Network Appliance Information for VU#854306
Multiple vulnerabilities in SNMPv1 request handling
Information about the vulnerability of our systems has been posted on our
primary support site: NOW (http://now.netapp.com ). The following field alert
has also been issued to our customers:
Field Alert # 120: CERT Advisory CA-2002-03: SNMP Vulnerabilities
Testing shows some NetApp products will be affected by some of the issues
listed in the CERT Advisory.
Please note that NetCache appliances are only vulnerable if the attack comes
from a trusted host.
The following appliances will PANIC when under attack: F85, F87, F820, F840,
F880, C1100 series, C3100, C6100. The following appliances were not observed
to panic, but they may still be vulnerable to attack: F720, F740, F760,
C720, C760. Information about the bug associated with this vulnerability can
be found in Bugs Online area of NOW (http://now.netapp.com ).
What happens when a filer/cache is hit by these cases?
The NetApp system will PANIC with a PANIC string similar to the following:
PANIC: Protection Fault accessing address 0x00000001 from EIP 0x5f02c9 in
process snmpd on release NetApp Release Rxxxxxxxx on Wed Feb 13 02:19:14
What releases have the fix for this issue?
Patches have been built for the following OS levels:
Data ONTAP 5.3.7R3 - Patch is 5.3.7R3D12
Data ONTAP 6.1.1R2 - Patch is 6.1.1R2D16
Data ONTAP 6.1.2R1 - Patch is 6.1.2R1D4
NetCache 5.1 - Patch is 5.1R2D22
NetCache 5.2.1 - Patch is 5.2.1R1D2
The patches for both Data ONTAP and NetCache are available on the NOW site.
What will I see if someone attempts to attack my machine and I have
installed an OS with the fix?
You will see a message similar to the following in the messages log and the
filer or NetCache will continue to function normally.
Wed Feb 13 21:57:56 GMT [snmpd:warning]: SNMP detected possible buffer
overflow attempt, skipping request
For more information visit http://now.netapp.com
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.