Vulnerability Note VU#107186

Multiple vulnerabilities in SNMPv1 trap handling

SNMPv1 supports five different types of messages: GetRequest, SetRequest, GetNextRequest, GetResponse, and Trap. A single SNMP message is referred to as a Protocol Data Unit (PDU). These messages are described using Abstract Syntax Notation One (ASN.1) and translated into binary format using Basic Encoding Rules (BER). SNMP trap messages are sent from agents to managers. Trap messages are unsolicited (the manager does not issue a request message) and may indicate a warning or error condition or otherwise notify the manager about the agent's state. SNMP managers should reliably decode trap messages and process the resulting application data. OUSPG performed two sets of tests of SNMP trap message handling: one test focused on ASN.1 decoding, the second looked for exceptions in the processing of the decoded data.

The results yielded multiple vulnerabilities in both the ASN.1 decoding and the subsequent processing of SNMP trap messages by many different SNMP managers. Vulnerabilities include denial-of-service conditions, format string vulnerabilities, and buffer overflows. Some vulnerabilities do not require the request message to use the correct SNMP community string.

Additional Background Information on the OUSPG

OUSPG is a academic research group located at Oulu University in Finland. The purpose of this research group is to test software for vulnerabilities.

History has shown that the techniques used by the OUSPG have discovered a large number of previously undetected problems in the products and protocols they have tested. In 2001, the OUSPG produced a comprehensive test suite for evaluating implementations of the Lightweight Directory Access Protocol (LDAP). This test suite was developed with the strategy of stressing protocol implementations in unsupported and unexpected ways, and it was very effective in uncovering a wide variety of vulnerabilities across several products. This approach can reveal vulnerabilities that would not manifest themselves under normal operating conditions.

After completing its work on LDAP, OUSPG moved its focus to SNMPv1. As with LDAP, they designed a custom test suite, began testing a selection of products, and found a number of vulnerabilities. Because OUSPG's work on LDAP was similar in procedure to its current work on SNMP, you may wish to review the LDAP Test Suite and CERT Advisory CA-2001-18, which outlined results of application of the test suite.

In order to test the security of protocols like SNMPv1, the PROTOS project presents a server with a wide variety of sample packets containing unexpected values or illegally formatted data. As a member of the PROTOS project consortium, the OUSPG used the PROTOS c06-snmpv1 test suite to study several implementations of the SNMPv1 protocol. Results of the test suites run against SNMP indicate that there are many different vulnerabilities on many different implementations of SNMP.

Background Information on the Simple Network Management Protocol

The Simple Network Management Protocol (SNMP) is the most popular protocol in use to manage networked devices. SNMP was designed in the late 80's to facilitate the exchange of management information between networked devices, operating at the application layer of the ISO/OSI model. The SNMP protocol enables network and system administrators to remotely monitor and configure devices on the network (devices such as switches and routers). Software and firmware products designed for networks often make use of the SNMP protocol. SNMP runs on a multitude of devices and operating systems, including, but not limited to,

Core Network Devices (Routers, Switches, Hubs, Bridges, and Wireless Network Access Points)
Consumer Broadband Network Devices (Cable Modems and DSL Modems)
Consumer Electronic Devices (Cameras and Image Scanners)
Networked Office Equipment (Printers, Copiers, and FAX Machines)
Network and Systems Management/Diagnostic Frameworks (Network Sniffers and Network Analyzers)
Networked Medical Equipment (Imaging Units and Oscilloscopes)
Manufacturing and Processing Equipment

Implicit in the SNMP architectural model is a collection of network management stations and network elements. Network management stations execute management applications which monitor and control network elements. Network elements are devices such as hosts, gateways, terminal servers, and the like, which have management agents responsible for performing the network management functions requested by the network management stations. The Simple Network Management Protocol (SNMP) is used to communicate management information between the network management stations and the agents in the network elements.

RFC 3000 Internet Official Protocol Standards
RFC 1212 Concise MIB Definitions
RFC 1213 Management Information Base for Network Management of TCP/IP-based Internets: MIB-II
RFC 1215 A Convention for Defining Traps for use with the SNMP
RFC 1270 SNMP Communications Services
RFC 2570 Introduction to Version 3 of the Internet-standard Network Management Framework
RFC 2571 An Architecture for Describing SNMP Management Frameworks
RFC 2572 Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
RFC 2573 SNMP Applications
RFC 2574 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
RFC 2575 View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
RFC 2576 Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework

Contact your vendor for patches.
Please see the Solution section of CA-2002-03 for additional countermeasures.

Systems Affected

http://www.cert.org/tech_tips/snmp_faq.html
http://www.kb.cert.org/vuls/id/854306
http://www.ee.oulu.fi/research/ouspg/protos/
http://www.cert.org/tech_tips/denial_of_service.html
http://www.ietf.org/rfc/rfc3000.txt
http://www.ietf.org/rfc/rfc1212.txt
http://www.ietf.org/rfc/rfc1213.txt
http://www.ietf.org/rfc/rfc1215.txt
http://www.ietf.org/rfc/rfc1270.txt
http://www.ietf.org/rfc/rfc2570.txt
http://www.ietf.org/rfc/rfc2571.txt
http://www.ietf.org/rfc/rfc2572.txt
http://www.ietf.org/rfc/rfc2573.txt
http://www.ietf.org/rfc/rfc2574.txt
http://www.ietf.org/rfc/rfc2575.txt
http://www.ietf.org/rfc/rfc2576.txt
http://www.securityfocus.com/bid/4088
http://online.securityfocus.com/bid/4132
http://online.securityfocus.com/bid/4732

Credit

The CERT Coordination Center thanks the Oulu University Secure Programming Group for reporting these vulnerabilities to us, for providing detailed technical analyses, and for assisting us in preparing this advisory. We also thank the many vendors who provided feedback regarding their respective vulnerabilities.

This document was written by Ian A. Finlay.

Other Information

If you have feedback, comments, or additional information about this vulnerability, please send us email.