SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   SNMP Daemon Vendors:   [Multiple Authors/Vendors]
(Caldera Issues Fix for Open UNIX/UnixWare) Re: Many Simple Network Management Protocol (SNMP) Implementations Allow Remote Users to Deny Service or Obtain Access to the System
SecurityTracker Alert ID:  1003527
SecurityTracker URL:  http://securitytracker.com/id/1003527
CVE Reference:   CAN-2002-0012, CAN-2002-0013   (Links to External Site)
Date:  Feb 12 2002
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   CERT reported that the University of Oulu (Finland) has discovered vulnerabilities in many vendor implementations of the Simple Network Management Protocol (SNMP) version 1.

The Oulu University Secure Programming Group (OUSPG, http://www.ee.oulu.fi/research/ouspg/) reports that there are numerous vulnerabilities in SNMPv1 implementations from many different vendors. A remote user can reportedly cause denial of service attacks or gain elevated privileges on the system.

The extent of the vulnerabilities depends on the specific vendor implementation. Vulnerabilities apparently include denial-of-service conditions, format string vulnerabilities, and buffer overflows. Some vulnerabilities do not require the request message to use the correct SNMP community string, according to CERT.

OUSPG reportedly performed two sets of tests of SNMP request message handling: one test focused on ASN.1 decoding, and the second looked for exceptions in the processing of the decoded data. The testers used the PROTOS c06-snmpv1 test suite:

http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html

Some of the products implement defective SNMPv1 trap handling. A remote user can reportedly send a specially crafted SNMP trap message to an SNMP manager to trigger the vulnerability.

Some of the products implement defective SNMPv1 request handling. A remote user can reportedly send a specially crafted SNMP request message to an SNMP agent to trigger the vulnerability.

Specific technical results were not available at the time of this entry. However, CERT reports that the following vendors are affected to some degree:

3Com,
AdventNet,
CacheFlow,
Caldera,
Cisco,
Compaq,
Computer Associates,
COMTEK Services,
FreeBSD,
Hewlett Packard,
Hirschmann Electronics,
Innerdive Solutions,
Juniper Networks,
Lantronix,
Lotus,
Lucent,
Marconi,
Microsoft,
Multinet,
Netscape,
NET-SNMP,
Nokia,
Novell,
Red Hat,
Redback Networks,
SNMP Research

CERT has provided more information at the following URLs:

http://www.kb.cert.org/vuls/id/854306
http://www.kb.cert.org/vuls/id/107186

Impact:   A remote user may be able to cause denial of service conditions or may be able to obtain elevated privileges on the system.
Solution:   Caldera has issued a fix for Open UNIX/UnixWare.

For Open UNIX 8.0.0:

ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.4/

The verification checksums are:

MD5 (erg711937.Z) = 62f81d5f7e0c5e0f4a2704e015d37fc4

Upgrade the affected binaries with the following commands:

Download erg711937.Z to the /tmp directory

# uncompress /tmp/erg711937.Z
# pkgadd -d /tmp/erg711937


For UnixWare 7.1.1:

ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.4/

The verification checksums are:

MD5 (erg711937b.Z) = 09b8dbdb080e5588c6f61669ea914af7

Upgrade the affected binaries with the following commands:

Download erg711937b.Z to the /tmp directory

# uncompress /tmp/erg711937b.Z
# pkgadd -d /tmp/erg711937b


For UnixWare 7.1.0:

ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.4/

The verification checksums are:

MD5 (erg711937c.Z) = f15696cfc2b9f0afc1b0432bb311151a

Upgrade the affected binaries with the following commands:

Download erg711937c.Z to the /tmp directory

# uncompress /tmp/erg711937c.Z
# pkgadd -d /tmp/erg711937c

Caldera has also provided the following workaround:

If snmp is not a needed service:

add an 'exit 0' statement (without the single quotes) as the
first executable line of /etc/rc2.d/S73snmp,

-or-

remove the execute bits from the in.snmpd binary,

# chmod 0 /usr/sbin/in.snmpd

Cause:   Access control error, Boundary error, Input validation error
Underlying OS:   Linux (Caldera/SCO)

Message History:   This archive entry is a follow-up to the message listed below.
Feb 12 2002 Many Simple Network Management Protocol (SNMP) Implementations Allow Remote Users to Deny Service or Obtain Access to the System



 Source Message Contents

Date:  Tue, 12 Feb 2002 17:38:00 -0500
Subject:  Open UNIX, UnixWare 7: snmpd memory fault vulnerabilities


This is a multi-part message in MIME format.
--------------2D8E9C461E00C15F2CC1F8D5
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.4/CSSA-2002-SCO.4.txt
--------------2D8E9C461E00C15F2CC1F8D5
Content-Type: text/plain; charset=us-ascii;
 name="CSSA-2002-SCO.4.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="CSSA-2002-SCO.4.txt"

___________________________________________________________________________

	    Caldera International, Inc. Security Advisory

Subject:		Open UNIX, UnixWare 7: snmpd memory fault vulnerabilities
Advisory number: 	CSSA-2002-SCO.4
Issue date: 		2002 February 12
Cross reference:
___________________________________________________________________________


1. Problem Description
	
	The University of Oulu (Finland) wrote approximately 53000
	tests for snmpd error conditions.  For Open UNIX and UnixWare,
	94 of the tests caused snmpd to memory fault. This could lead
	to denial-of-service attacks, or possible local and remote
	root acquisition.


2. Vulnerable Supported Versions

	Operating System	Version		Affected Files
	------------------------------------------------------------------
	Open UNIX		8.0.0		/usr/lib/libsnmp.so
	UnixWare 7		7.1.1		/usr/lib/libsnmp.so
	UnixWare 7		7.1.0		/usr/lib/libsnmp.so


3. Workaround

	If snmp is not a needed service:

	add an 'exit 0' statement (without the single quotes) as the
	first executable line of /etc/rc2.d/S73snmp,

		-or-

	remove the execute bits from the in.snmpd binary,

		# chmod 0 /usr/sbin/in.snmpd


4. Open UNIX 8.0.0

  4.1 Location of Fixed Binaries

	ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.4/


  4.2 Verification

	MD5 (erg711937.Z) = 62f81d5f7e0c5e0f4a2704e015d37fc4


	md5 is available for download from
		ftp://stage.caldera.com/pub/security/tools/


  4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:

	Download erg711937.Z to the /tmp directory

	# uncompress /tmp/erg711937.Z
	# pkgadd -d /tmp/erg711937


5. UnixWare 7.1.1

  5.1 Location of Fixed Binaries

	ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.4/


  5.2 Verification

	MD5 (erg711937b.Z) = 09b8dbdb080e5588c6f61669ea914af7


	md5 is available for download from
		ftp://stage.caldera.com/pub/security/tools/


  5.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:

	Download erg711937b.Z to the /tmp directory

	# uncompress /tmp/erg711937b.Z
	# pkgadd -d /tmp/erg711937b


6. UnixWare 7.1.0

  6.1 Location of Fixed Binaries

	ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.4/


  6.2 Verification

	MD5 (erg711937c.Z) = f15696cfc2b9f0afc1b0432bb311151a


	md5 is available for download from
		ftp://stage.caldera.com/pub/security/tools/


  6.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:

	Download erg711937c.Z to the /tmp directory

	# uncompress /tmp/erg711937c.Z
	# pkgadd -d /tmp/erg711937c


7. References

	http://www.cert.org/advisories/CA-2002-03.html


	This and other advisories are located at
		http://stage.caldera.com/support/security

	This advisory addresses Caldera Security internal incidents
	sr858479, fz519781, erg711937.


8. Disclaimer

	Caldera International, Inc. is not responsible for the misuse
	of any of the information we provide on our website and/or
	through our security advisories. Our advisories are a service
	to our customers intended to promote secure installation and
	use of Caldera International products.


9. Acknowledgements

	This vulnerability was discovered and researched by the
	University of Oulu (oulu.fi).


	 
___________________________________________________________________________

--------------2D8E9C461E00C15F2CC1F8D5--



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC