Fluke Corporation Information for VU#107186
Multiple vulnerabilities in SNMPv1 trap handling
Fluke Networks' response to CERT Advisory 2002-03
The CERT® Coordination Center recently announced that numerous
vulnerabilities have been reported in multiple vendors' SNMP
implementations. For your information, Fluke Networks has created
the following Q&A which includes a tutorial, Using Fluke Networks
products to manage SNMP risk on your network.
What is the actual risk?
The impact of the vulnerability is different for each vendor and
their own products. For SNMP agents and Trap listeners running on
network operating systems, some attacks could bypass system security
controls. Overall, most attacks resulted in a “denial-of-service” in
which the entire product or portions of the product stopped working.
Which Fluke Networks products are affected?
Fluke Networks has tested its products that listen for SNMP Traps or
contain an internal SNMP agent. It has been discovered that some
circumstances exist that could potentially cause a
“denial-of-service” condition for a Fluke Networks product, forcing
the product to “hang” or reboot. However, this situation would only
affect Fluke Networks products and would not compromise our
Fluke Networks products that could be affected include the OptiView™
Integrated Network Analyzer, the OptiView™ Workgroup Analyzer and
the OptiView™ Link Analyzer.
As of this writing, there have been no known "denial-of-service"
incidents reported with Fluke Networks products. To reiterate,
should such an event occur involving a Fluke Networks product, this
would not affect the operation of customers' networks or any of
their network infrastructures. Nor would there be any risk of anyone
externally gaining access to customer data.
At this time, we plan to resolve all known vulnerabilities in the
next scheduled software update for the affected products. Customers
who participate in the Gold Priority Support program will be
eligible to receive these updates as part of their membership.
Customers who do not participate in this program should contact our
Technical Assistance Center (TAC) at 1-800-638-3497 (North America)
or +1-425-446-4519 (Outside North America).
We recommend the following "best practices" to reduce the potential
risk of SNMP related attacks:
1. Ensure that your external firewalls deny all incoming SNMP traffic.
2. Change the default community strings for all SNMP devices. Audit
your network for devices using the community strings of "public"
and "private" as well as for those other community strings that
are set by default by equipment manufacturers.
3. Analyze SNMP traffic for patterns of attack.
Tutorial: Using Fluke Networks products to manage this risk on your
1. Identify SNMP agents on the network
The OptiView Integrated Network Analyzer and OptiView Workgroup
Analyzer have the capability of discovering all devices within a
broadcast domain that are SNMP enabled.
On the Setup/Security screen, configure all known and old community
strings making sure you include strings such as "public", "private"
Re-run the tests by selecting the "Rerun Test" tab.
Select the "Discovery" tab and then select the SNMP Agents category
in the left hand pane. The resulting display shows all SNMP agents
discovered by the test.
2. Test your firewall for filtering SNMP traffic
From a LAN segment outside your firewall, use the OptiView
Integrated Network Analyzer to query known SNMP agents on the
protected side of your network. After the "Network-Under-Test"
interface has a proper IP configuration, enter the IP address of a
known SNMP agent on the Tools screen.
Note: Using Fluke Networks’ Protocol Expert™ on the protected side
of your firewall allows you to see if the firewall is denying any
and all SNMP traffic from flowing through the firewall as well as
preventing SNMP responses from leaving your network.
Two OptiView Analyzers, one on either side of the firewall,
can be used to easily check this condition. Use the Packet Capture
and Statistics feature to ensure that no SNMP traffic is flowing in
from outside of the firewall.
3. Analyze network patterns for SNMP attacks
Using the OptiView Integrated Network Analyzer, the OptiView
Workgroup Analyzer or the OptiView Link Analyzer, a combination of
packet capture and protocol statistics can be used to gather
evidence of an SNMP attack.
Select the "Top Hosts" tab to look for nodes that should not be
sending SNMP queries. Select the "Top Conversations" tab to check for
unusual Conversation Pairs within the SNMP traffic.
Fluke Networks' Copper and Fiber taps can be used to access
switch-to-switch links and the Switch-TAP™ capability of the
OptiView™ Inspector Console can be used to program the mirror ports
of a variety of switches.
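Added example (not Fluke Networks' or CERT/CC's code): best practices 2 and 3 and tutorial step 3 applied in Python to captured SNMP UDP payloads, flagging default community strings, requests from hosts that are not management stations, and malformed messages. The manager allowlist, the addresses and the "n0c-r3ad" community string are constructed assumptions.

```python
DEFAULT_COMMUNITIES = {b"public", b"private"}   # strings the page says to audit for
REQUESTS = {0xA0: "get", 0xA1: "getnext", 0xA3: "set"}   # SNMPv1 request PDU tags

def read_tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value, next_pos) or raise ValueError."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long-form length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length exceeds packet")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(payload):
    """Return (version, community, pdu_tag) of an SNMPv1/v2c message."""
    tag, body, _ = read_tlv(payload, 0)
    t_ver, ver, pos = read_tlv(body, 0)
    t_com, community, pos = read_tlv(body, pos)
    if (tag, t_ver, t_com) != (0x30, 0x02, 0x04) or len(ver) != 1:
        raise ValueError("not an SNMPv1/v2c header")
    return ver[0], community, read_tlv(body, pos)[0]

def review(packets, managers):
    """packets: (src_ip, udp_payload) pairs. Returns a list of (src_ip, reason)."""
    findings = []
    for src, payload in packets:
        try:
            _, community, pdu = parse_snmp_header(payload)
        except ValueError as exc:                # never trust lengths in the packet
            findings.append((src, f"malformed SNMP: {exc}"))
            continue
        if community in DEFAULT_COMMUNITIES:
            findings.append((src, f"default community {community.decode()!r}"))
        if pdu in REQUESTS and src not in managers:
            findings.append((src, f"{REQUESTS[pdu]} request from non-manager host"))
    return findings

def sample(community, pdu_tag, body=b"\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30\x00"):
    inner = b"\x02\x01\x00\x04" + bytes([len(community)]) + community + bytes([pdu_tag, len(body)]) + body
    return bytes([0x30, len(inner)]) + inner

SAMPLE = [  # constructed (source, payload) pairs, not real capture data
    ("10.0.0.5", sample(b"n0c-r3ad", 0xA0)),      # manager with a custom community
    ("10.0.0.77", sample(b"public", 0xA0)),       # workstation polling with a default
    ("10.0.0.77", sample(b"public", 0xA0)[:-4]),  # truncated message
]
```

Calling `review(SAMPLE, {"10.0.0.5"})` returns three findings, all for 10.0.0.77; payloads exported from a packet capture can be passed in the same (source, payload) form.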
For more information
For questions, concerns or more information, please contact the
Fluke Networks TAC at 1-800-638-3497 (North America),
+1-425-446-4519 (outside North America) or email us at:
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.