXJqqyj3
=PfBm
-----END PGP SIGNATURE-----




 
 



Copyright 2021, SecurityGlobal.net LLC