Sonus Networks Information for VU#107186
Multiple vulnerabilities in SNMPv1 trap handling

Since the release of CERT Advisory CA-2002-03, Sonus Networks has
reviewed its product offering and determined a potential issue may exist within
its management offering.

The Sonus PSX6000, SGX2000, and Insight products utilize SNMP Research
software in the SONScia package that has been identified by its vendor
as possibly vulnerable to the exploit. Sonus product versions 3.2.x,
3.3.x, and 3.4.x all have the affected SONScia package. The issue has been
resolved in the upcoming 4.0 versions of the PSX6000, SGX2000, and
Insight products and concerned customers are advised to upgrade as the software

Sonus PSX6000, SGX2000, and Insight products run on top of Sun
Microsystems's Solaris operating environment (versions 2.6 and 2.8).
Sun Microsystems has identified these operating environments as vulnerable
to the exploit IF they are started or used. Given that Sonus Networks
software neither starts nor uses the process in question, snmpdx, Sonus products
are not vulnerable to the exploit through this Solaris process.

The Sonus GSX9000 does not use the same third-party software as other
products from Sonus Networks and at this time we have not found any problems
relating to its SNMP operation. Negative testing is a routine portion of
GSX9000 SQA and to date has not shown any undesired results. We have recently
tested the GSX9000 with OUSPG's PROTOS c06-snmpv1 test suite and those tests

The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.