net.com Information for VU#854306

Multiple vulnerabilities in SNMPv1 request handling

Status

Affected

Vendor Statement

      Network Equipment Technologies, dba net.com
      Security Advisory:
      SNMPv1 Request and Trap Handling Vulnerabilities
      Release Date: 22 February 2002

      On February 12, 2002 the CERT®/CC released an advisory related to security vulnerabilities that may exist in network devices using SNMPv1 as the management protocol. In response to this advisory, CERT® Advisory CA-2002-03 "Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)", net.com began executing the tests that elicit these vulnerabilities for all net.com products that feature SNMPv1 capability.

      Preliminary analysis indicates that multiple net.com products may exhibit certain vulnerabilities to SNMP messages as described in this Advisory. net.com is currently applying the PROTOS c06-SNMPv1 test suite to all products that feature SNMPv1 capability.
      Until net.com has completed testing on all of its products and provided patches or fixes to eliminate these vulnerabilities, net.com recommends one or more of the following best practices, as identified in CERT® Advisory CA-2002-03, to minimize your network’s potential exposure to these vulnerabilities:
      · Disable SNMP on workstations or devices not being managed by SNMP managers.
      · Ingress filtering
      · Egress filtering
      · Filter SNMP traffic from non-authorized internal hosts
      · Segregate SNMP traffic onto a separate management network
      · Restrict SNMP traffic to Virtual Private Networks (VPNs)
      · Change default community strings

      For more information please see: www.net.com/service/

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.