Sniffer Technologies Information for VU#107186
Multiple vulnerabilities in SNMPv1 trap handling
SNMP Request and Trap Handling Security Advisory
Release Date: 03/01/02
Sniffer Technologies has prepared this advisory regarding SNMP in
Sniffer Technologies products. This advisory contains specific
instructions on how to disable these services where security may be an
An update regarding this issue will be sent to all Sniffer Technologies
customers on Wednesday, March 13, 2002. The Sniffer Technologies team
is working diligently to fully resolve this issue. If you have further
questions in the interim, please contact technical support.
What is the SNMP security risk?
On February 12, 2002, the CERT Coordination Center issued a warning that
a broad array of network equipment used on the Internet -- including
switches, routers, hubs, printers and operating systems -- may be
vulnerable to an SNMP-related attack that could cause equipment to fail
or allow an attacker to take control of it. Though not mentioned on
their list of vendors, our Sniffer Distributed product is another such
device that may have this inherent SNMP vulnerability because of its
There are two areas in our product that can be affected by this security
1. The RMON/SNMP features of our Sniffer Distributed Appliance
2. The Trap Capture application at our SniffView Console
In both cases, these SNMP commands can be disabled on our product if not
Can I avoid using these features in the Sniffer Distributed Product
without affecting the capabilities of the Sniffer Product?
Yes, you can disable the SNMP/RMON capabilities of the product and
utilize our proprietary method of logging network statistics and Expert
Symptom and Diagnosis to disk for reporting with Reporter and/or Sniffer
Watch. This method does not utilize SNMP and therefore is not
susceptible to the SNMP vulnerability. You will still have the same
statistics and reports that are available using the SNMP/RMON features
of the product, with the addition of the Expert Symptoms and Diagnosis
which are unique to our method of logging and reporting.
How do I turn off these SNMP capabilities in the product?
Turning off SNMP at the Sniffer Distributed Appliance:
By default, the SNMP and RMON features of the Sniffer Distributed
Appliance are enabled. To turn off these features, follow the
1. Either start Probe Viewer at the Sniffer Distributed Appliance, or
"Configure" an Agent from your SniffView Console.
2. Select the SNMP tab.
3. Disable SNMP Trap.
4. Disable SNMP/RMON.
5. Restart the Sniffer Distributed Appliance for changes to take effect.
Turning off the SNMP Trap Capture at the SniffView Console:
By default, when you install the SniffView Console a program called Trap
Capture automatically gets installed and runs in the background. This
program can accept SNMP Traps from Sniffer Distributed Appliances as
well as other SNMP devices. Follow the procedures below to turn it off:
1. Start the SniffView Alarm Manager.
2. Select Toggle Trap capture. The Trap capture program will be
disabled. However, if you reboot the PC that the SniffView Console is
running on, it will turn itself back on. Therefore you must remember to disable
Will these features be disabled in the future?
Yes, the SNMP/RMON features of the product will be disabled by default
starting with the Sniffer Distributed v4.1 (with Support for Web
What if I require these features?
If you require these features then there are a few steps that you can
take to protect yourself from this security concern.
1. Under the SNMP Tab (see above) Change Community name from "public" to
2. Using routers and/or firewalls, control SNMP access to the Sniffer
Distributed Appliances or SniffView Console to ensure the traffic
originates from known management systems and addresses.
3. Filter SNMP services at your network perimeter (ingress/egress
4. Segregate network management traffic onto a separate network (i.e. a
VPN).
Refer to CERT advisory CA-2002-03
(http://www.cert.org/advisories/CA-2002-03.html) for more details and
the most recent information regarding recommended solutions.
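The sketch below is an added example, not code from Sniffer Technologies or CERT. It shows how steps 1 and 2 can be checked on received SNMPv1 datagrams: each one is decoded with strict length checks, then flagged if it comes from outside the management addresses or carries the "public" community. The function names, the 192.0.2.0/28 management subnet and the "mgmt-example" community used with it are assumptions made for illustration.

```python
import ipaddress

PDU_TAGS = range(0xA0, 0xA5)   # get, get-next, response, set, trap (RFC 1157)

def read_tlv(buf, pos):
    """Read one BER tag-length-value at pos, refusing lengths that overrun buf."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):   # UDP payloads fit in 2 bytes
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length exceeds datagram")
    return tag, buf[pos:pos + length], pos + length

def parse_header(datagram):
    """Return (community, pdu_tag) of an SNMPv1 message or raise ValueError."""
    tag, body, end = read_tlv(datagram, 0)
    if tag != 0x30 or end != len(datagram):
        raise ValueError("not a single SEQUENCE")
    vtag, version, pos = read_tlv(body, 0)
    ctag, community, pos = read_tlv(body, pos)
    pdu_tag, _, _ = read_tlv(body, pos)
    if (vtag, version, ctag) != (0x02, b"\x00", 0x04) or pdu_tag not in PDU_TAGS:
        raise ValueError("not an SNMPv1 message")
    return community.decode("latin-1"), pdu_tag

def audit(src_ip, datagram, managers, expected_community):
    """List findings for one datagram; managers is a list of CIDR strings (assumed)."""
    known = any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(m) for m in managers)
    findings = [] if known else ["source is not a known management system"]
    try:
        community, _ = parse_header(datagram)
    except ValueError as err:
        return findings + [f"malformed SNMP: {err}"]
    if community == "public":
        findings.append("default community 'public' in use")
    elif community != expected_community:
        findings.append("unexpected community name")
    return findings

def sample(community, pdu_tag=0xA4):     # constructed message: header + empty PDU
    inner = b"\x02\x01\x00\x04" + bytes([len(community)]) + community.encode() + bytes([pdu_tag, 0])
    return bytes([0x30, len(inner)]) + inner
```

An empty list from audit() means the datagram passed all three checks; the sample() helper only builds constructed test input.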
How will this security concern affect my network?
This issue has the potential to create a denial of service attack. An
attacker sending bogus SNMP requests and traps could flood the Sniffer
Distributed Appliance and/or SniffView console running the Trap Capture
application. This might cause the system to hang and may require a
An attacker should not be able to configure or take control of either
the Sniffer Distributed Appliance or the SniffView Console.
Has anyone reported an exploitation of this vulnerability on a Sniffer
Have we notified CERT of our concern?
Where can I find out more information regarding this security concern?
For more information regarding this vulnerability please refer to the
following URLs on CERT's web site:
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.