Sonus Networks Information for VU#854306

Multiple vulnerabilities in SNMPv1 request handling

Status

Affected

Vendor Statement

      Since the release of CERT Advisory CA-2002-03, Sonus Networks has
      reviewed its product offering and determined a potential issue may exist within
      its management offering.

      The Sonus PSX6000, SGX2000, and Insight products utilize SNMP Research
      software in the SONScia package that has been identified by its vendor
      as possibly vulnerable to the exploit.  Sonus product versions 3.2.x,
      3.3.x, and 3.4.x all have the affected SONScia package.  The issue has been
      resolved in the upcoming 4.0 versions of the PSX6000, SGX2000, and
      Insight products and concerned customers are advised to upgrade as the software
      becomes available. 

      Sonus PSX6000, SGX2000, and Insight products run on top of Sun
      Microsystems's Solaris operating environment (versions 2.6 and 2.8). 
      Sun Microsystems has identified these operating environments as vulnerable
      to the exploit IF they are started or used. Given that Sonus Networks
      software neither starts nor uses the process in question, snmpdx, Sonus products
      are not vulnerable to the exploit through this Solaris process.

      The Sonus GSX9000 does not use the same third-party software as other
      products from Sonus Networks and at this time we have not found any problems
      relating to its SNMP operation.  Negative testing is a routine portion of
      GSX9000 SQA and to date has not shown any undesired results.  We have recently
      tested the GSX9000 with OUSPG's PROTOS c06-snmpv1 test suite and those tests
      passed successfully. 

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.
