CNT Information for VU#854306
Multiple vulnerabilities in SNMPv1 request handling
On February 12, 2002, the CERT® Coordination Center of Carnegie-Mellon University issued an advisory identifying possible security vulnerabilities of multiple vendor products that utilize the Simple Network Management Protocol (SNMP) for management of those products. This advisory was based on research done by the University of Oulu in Finland. The complete advisory may be found on the CERT web site at: http://www.cert.org/advisories/CA-2002-03.html. If your site uses SNMP-based CNT products in any capacity, we encourage you to read this advisory.
The Simple Network Management Protocol (SNMP) is a widely deployed protocol that is commonly used to monitor and manage network devices. Version 1 of the protocol (SNMPv1) defines several types of SNMP messages that are used to request information or configuration changes, respond to requests, enumerate SNMP objects, and send unsolicited alerts. The Oulu University Secure Programming Group (OUSPG, http://www.ee.oulu.fi/research/ouspg/) has reported vulnerabilities in SNMPv1 implementations from many different vendors. OUSPG's research focused on the manner in which SNMPv1 agents and managers handle request and trap messages. By applying the PROTOS c06-snmpv1 test suite (http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html) to a variety of popular SNMPv1-enabled products, the OUSPG revealed the following vulnerabilities:
VU#107186 - Multiple vulnerabilities in SNMPv1 trap handling
SNMP trap messages are sent from agents to managers. A trap message may indicate a warning or error condition or otherwise notify the manager about the agent's state. SNMP managers must properly decode trap messages and process the resulting data. In testing, OUSPG found multiple vulnerabilities in the way many SNMP managers decode and process SNMP trap messages.
VU#854306 - Multiple vulnerabilities in SNMPv1 request handling
SNMP request messages are sent from managers to agents. Request messages might be issued to obtain information from an agent or to instruct the agent to configure the host device. SNMP agents must properly decode request messages and process the resulting data. In testing, OUSPG found multiple vulnerabilities in the way many SNMP agents decode and process SNMP request messages.
Vulnerabilities in the decoding and subsequent processing of SNMP messages by both managers and agents may result in denial-of-service conditions, format string vulnerabilities, and buffer overflows. Some vulnerabilities do not require the SNMP message to use the correct SNMP community string.
II. CNT® Products
CNT has a number of products affected by the SNMP vulnerabilities described above. Each CNT product with SNMP functionality is described below along with the specific vulnerability, or lack thereof, of that product and the recommended procedures to follow with that product.
III. CNT Product Upgrades
- UltraNet® Storage Director
The UltraNet Storage Director (USD) was tested with the PROTOS test suite. Two tests caused snmpd on the USD to abort and restart; the snmpd responded to requests specifying a community string beginning with a null; several minor ASN.1 / BER handling discrepancies related to invalid encodings were noted. Corrective code for the snmpd aborts and the community string handling issue has been developed and successfully tested. This code will be made available in the USD 2.7 software release, currently scheduled for availability in April 2002. The ASN.1 / BER invalid encoding handling issues will be addressed in a future release. CNT recommends upgrading to the USD 2.7 software release as soon as it is available.
- UltraNet Edge Storage Router
The UltraNet Edge Storage Router (Edge) was tested with the PROTOS test suite. Three tests caused the Edge to hang or abort, requiring a reboot. Corrective code for these errors has been developed and successfully tested. The Edge responded to requests specifying a bad SNMP version number; several minor ASN.1 / BER handling discrepancies related to invalid encodings were noted. The responded to bad SNMP version number and the ASN.1 / BER invalid encoding handling issues will be addressed in a future release. This code will be made available in the Edge software release 1.4.1, currently scheduled for release in April 2002. CNT recommends upgrading the Edge to release 1.4.1 as soon as it is available.
The Channelink product was tested with the PROTOS test suite. All tests ran successfully. No failures occurred. No corrective action is required with the Channelink product.
The WebView SNMP-based element manager was tested with the PROTOS test suite. WebView is not affected by the recent SNMP vulnerabilities found by CERT. No corrective action is required with the WebView product.
- UltraNet CMF
The CastleRock software upon which CNT's UltraNet CMF SNMP-based management software is based was tested with the PROTOS test suite. CastleRock has reported two test failures. Corrective code for these errors has been developed and is now being tested within UltraNet CMF. This code will be made available in the CMF release 6.4, currently scheduled for release in early May 2002. CNT recommends upgrading CMF to release 6.4 as soon as it is available.
CNT will continue to test new releases of its products against the PROTOS test suite to ensure that additional vulnerabilities are not introduced as a result of any new releases.
To determine whether a new CNT product release is available and how to upgrade to that release when available, contact CNT Technical Support (800-752-8061 or 763-268-6600) or contact your company's CNT Technical Account Engineer (TAE).
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.