Vulnerability Note VU#854306

Multiple vulnerabilities in SNMPv1 request handling

Original Release date: 12 Feb 2002 | Last revised: 07 Nov 2007

Overview

Multiple vendor SNMPv1 GetRequest, GetNextRequest, and SetRequest message handling implementations contain vulnerabilities that may allow unauthorized privileged access, denial-of-service conditions, or unstable behavior. If your site uses SNMP in any capacity, the CERT/CC encourages you to read the information provided below.

Description

The Oulu University Secure Programming Group (OUSPG) has reported numerous vulnerabilities in multiple vendor SNMPv1 implementations. By applying the PROTOS c06-SNMPv1 test suite to a variety of popular SNMPv1-enabled products, the OUSPG revealed a number of vulnerabilities across a wide range of products. This vulnerability note focuses on vulnerabilities occurring in code responsible for SNMPv1 request handling.

SNMPv1 supports five different types of messages: GetRequest, SetRequest, GetNextRequest, GetResponse, and Trap. A single SNMP message is referred to as a Protocol Data Unit (PDU). These messages are described using Abstract Syntax Notation One (ASN.1) and translated into binary format using Basic Encoding Rules (BER). SNMP request messages are sent from managers to agents. Request messages can poll the agent for current performance or configuration data, ask for the next SNMP object in a Management Information Base (MIB), or modify configuration settings. SNMP agents should reliably decode request messages and process the resulting application data. OUSPG performed two sets of tests of SNMP request message handling: one test focused on ASN.1 decoding, the second looked for exceptions in the processing of the decoded data.

The results yielded multiple vulnerabilities in both the ASN.1 decoding and the subsequent processing of SNMP request messages by many different SNMP agents. Vulnerabilities include denial-of-service conditions, format string vulnerabilities, and buffer overflows. Some vulnerabilities do not require the request message to use the correct SNMP community string.

Additional Background Information on the OUSPG

OUSPG is a academic research group located at Oulu University in Finland. The purpose of this research group is to test software for vulnerabilities.

History has shown that the techniques used by the OUSPG have discovered a large number of previously undetected problems in the products and protocols they have tested. In 2001, the OUSPG produced a comprehensive test suite for evaluating implementations of the Lightweight Directory Access Protocol (LDAP). This test suite was developed with the strategy of stressing protocol implementations in unsupported and unexpected ways, and it was very effective in uncovering a wide variety of vulnerabilities across several products. This approach can reveal vulnerabilities that would not manifest themselves under normal operating conditions.

After completing its work on LDAP, OUSPG moved its focus to SNMPv1. As with LDAP, they designed a custom test suite, began testing a selection of products, and found a number of vulnerabilities. Because OUSPG's work on LDAP was similar in procedure to its current work on SNMP, you may wish to review the LDAP Test Suite and CERT Advisory CA-2001-18, which outlined results of application of the test suite.

In order to test the security of protocols like SNMPv1, the PROTOS project presents a server with a wide variety of sample packets containing unexpected values or illegally formatted data. As a member of the PROTOS project consortium, the OUSPG used the PROTOS c06-snmpv1 test suite to study several implementations of the SNMPv1 protocol. Results of the test suites run against SNMP indicate that there are many different vulnerabilities on many different implementations of SNMP.

Background Information on the Simple Network Management Protocol

The Simple Network Management Protocol (SNMP) is the most popular protocol in use to manage networked devices. SNMP was designed in the late 80's to facilitate the exchange of management information between networked devices, operating at the application layer of the ISO/OSI model. The SNMP protocol enables network and system administrators to remotely monitor and configure devices on the network (devices such as switches and routers). Software and firmware products designed for networks often make use of the SNMP protocol. SNMP runs on a multitude of devices and operating systems, including, but not limited to,

    Core Network Devices (Routers, Switches, Hubs, Bridges, and Wireless Network Access Points)
    Consumer Broadband Network Devices (Cable Modems and DSL Modems)
    Consumer Electronic Devices (Cameras and Image Scanners)
    Networked Office Equipment (Printers, Copiers, and FAX Machines)
    Network and Systems Management/Diagnostic Frameworks (Network Sniffers and Network Analyzers)
    Networked Medical Equipment (Imaging Units and Oscilloscopes)
    Manufacturing and Processing Equipment

The SNMPv1 protocol is formally defined in RFC1157. Quoting from that RFC:
    Implicit in the SNMP architectural model is a collection of network management stations and network elements. Network management stations execute management applications which monitor and control network elements. Network elements are devices such as hosts, gateways, terminal servers, and the like, which have management agents responsible for performing the network management functions requested by the network management stations. The Simple Network Management Protocol (SNMP) is used to communicate management information between the network management stations and the agents in the network elements.

Additionally, SNMP is discussed in a number of other RFC documents:
    RFC 3000 Internet Official Protocol Standards
    RFC 1212 Concise MIB Definitions
    RFC 1213 Management Information Base for Network Management of TCP/IP-based Internets: MIB-II
    RFC 1215 A Convention for Defining Traps for use with the SNMP
    RFC 1270 SNMP Communications Services
    RFC 2570 Introduction to Version 3 of the Internet-standard Network Management Framework
    RFC 2571 An Architecture for Describing SNMP Management Frameworks
    RFC 2572 Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
    RFC 2573 SNMP Applications
    RFC 2574 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
    RFC 2575 View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
    RFC 2576 Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework

Impact

These vulnerabilities may cause denial-of-service conditions, service interruptions, and in some cases may allow an attacker to gain access to the affected device. Specific impacts will vary from product to product.

Solution

Note that many of the mitigation steps recommended below may have significant impact on your everyday network operations and/or network architecture. Care should therefore be taken to ensure that any changes made based on the following recommendations will not negatively impact your ongoing network operations capability.

Contact your vendor for patches.

Please see the Solution section of CA-2002-03 for additional countermeasures.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
3ComAffected20 Sep 200120 Feb 2002
ADTRAN Inc.Affected10 Jan 200221 Feb 2002
AdventNetAffected08 Jan 200207 Nov 2007
American Power Conversion CorporationAffected10 Jan 200209 Apr 2002
AprismaAffected09 Jan 200206 Mar 2002
AvayaAffected23 Jan 200207 Mar 2002
BEA Systems Inc.Affected09 Jan 200219 Jun 2002
BinTec Communications AGAffected-11 Jun 2002
BMC SoftwareAffected-11 Jun 2002
CacheFlow Inc.Affected09 Jan 200205 Feb 2002
Carrier AccessAffected-07 Mar 2002
Cisco Systems, Inc.Affected20 Sep 200113 Feb 2002
CNTAffected09 Jan 200208 Apr 2002
Compaq Computer CorporationAffected17 Oct 200110 Apr 2002
Computer AssociatesAffected11 Jan 200212 Feb 2002
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The CERT Coordination Center thanks the Oulu University Secure Programming Group for reporting these vulnerabilities to us, for providing detailed technical analyses, and for assisting us in preparing this advisory. We also thank the many vendors who provided feedback regarding their respective vulnerabilities.

This document was written by Ian A. Finlay.

Other Information

  • CVE IDs: CVE-2002-0013
  • CERT Advisory: CA-2002-03
  • Date Public: 12 Feb 2002
  • Date First Published: 12 Feb 2002
  • Date Last Updated: 07 Nov 2007
  • Severity Metric: 42.64
  • Document Revision: 153

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.