Fluke Corporation Information for VU#107186

Multiple vulnerabilities in SNMPv1 trap handling



Vendor Statement

      Fluke Networks' response to CERT Advisory 2002-03

                 The CERTŪ Coordination Center recently announced that numerous
                 vulnerabilities have been reported in multiple vendors' SNMP
                 implementations. For your information, Fluke Networks has created
                 the following Q&A which includes a tutorial, Using Fluke Networks
                 products to manage SNMP risk on your network.


                 What is the actual risk?

                 The impact of the vulnerability is different for each vendor and
                 their own products. For SNMP agents and Trap listeners running on
                 network operating systems, some attacks could bypass system security
                 controls. Overall, most attacks resulted in a “denial-of-service” in
                 which the entire product or portions of the product stopped working

                 Which Fluke Networks products are affected?

                 Fluke Networks has tested its products that listen for SNMP Traps or
                 contain an internal SNMP agent. It has been discovered that some
                 circumstances exist that could potentially cause a
                 “denial-of-service” condition for a Fluke Networks product, forcing
                 the product to “hang” or reboot. However, this situation would only
                 affect Fluke Networks products and would not compromise our
                 customers’ networks.

                 Fluke Networks products that could be affected include the OptiView™
                 Integrated Network Analyzer, the OptiView™ Workgroup Analyzer and
                 the OptiView™ Link Analyzer.

                 As of this writing, there have been no known "denial-of-service"
                 incidents reported with Fluke Networks products. To reiterate,
                 should such an event occur involving a Fluke Networks product, this
                 would not affect the operation of customers' networks or any of
                 their network infrastructures. Nor would there be any risk of anyone
                 externally gaining access to customer data.

                 Future action

                 At this time, we plan to resolve all known vulnerabilities in the
                 next scheduled software update for the affected products. Customers
                 who participate in the Gold Priority Support program will be
                 eligible to receive these updates as part of their membership.
                 Customers who do not participate in this program should contact our
                 Technical Assistance Center (TAC) at 1-800-638-3497 (North America)
                 or +1-425-446-4519 (Outside North America).


                 We recommend the following "best practices" to reduce the potential
                 risk of SNMP related attacks:   
                 1.   Ensure that yourexternal firewalls deny all incoming SNMP traffic.
                 2.   Change the default community strings for all SNMP devices. Audit
                      your network for devices using the community strings of "public"
                      and "private" as well as for those other community strings that
                      are set by default by equipment manufacturers.
                 3.   Analyze SNMP traffic for patterns of attack.

                 Tutorial: Using Fluke Networks products to manage this risk on your

                 1. Identify SNMP agents on the network
                 The OptiView Integrated Network Analyzer and OptiView Workgroup
                 Analyzer have the capability of discovering all devices within a
                 broadcast domain that are SNMP enabled.

                 On the Setup/Security screen, configure all known and old community
                 strings making sure you include strings such as "public", "private"
                 and "security".

                 Re-run the tests by selecting the "Rerun Test" tab.

                 Select the "Discovery" tab and then select the SNMP Agents category
                 in the left hand pane. The resulting display shows all SNMP agents
                 discovered by the test.

                 2. Test your firewall for filtering SNMP traffic
                 From a LAN segment outside your firewall, use the OptiView
                 Integrated Network Analyzer to query known SNMP agents on the
                 protected side of your network. After the "Network-Under-Test"
                 interface has a proper IP configuration, enter the IP address of a
                 known SNMP agent on the Tools screen.

                 Note: Using Fluke Networks’ Protocol Expert™ on the protected side
                 of your firewall, allows you to see if the firewall is denying any
                 and all SNMP traffic from flowing through the firewall as well as
                 preventing SNMP responses from leaving your network.

                 Using two OptiView Analyzers, one on either side of the firewall,
                 can be used to easily check this condition. Use the Packet Capture
                 and Statistics feature to ensure that no SNMP traffic is flowing in
                 from outside of the firewall.

                 3. Analyze network patterns for SNMP attacks
                 Using the OptiView Integrated Network Analyzer, the OptiView
                 Workgroup Analyzer or the OptiView Link Analyzer, a combination of
                 packet capture and protocol statistics can be used to gather
                 evidence of an SNMP attack.

                 Select the "Top Hosts" tab to look for nodes that should not be
                 sending SNMP queries. Select the "Top Conversations" to check for
                 unusual Conversation Pairs within the SNMP traffic.

                    Fluke Networks' Copper and Fiber taps can be used to access
                 switch-to-switch links and the Switch-TAP™ capability of the
                 OptiView™ Inspector Console can be used to program the mirror ports
                 of a variety of switches.

                 For more information

                 For questions, concerns or more information, please contact the
                 Fluke Networks TAC at 1-800-638-3497 (North America),
                 +1-425-446-4519 (outside North America) or email us at:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.