Dell Information for VU#854306

Multiple vulnerabilities in SNMPv1 request handling

Status

Affected

Vendor Statement

      Title
      Dell Response to CERT® Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)

      Audience

      For worldwide distribution provided that the contents are not altered in any way.

      Released

      April 8, 2002

      Updated

      April 19, 2002 (Updated the Dell PowerVault section regarding PowerVault 701N and PowerVault 705N)

      Reference

      CERT Advisory CA-2002-03 - http://www.cert.org/advisories/CA-2002-03.html

      Overview

      The CERT/CC released an industry-wide SNMP advisory on February 12, 2002. An SNMPv1 test suite provided by the Oulu University Secure Programming Group (OUSPG) has been found to adversely affect many SNMPv1 implementations, causing the potential for “unauthorized privileged access”, “denial-of-service attacks” and general unstable behavior.

      Potential Impact

      Dell PowerEdge
      Dell OpenManage
      Dell PowerVault
      Dell PowerApp
      Dell PowerConnect


      Dell PowerEdge, Dell OpenManage
      Dell PowerEdge servers running Dell OpenManage software utilize SNMPv1; however, this software makes use of the operating system’s master SNMP agent. After applying the appropriate update(s) from the operating system manufacturer, Dell SNMP agents are not affected.

      Solution: Apply the appropriate update(s) provided by the operating system vendor. For more information, click here.


      Dell PowerVault
      The following Dell PowerVault storage systems have been found vulnerable to the OUSPG SNMPv1 test suite:

      Dell PowerVault 701N
      Dell PowerVault 705N

      Solution: These devices require an update from Dell.

      The Dell PowerVault Assist utility that is required to update both PowerVault 701N and PowerVault 705N devices can be found here.
      The updated image for both the PowerVault 701N and PowerVault 705N devices can be found here.


      Dell PowerApp
      The following Dell PowerApp appliance has been found vulnerable to the OUSPG SNMPv1 test suite:

      Dell PowerApp 220 (Dell PowerApp.BIG-IP)

      Solution: This device requires an update from Dell.

      Information regarding the update for non-encrypted devices can be found here.
      Information regarding the update for encrypted devices can be found here.


      Dell PowerConnect
      All Dell PowerConnect devices successfully passed the test cases provided by the OUSPG SNMPv1 test suite.


      Operating System Vendor Information
      The following Dell supported operating system vendors have released information regarding their SNMPv1 vulnerabilities:

      Microsoft®

      http://www.microsoft.com/technet/security/bulletin/MS02-006.asp

      Novell®

      http://support.novell.com/servlet/tidfinder/2961546

      Red Hat®

      http://www.redhat.com/support/errata/RHSA-2001-163.html


      Dell Computer Corporation has provided this advisory bulletin in response to the concerns raised by OUSPG and to provide information to users of Dell systems regarding its SNMP implementation. Dell recommends that users review this information and determine its applicability to their individual situations. In addition, Dell does not provide any warranty as to the accuracy or completeness of this information and will not be liable for damages that may result from usage or disregard of the information provided. The information provided is subject to change. For further information and related updates, please contact your standard Dell support channel. Dell retains ownership of its trademarks and service marks as well as the information contained in this advisory bulletin.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.
