SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   SNMP Daemon Vendors:   Sun
(Sun Issues Alert) Re: Sun Solstice Enterprise Master Agent (SEA) and Sun SNMP Agent Have Bugs That Let Remote Users Gain Root Privileges
SecurityTracker Alert ID:  1004497
SecurityTracker URL:  http://securitytracker.com/id/1004497
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 10 2002
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Vulnerabilities were reported in Sun's Solstice Enterprise Master Agent (snmpdx) and SNMP Agent (mibiisa). A remote user can execute arbitrary code with root privileges to gain full control of the system.

Sun and Entercept Security Technologies' Ricochet Team report that a format string vulnerability resides in the logging component of 'snmpdx'. In addition, Sun reports that there is a buffer overflow in the MIB parsing component 'mibiisa'. Both of these flaws allow a remote user to cause arbitrary code to be executed on the system.

A remote user can send a specially crafted packet to either daemon to trigger the overflow. Because these daemons run with root level privileges, any user-supplied arbitrary code will be run with root privileges.

Both the snmpdx daemon and the mibiisa daemon are reportedly started by default via the /etc/rc3.d/S76snmpdx startup script.

Entercept's Ricochet Security Advisory Advisory is available at:

http://www.entercept.com/dr/snmp/

Impact:   A remote user can execute arbitrary code on the system. The code will run with root privileges, giving the remote user full control of the system.
Solution:   In addtion to Security Bulletin #00219, Sun has issued Sun Alert 43986.

Sun has released patches to correct the problem.

SPARC

Solaris 2.6 with patch 106787-18 or later
Solaris 7 with patch 107709-19 or later
Solaris 8 with patch 108869-16 or later

Intel

Solaris 2.6 with patch 106872-18 or later
Solaris 7 with patch 107710-19 or later
Solaris 8 with patch 108870-16 or later

Sun indicates that users of Solaris 2.5.1 systems will need to upgrade to a later release of Solaris.

Also, the Solaris 2.6 patches for this bug applies to SEA 1.0.3. Solaris 2.6 users who are still using SEA 1.0.1 (the default version shipped with Solaris 2.6) will need to first upgrade to SEA 1.0.3 before applying the patches.

Sun warns that when upgrading SEA 1.0.1 to 1.0.3, it is important to adhere to the following Release Notes instructions:

http://wwws.sun.com/software/entagents/docs/releasehtml/release_notes103.doc.html

It is necessary to pkgrm(1M) the existing packages and then pkgadd(1M) the new ones.

To determine which version of SEA is installed, use the following command:

$ pkginfo SUNWmibii

If the output does not list 1.0.3 it is an earlier version of SEA.

Sun notes that the snmpdx(1M) and mibiisa(1M) daemons are started by default when the system boots up.

Sun has provided the following workaround:

If the sndmpx(1M) and the mibiisa(1M) daemons are not being utilized they can be disabled using the procedure below. This would prevent unauthorized root access due to a buffer overflow. The following workaround requires both of the actions below:

Stop the execution of the snmpdx daemon:

# /etc/init.d/init.snmpdx stop

Disable the snmpdx daemon from being restarted on system reboot:

# mv /etc/rc3.d/S76snmpdx /etc/rc3.d/_S76snmpdx

Vendor URL:  sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/219&type=0&nav=sec.sba (Links to External Site)
Cause:   Boundary error, Input validation error
Underlying OS:  UNIX (Solaris - SunOS)
Underlying OS Comments:  2.6, 7, 8; SPARC and Intel

Message History:   This archive entry is a follow-up to the message listed below.
Jun 4 2002 Sun Solstice Enterprise Master Agent (SEA) and Sun SNMP Agent Have Bugs That Let Remote Users Gain Root Privileges



 Source Message Contents

Subject:  Security Issues with Solstice Enterprise Agents (SEA) snmpdx(1M) and



DOCUMENT ID: 43986 
SYNOPSIS: Security Issues with Solstice Enterprise Agents (SEA)
snmpdx(1M) and mibiisa(1M) 
DETAIL DESCRIPTION: 
Sun(sm) Alert Notification 
Sun Alert ID: 43986 

Synopsis: Security Issues with Solstice Enterprise Agents (SEA)
snmpdx(1M) and mibiisa(1M) 

Category: Security 

Product: Solaris 
BugIDs: 4640230, 4640211, 4639581, 4639285, 4639509, 4639515 
Avoidance: Patch, Upgrade 

State: Resolved 
Date Released: 05-Jun-2002 
Date Closed: 05-Jun-2002 
Date Modified: 
1. Impact 
Unprivileged local or remote users may be able to kill the snmpdx(1M) or
mibiisa(1M) daemons due to the mishandling of SNMP requests. This would
cause a denial of service for utilities or users attempting to access
these daemons. 

Also, unprivileged local or remote users may be able to gain
unauthorized root access due to a buffer overflow in snmpdx(1M) and
mibiisa(1M). 


2. Contributing Factors 
This issue can occur in the following releases: 

SPARC 

Solaris 2.5.1 
Solaris 2.6 without patch 106787-18 
Solaris 7 without patch 107709-19 
Solaris 8 without patch 108869-16 
Intel 

Solaris 2.5.1 
Solaris 2.6 without patch 106872-18 
Solaris 7 without patch 107710-19 
Solaris 8 without patch 108870-16 
Note 1: Solaris 2.5.1 is affected by this issue, however Solstice
Enterprise Agent (SEA) is no longer supported on Solaris 2.5.1. Solaris
2.5.1 users will need to upgrade to a later release of Solaris. 

Note 2a: The Solaris 2.6 patches for these issues apply to SEA 1.0.3.
Solaris 2.6 users who are still using SEA 1.0.1 (the default version
shipped with Solaris 2.6) will need to first upgrade to SEA 1.0.3 before
applying the patches. 

Note 2b: When upgrading SEA 1.0.1 to 1.0.3, it is important to follow
the Release Notes instructions: 

http://wwws.sun.com/software/entagents/docs/releasehtml/release_notes103.doc.html 
It is necessary to pkgrm(1M) the existing packages and then pkgadd(1M)
the new ones. 

Note 2c: In order to determine which version of SEA is installed please
use the following command: 

	$ pkginfo SUNWmibii
	system      SUNWmibii      Solstice Enterprise Agents 1.0.3 SNMP
daemon        
If the output does not list 1.0.3 it is an earlier version of SEA. 

Note 3: The snmpdx(1M) and mibiisa(1M) daemons are started by default
when the system boots up. 


3. Symptoms 
The snmpdx(1M) daemon may exit resulting in a file named "core" in the
root ('/') directory. The mibiisa(1M) daemon may exit resulting in a
file named "core" only when running in standalone mode i.e without
snmpdx. 

Running file(1) on the '/core' file will reference snmpdx(1M) or
mibiisa(1M), similar to the following example: 

	# file /core 
	/core:    ELF 32-bit MSB core file SPARC Version 1, from 'snmpdx'
                                 or
        /core:    ELF 32-bit MSB core file SPARC Version 1, from
'mibiisa'       


SOLUTION SUMMARY: 
4. Relief/Workaround 
If the sndmpx(1M) and the mibiisa(1M) daemons are not being utilized
they can be disabled using the procedure below. This would prevent
unauthorized root access due to a buffer overflow. The following
workaround requires both of the actions below: 

Stop the execution of the snmpdx daemon: 

	# /etc/init.d/init.snmpdx stop                            
Disable the snmpdx daemon from being restarted on system reboot: 

	# mv /etc/rc3.d/S76snmpdx /etc/rc3.d/_S76snmpdx       

5. Resolution 
This issue is addressed in the following releases: 

SPARC 

Solaris 2.6 with patch 106787-18 or later 
Solaris 7 with patch 107709-19 or later 
Solaris 8 with patch 108869-16 or later 
Intel 

Solaris 2.6 with patch 106872-18 or later 
Solaris 7 with patch 107710-19 or later 
Solaris 8 with patch 108870-16 or later 

Note: Solaris 2.5.1 systems will need to upgrade to a later release of
Solaris. 


This Sun Alert notification is being provided to you on an "AS IS"
basis. Sun makes no representations, warranties, or guaranties as to the
quality, suitability, truth, accuracy or completeness of any of the
information contained herein. This Sun Alert notification may contain
information provided by third parties. ANY AND ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY
DISCLAIMED. The issues described in this Sun Alert notification may or
may not impact your system(s). 

BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL
DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION
CONTAINED HEREIN. 

This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your Confidential Disclosure Agreement or the confidentiality provisions
of your agreement to purchase services from Sun. In the event that you
do not have one of the above-referenced agreements with Sun, this
information is provided pursuant to the confidentiality provisions of
the Sun.com Terms of Use. This Sun Alert notification may only be used
for the purposes contemplated by these agreements. 

Copyright 2001, 2002 Sun Microsystems, Inc., 901 San Antonio Road, Palo
Alto, CA 94303 U.S.A. All rights reserved.



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC