Wind River Systems, Inc. Information for VU#854306
Multiple vulnerabilities in SNMPv1 request handling
Envoy SNMP Agent Source Code v9.0+:
After extensive testing against the PROTOS c06-snmpv1 test suite, we have
not been able to reproduce any of the SNMPv1 security problems VU#854306 and
VU#107186 in our current SNMP Source Code products: Envoy SNMP v9.0, v9.1,
v9.2, and v9.3 Beta. We ran the tests without seeing any impact on system
memory or any other unusual behavior. We encourage all customers to upgrade
to the current version of Envoy SNMP Source Code Agent.
WindNet SNMP Agent Binary Objects v2.0:
Testing against the PROTOS c06-snmpv1 test suite has revealed a
vulnerability in the current version of WindNet SNMP v2.0. The specific
impact is a memory leak caused by the exceptional element E-01. This
vulnerability can be demonstrated by test #1421 (among others) in the
req-enc test suite. A fix is currently available from Wind River support
and on WindSurf for customers with valid maintenance contracts. WindNet
SNMP Binary v2.0 customers under maintenance can also eliminate the
vulnerability by upgrading to Envoy SNMP Source v9.2. This vulnerability was previously
fixed as a "potential leak" in the Envoy v9.0 Agent Source Code release.
WindNet SNMP v2.0 is a binary distribution of Envoy v8.0, so it did not
include this fix. No current Envoy Source release (v9.0+) is effected by this
Note: As Wind River's Envoy SNMP is a source code product, customer's
modifying Envoy MAY introduce vulnerability to VU#854306 and VU#107186.
We are especially seeing problems with buffer overruns in customer community
string validation routines. Wind River recommends individual testing
against the test suite of any customer product incorporating a SNMP agent, particularly
MODIFIED Envoy SNMP source code.
Wind River customers under support and maintenance have received the current
product releases. Supported customers should Contact Wind River support at
email@example.com or call (800) 458-7767 with any test reports related
to VU#854306 and VU#107186, or for more information. Customers who need to
renew support or wish to upgrade to a supported version (Envoy v9.0+ and
WindNet SNMP v2.0) should contact their Wind River Account Manager, or
1-800-545-WIND (1-800-545-9463) if they do not have an Account Manager.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.