Paradyne Networks Inc. Information for VU#854306

Multiple vulnerabilities in SNMPv1 request handling

Status

Unknown. If you are the vendor named above, please contact us to update your status.

Vendor Statement

      A recent alert issued by CERT states that any device connected to the Internet has potential security vulnerability. The specific root cause relates to SNMP v1, which is implemented in many Paradyne products.  This alert has caused a number of Paradyne customers to call and request an official statement and risk assessment associated with Paradyne's equipment. 

      The purpose of this document is to inform you that Paradyne engineering staff is currently assessing the situation to determine if any vulnerabilities exist.  The analysis will take into consideration product features, SNMP v1 issues and the typical usage of our products in DSL and Frame Relay network topologies. In typical configurations, direct connection to the Internet with Paradyne devices and/or management systems is extremely rare.

      Please note that while no device is completely secure, Paradyne has implemented several safeguards that protect against intrusion such as that identified by CERT Advisory CA-2002-03.  Prior to the time that Paradyne releases a more comprehensive statement, we recommend that you take the following actions as appropriate:

      ·  Change community string from public; choose obscure names
      ·  Use device SNMP access list capability
      ·  Use firewall at NOC if NOC has access to Internet, same for CEU central site products  (FrameSaver)
      ·  Utilize inband management (dedicated management PVC) when possible

      Taken together, these methods provide a robust security feature set which should minimize the impact of the concerns raised in the CERT alert.  With this said, Paradyne will release a more complete assessment as soon as possible.  This response will consist of an analysis of the overall security risks, recommendations to mitigate these risks and, if necessary, plans for the introduction of new code to close any identified security breaches.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.