NCipher Corp. Information for VU#854306

Multiple vulnerabilities in SNMPv1 request handling

Status

Affected

Vendor Statement

      nCipher Corp. supplies two SNMP products:

      1) an SNMP agent bundled with the nForce/nShield and older nFast products
      (nFast 75, 150 and 300)
      2) The SNMP support software bundled with the newer nFast800 products.

      The first product (bundled with the nForce, nShield and nFast 75/150/300
      range) is a customised NET-SNMP agent version 4.2.1.  This is vulnerable
      to VU#854306 but not VU#107186.  nCipher has upgraded this software to
      the NET-SNMP release 4.2.3 and this is now available as a patch release
      (see below).

      The second product (bundled with the nFast800 product) has two operating
      modes, one for Linux (and, in the near future, Solaris) and one for
      Windows NT/2000.  In each case, the only agent used is the one currently
      installed on the OS (NET-SNMP for Linux/Solaris and the Microsoft SNMP
      agent for Windows); the nCipher-supplied software runs in a separate
      process.

      Customers using this product should therefore ensure that their
      operating system SNMP agent is patched against this vulnerability.

      On Linux or Solaris, this requires installation of the NET-SNMP version
      4.2.2 or greater.  Running 'snmpd -v' (make sure it is in your path) will
      tell you the version of the NET-SNMP agent you are currently running.

      On Windows, this will require installation of the forthcoming patch from
      Microsoft.  If you have not installed the patch from Microsoft and the
      'SNMP Service' is running then you are affected.

      Again, if upgrading is not currently possible customers are advised to
      disable the SNMP service if it might be exposed to hostile network
      traffic, or make use of other suggestions supplied elsewhere in CERT
      advisory CA-2002-03.

      nCipher has released a specific advisory, which may be obtained from
      http://www.ncipher.com/support/advisories/ - this includes a patch to
      download that upgrades the nCipher agent to version 4.2.3 of the
      NET-SNMP kit and fixes the issues listed above.  Installation instructions are
      contained within the patch file.
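
The version check described in the statement can be scripted across hosts. The following is an added example, not part of the vendor statement or nCipher's software: it classifies captured `snmpd -v` output against the 4.2.2 minimum stated above. The function names, the `--local` switch and the sample banner lines in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): classify `snmpd -v` output against the
# minimum NET-SNMP version named in the statement (4.2.2).
MIN_VERSION="4.2.2"

# Print the first dotted version number (N.N, N.N.N, ...) found on stdin.
# Assumption: the banner carries the version in that form, e.g. the
# constructed sample line "UCD-snmp version:  4.2.1".
extract_version() {
    awk 'match($0, /[0-9]+(\.[0-9]+)+/) {
        print substr($0, RSTART, RLENGTH); exit
    }'
}

# Succeed if dotted version $1 >= $2. Fields are compared numerically,
# so 4.10.0 ranks above 4.2.2 (a plain string comparison gets this wrong),
# and missing fields count as 0 (4.2 is treated as 4.2.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Read banner text on stdin and print one of:
#   "ok <version>"       at or above MIN_VERSION
#   "upgrade <version>"  below MIN_VERSION
#   "unknown"            no version found (agent missing, unexpected output)
classify_snmpd() {
    ver=$(extract_version)
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_ge "$ver" "$MIN_VERSION"; then
        echo "ok $ver"
    else
        echo "upgrade $ver"
    fi
}

# Check the agent on this host only when asked to (hypothetical switch).
if [ "${1:-}" = "--local" ]; then
    snmpd -v 2>&1 | classify_snmpd
fi
```

An "unknown" result should be followed up by hand, since it covers both a host with no `snmpd` in the path and a banner in a format the script does not recognise.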

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.
