F5 Networks, Inc. Information for VU#107186

Multiple vulnerabilities in SNMPv1 trap handling

Status

Affected

Vendor Statement

      All versions of BIG-IP, 3-DNS, GLOBAL-SITE and EDGE-FX are vulnerable if the SNMP agent is enabled. Most versions have the SNMP agent enabled by default. Patches are available for all affected versions.

      SEE-IT is not affected by this vulnerability.

      If a customer is unable to install the patch, the SNMP service may be disabled. Below are instructions for obtaining patches and for disabling the SNMP service for each vulnerable product.

      BIG-IP

      A patch exists to correct this problem. Please see http://tech.f5.com/home/bigip/solutions/security/sol1622.html .

      Alternatively, you can simply disable the SNMP service using the instructions below:

        1. Log in to the BIG-IP Configuration utility.

        2. Navigate to the SNMP section. For version 4.0 and above this is a tab under System Administration.

        3. De-select the Enable box at the top of the screen and click the Apply button.

      This will disable the SNMP service on BIG-IP.


      3-DNS

      A patch exists to correct this problem. Please see http://tech.f5.com/home/3dns/solutions/security/sol1624.html .

      Alternatively, you can simply disable the SNMP service using the instructions below:

        1. Log in to the 3-DNS Configuration utility.

        2. Navigate to the SNMP section. This is the tab under 3-DNS Sync.

        3. De-select the Enable box at the top of the screen and click the Apply button.

        4. Log in to the Command Line Interface of the 3-DNS.

        5. Run the following command:

          kill -9 `ps -ax | grep '[s]nmpd' | awk '{print $1}'`

      This will disable the SNMP service on 3-DNS.


      GLOBAL-SITE

      A patch exists to correct this problem. Please see http://tech.f5.com/home/globalsite/solutions/security/sol1626.html.

      Alternatively, you can simply disable the SNMP service using the instructions below:

      GLOBAL-SITE version 2.2

      To disable the SNMP agent for GLOBAL-SITE version 2.2, type the following commands from the command prompt:

      ITCMconsole service snmpd stop

      This command stops the snmpd agent.

      ITCMconsole service snmpd disable

      This command disables snmpd so it does not start again at the next boot.

      To verify the status of snmpd, enter the following command:

      ITCMconsole show snmpd status


      GLOBAL-SITE version 2.1PTF-01 and earlier:

      On versions 2.1 PTF-01 and earlier, snmpd is not running by default so the GLOBAL-SITE Controller should not be affected. However, if you have enabled snmpd manually, you should disable it.


      EDGE-FX

      A patch exists to correct this problem. Please see http://tech.f5.com/home/edgefx/solutions/security/sol1625.html .

      Alternatively, you can simply disable the SNMP service using the instructions below:

      There are three SNMP daemons running on the cache. By default, the EDGE-FX Cache runs the snmpd, the edgefxsnmpd, and Inktomi's snmpdm.

      Disabling snmpd and edgefxsnmpd

      To disable and stop the SNMP agents, you should use the ITCMconsole. Type the following commands from the command prompt:

      ITCMconsole service snmpd stop

      This command stops the snmpd agent.

      ITCMconsole service snmpd disable

      This command disables snmpd so it does not start again at the next boot.

      To verify the status of snmpd, enter the following command:

      ITCMconsole show snmpd status

      Once the snmpd and edgefxsnmpd daemons are disabled, no other SNMP traffic will be accepted.


      Disabling snmpdm

      The snmpdm agent is also enabled by default. This Inktomi-specific agent can be disabled or killed. In order to avoid traffic server anomalies, you should not kill this daemon.

      According to CERT Advisory CA-2002-03:

      "Inktomi Corporation does not believe our [Inktomi] CDS product is vulnerable. Vulnerability would stem from the use of SNMP Research software in the CDS product. However, SNMP Research has stated that their product Emanate, versions 15.x and higher, is not vulnerable. As Inktomi's CDS uses Emanate 15.3, we [Inktomi] conclude that CDS is not vulnerable."

      Inktomi's CDS contains the same Traffic Server that EDGE-FX utilizes, which contains the Emanate 15.3 daemon (snmpdm).

      If you still want to kill this SNMP agent, you can use the Configuration utility or the command line.

      To disable the SNMP agent from the Configuration utility:

        1. From your browser, access the Configuration utility (refer to Accessing the Configuration utility).

        2. On the Configure tab, click the Server button.

        3. Scroll to the SNMP section of the Server Basics page.

        4. Click the SNMP Agent Off radio button.

        5. Click the Make These Changes button.

      To disable the SNMP agent manually:

        1. In a text editor, open the records.config file located in the EDGE-FX Cache’s /config/traffic_server/config directory.

        2. Edit the following variable:

          proxy.config.snmp.master_agent_enabled

          Set this variable to 0 to disable SNMP on the EDGE-FX Cache node.

        3. Save and close the records.config file.

        4. Make the /usr/local/cache/bin directory the working directory and run the following command to apply the configuration changes.

          ./traffic_line -x

          Note: you can also use the following command to restart the traffic_server: start_traffic_server.


      SEE-IT

      It has been determined that SEE-IT is not vulnerable.
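
A post-change audit for the EDGE-FX steps above, added here as an example and not part of F5's statement: it reports which of the three named daemons still appear in `ps -ax` output and reads back the `proxy.config.snmp.master_agent_enabled` value. The `ps` column layout, the `records.config` line format, the daemon paths and the sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit that the SNMP agents named in the statement are off.

# Print "PID name" for each running snmpd, edgefxsnmpd or snmpdm process.
# Reads `ps -ax` output on stdin. Assumes the command is column 5
# (PID TT STAT TIME COMMAND). Matching the executable's basename exactly
# means a `grep snmpd` process is never reported as an agent.
snmp_daemons_running() {
    awk '$1 ~ /^[0-9]+$/ {
        n = split($5, path, "/")
        name = path[n]
        if (name == "snmpd" || name == "edgefxsnmpd" || name == "snmpdm")
            print $1, name
    }'
}

# Print the value of proxy.config.snmp.master_agent_enabled from
# records.config text on stdin. Assumption: the value is the last
# whitespace-separated field on the line naming the variable.
master_agent_setting() {
    awk '!/^[ \t]*#/ {
        for (i = 1; i < NF; i++)
            if ($i == "proxy.config.snmp.master_agent_enabled") {
                print $NF
                exit
            }
    }'
}

# Constructed sample inputs (not captured from a real device).
SAMPLE_PS='  PID TT  STAT   TIME COMMAND
  101 ??  Ss  0:01.20 /usr/sbin/snmpd
  102 ??  S   0:00.40 /usr/local/bin/edgefxsnmpd
  230 ??  S   0:03.10 /usr/local/cache/bin/traffic_server
  411 p0  S+  0:00.00 grep snmpd'
SAMPLE_RECORDS='# constructed records.config fragment
CONFIG proxy.config.snmp.master_agent_enabled INT 1'

echo "agents still running:"
printf '%s\n' "$SAMPLE_PS" | snmp_daemons_running
echo "master_agent_enabled = $(printf '%s\n' "$SAMPLE_RECORDS" | master_agent_setting)"
```

On a live system the same functions take `ps -ax | snmp_daemons_running` and `master_agent_setting < records.config`; an empty first result and a value of 0 indicate the workaround is in place.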

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.