Vulnerability Note VU#107186
Multiple vulnerabilities in SNMPv1 trap handling
Multiple vendor SNMPv1 Trap handling implementations contain vulnerabilities that may allow unauthorized privileged access, denial-of-service conditions, or unstable behavior . If your site uses SNMP in any capacity, the CERT/CC encourages you to read the information provided below.
The Oulu University Secure Programming Group (OUSPG) has reported numerous vulnerabilities in multiple vendor SNMPv1 implementations. By applying the PROTOS c06-SNMPv1 test suite to a variety of popular SNMPv1-enabled products, the OUSPG revealed a number of vulnerabilities across a wide range of products. This vulnerability note focuses on vulnerabilities occurring in code responsible for SNMPv1 trap handling.
SNMPv1 supports five different types of messages: GetRequest, SetRequest, GetNextRequest, GetResponse, and Trap. A single SNMP message is referred to as a Protocol Data Unit (PDU). These messages are described using Abstract Syntax Notation One (ASN.1) and translated into binary format using Basic Encoding Rules (BER). SNMP trap messages are sent from agents to managers. Trap messages are unsolicited (the manager does not issue a request message) and may indicate a warning or error condition or otherwise notify the manager about the agent's state. SNMP managers should reliably decode trap messages and process the resulting application data. OUSPG performed two sets of tests of SNMP trap message handling: one test focused on ASN.1 decoding, the second looked for exceptions in the processing of the decoded data.
History has shown that the techniques used by the OUSPG have discovered a large number of previously undetected problems in the products and protocols they have tested. In 2001, the OUSPG produced a comprehensive test suite for evaluating implementations of the Lightweight Directory Access Protocol (LDAP). This test suite was developed with the strategy of stressing protocol implementations in unsupported and unexpected ways, and it was very effective in uncovering a wide variety of vulnerabilities across several products. This approach can reveal vulnerabilities that would not manifest themselves under normal operating conditions.
After completing its work on LDAP, OUSPG moved its focus to SNMPv1. As with LDAP, they designed a custom test suite, began testing a selection of products, and found a number of vulnerabilities. Because OUSPG's work on LDAP was similar in procedure to its current work on SNMP, you may wish to review the LDAP Test Suite and CERT Advisory CA-2001-18, which outlined results of application of the test suite.
In order to test the security of protocols like SNMPv1, the PROTOS project presents a server with a wide variety of sample packets containing unexpected values or illegally formatted data. As a member of the PROTOS project consortium, the OUSPG used the PROTOS c06-snmpv1 test suite to study several implementations of the SNMPv1 protocol. Results of the test suites run against SNMP indicate that there are many different vulnerabilities on many different implementations of SNMP.
The Simple Network Management Protocol (SNMP) is the most popular protocol in use to manage networked devices. SNMP was designed in the late 80's to facilitate the exchange of management information between networked devices, operating at the application layer of the ISO/OSI model. The SNMP protocol enables network and system administrators to remotely monitor and configure devices on the network (devices such as switches and routers). Software and firmware products designed for networks often make use of the SNMP protocol. SNMP runs on a multitude of devices and operating systems, including, but not limited to,
Core Network Devices (Routers, Switches, Hubs, Bridges, and Wireless Network Access Points)
Consumer Broadband Network Devices (Cable Modems and DSL Modems)
Consumer Electronic Devices (Cameras and Image Scanners)
Networked Office Equipment (Printers, Copiers, and FAX Machines)
Network and Systems Management/Diagnostic Frameworks (Network Sniffers and Network Analyzers)
Networked Medical Equipment (Imaging Units and Oscilloscopes)
Manufacturing and Processing Equipment
The SNMPv1 protocol is formally defined in RFC1157. Quoting from that RFC:
Additionally, SNMP is discussed in a number of other RFC documents:
RFC 3000 Internet Official Protocol Standards
RFC 1212 Concise MIB Definitions
RFC 1213 Management Information Base for Network Management of TCP/IP-based Internets: MIB-II
RFC 1215 A Convention for Defining Traps for use with the SNMP
RFC 1270 SNMP Communications Services
RFC 2570 Introduction to Version 3 of the Internet-standard Network Management Framework
RFC 2571 An Architecture for Describing SNMP Management Frameworks
RFC 2572 Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
RFC 2573 SNMP Applications
RFC 2574 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
RFC 2575 View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
RFC 2576 Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework
These vulnerabilities may cause denial-of-service conditions, service interruptions, and in some cases may allow an attacker to gain access to the affected device. Specific impacts will vary from product to product.
Note that many of the mitigation steps recommended below may have significant impact on your everyday network operations and/or network architecture. Care should therefore be taken to ensure that any changes made based on the following recommendations will not negatively impact your ongoing network operations capability.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|3Com||Affected||20 Sep 2001||20 Feb 2002|
|ADTRAN Inc.||Affected||10 Jan 2002||21 Feb 2002|
|AdventNet||Affected||08 Jan 2002||07 Nov 2007|
|American Power Conversion Corporation||Affected||10 Jan 2002||09 Apr 2002|
|Aprisma||Affected||09 Jan 2002||06 Mar 2002|
|Avaya||Affected||23 Jan 2002||07 Mar 2002|
|BEA Systems Inc.||Affected||09 Jan 2002||19 Jun 2002|
|BMC Software||Affected||-||11 Jun 2002|
|CacheFlow Inc.||Affected||09 Jan 2002||05 Feb 2002|
|Carrier Access||Affected||-||07 Mar 2002|
|Cisco Systems, Inc.||Affected||20 Sep 2001||13 Feb 2002|
|CNT||Affected||09 Jan 2002||08 Apr 2002|
|Compaq Computer Corporation||Affected||17 Oct 2001||10 Apr 2002|
|Computer Associates||Affected||11 Jan 2002||12 Feb 2002|
|COMTEK Services Inc||Affected||09 Jan 2002||22 Mar 2002|
CVSS Metrics (Learn More)
The CERT Coordination Center thanks the Oulu University Secure Programming Group for reporting these vulnerabilities to us, for providing detailed technical analyses, and for assisting us in preparing this advisory. We also thank the many vendors who provided feedback regarding their respective vulnerabilities.
This document was written by Ian A. Finlay.
- CVE IDs: CAN-2002-0012
- CERT Advisory: CA-2002-03
- Date Public: 12 Feb 2002
- Date First Published: 12 Feb 2002
- Date Last Updated: 07 Nov 2007
- Severity Metric: 69.25
- Document Revision: 48
If you have feedback, comments, or additional information about this vulnerability, please send us email.