Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: ca200203.txt

Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)




CERTŪ Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol
(SNMP)

Original release date: February 12, 2002
Last revised: Wed Feb 20 13:10:51 EST 2002
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

Products from a very wide variety of vendors may be affected. See Vendor Information for details from vendors who have
provided feedback for this advisory.

In addition to the vendors who provided feedback for this advisory, a list of vendors whom CERT/CC contacted regarding
these problems is available from

     http://www.kb.cert.org/vuls/id/854306
     http://www.kb.cert.org/vuls/id/107186

Many other systems making use of SNMP may also be vulnerable but were not specifically tested.

Overview

Numerous vulnerabilities have been reported in multiple vendors' SNMP implementations. These vulnerabilities may allow
unauthorized privileged access, denial-of-service attacks, or cause unstable behavior. If your site uses SNMP in any
capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section
below.

In addition to this advisory, we also have a FAQ available at

     http://www.cert.org/tech_tips/snmp_faq.html

I. Description

The Simple Network Management Protocol (SNMP) is a widely deployed protocol that is commonly used to monitor and
manage network devices. Version 1 of the protocol (SNMPv1) defines several types of SNMP messages that are used to
request information or configuration changes, respond to requests, enumerate SNMP objects, and send unsolicited

alerts. The Oulu University Secure Programming Group (OUSPG, http://www.ee.oulu.fi/research/ouspg/) has reported
numerous vulnerabilities in SNMPv1 implementations from many different vendors. More information about SNMP and OUSPG
can be found in Appendix C

OUSPG's research focused on the manner in which SNMPv1 agents and managers handle request and trap messages. By
applying the PROTOS c06-snmpv1 test suite (http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html)
to a variety of popular SNMPv1-enabled products, the OUSPG revealed the following vulnerabilities:

VU#107186 - Multiple vulnerabilities in SNMPv1 trap handling

     SNMP trap messages are sent from agents to managers. A trap message may indicate a warning or error
     condition or otherwise notify the manager about the agent's state. SNMP managers must properly decode trap
     messages and process the resulting data. In testing, OUSPG found multiple vulnerabilities in the way many
     SNMP managers decode and process SNMP trap messages.

VU#854306 - Multiple vulnerabilities in SNMPv1 request handling

     SNMP request messages are sent from managers to agents. Request messages might be issued to obtain
     information from an agent or to instruct the agent to configure the host device. SNMP agents must properly
     decode request messages and process the resulting data. In testing, OUSPG found multiple vulnerabilities in
     the way many SNMP agents decode and process SNMP request messages.

Vulnerabilities in the decoding and subsequent processing of SNMP messages by both managers and agents may result in
denial-of-service conditions, format string vulnerabilities, and buffer overflows. Some vulnerabilities do not require
the SNMP message to use the correct SNMP community string.

These vulnerabilities have been assigned the CVE identifiers CAN-2002-0012 and CAN-2002-0013, respectively.

II. Impact

These vulnerabilities may cause denial-of-service conditions, service interruptions, and in some cases may allow an
attacker to gain access to the affected device. Specific impacts will vary from product to product.

III. Solution

Note that many of the mitigation steps recommended below may have significant impact on your everyday network
operations and/or network architecture. Ensure that any changes made based on the following recommendations will not
unacceptably affect your ongoing network operations capability.

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. Please consult this appendix to determine if
you need to contact your vendor directly.

Disable the SNMP service

As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required,
including SNMP. Unfortunately, some of the affected products exhibited unexpected behavior or denial of service
conditions when exposed to the OUSPG test suite even if SNMP was not enabled. In these cases, disabling SNMP should be
used in conjunction with the filtering practices listed below to provide additional protection.

Ingress filtering

As a temporary measure, it may be possible to limit the scope of these vulnerabilities by blocking access to SNMP
services at the network perimeter.

Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are
typically the only machines that need to accept inbound traffic from the public Internet. In the network usage policy
of many sites, there are few reasons for external hosts to initiate inbound traffic to machines that provide no public
services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic
to non-authorized services. For SNMP, ingress filtering of the following ports can prevent attackers outside of your
network from impacting vulnerable devices in the local network that are not explicitly authorized to provide public
SNMP services.

snmp     161/udp     # Simple Network Management Protocol (SNMP)
snmp     162/udp     # SNMP system management messages

The following services are less common, but may be used on some affected products

snmp               161/tcp     # Simple Network Management Protocol (SNMP)
snmp               162/tcp     # SNMP system management messages
smux               199/tcp     # SNMP Unix Multiplexer
smux               199/udp     # SNMP Unix Multiplexer
synoptics-relay    391/tcp     # SynOptics SNMP Relay Port
synoptics-relay    391/udp     # SynOptics SNMP Relay Port
agentx             705/tcp     # AgentX
snmp-tcp-port     1993/tcp     # cisco SNMP TCP port
snmp-tcp-port     1993/udp     # cisco SNMP TCP port

As noted above, you should carefully consider the impact of blocking services that you may be using.

It is important to note that in many SNMP implementations, the SNMP daemon may bind to all IP interfaces on the
device. This has important consequences when considering appropriate packet filtering measures required to protect an
SNMP-enabled device. For example, even if a device disallows SNMP packets directed to the IP addresses of its normal
network interfaces, it may still be possible to exploit these vulnerabilities on that device through the use of
packets directed at the following IP addresses:

   * "all-ones" broadcast address
   * subnet broadcast address
   * any internal loopback addresses (commonly used in routers for management purposes, not to be confused with the IP
     stack loopback address 127.0.0.1)

Careful consideration should be given to addresses of the types mentioned above by sites planning for packet filtering
as part of their mitigation strategy for these vulnerabilities.

Finally, sites may wish to block access to the following RPC services related to SNMP (listed as name, program ID,
alternate names)

snmp               100122  na.snmp snmp-cmc snmp-synoptics snmp-unisys snmp-utk
snmpv2             100138  na.snmpv2     # SNM Version 2.2.2
snmpXdmid          100249

Please note that this workaround may not protect vulnerable devices from internal attacks.

Filter SNMP traffic from non-authorized internal hosts

In many networks, only a limited number of network management systems need to originate SNMP request messages.
Therefore, it may be possible to configure the SNMP agent systems (or the network devices in between the management
and agent systems) to disallow request messages from non-authorized systems. This can reduce, but not wholly
eliminate, the risk from internal attacks. However, it may have detrimental effects on network performance due to the
increased load imposed by the filtering, so careful consideration is required before implementation. Similar caveats
to the previous workaround regarding broadcast and loopback addresses apply.

Change default community strings

Most SNMP-enabled products ship with default community strings of "public" for read-only access and "private" for
read-write access. As with any known default access control mechanism, the CERT/CC recommends that network
administrators change these community strings to something of their own choosing. However, even when community strings
are changed from their defaults, they will still be passed in plaintext and are therefore subject to packet sniffing
attacks. SNMPv3 offers additional capabilities to ensure authentication and privacy as described in RFC2574.

Because many of the vulnerabilities identified in this advisory occur before the community strings are evaluated, it
is important to note that performing this step alone is not sufficient to mitigate the impact of these
vulnerabilities. Nonetheless, it should be performed as part of good security practice.

Segregate SNMP traffic onto a separate management network

In situations where blocking or disabling SNMP is not possible, exposure to these vulnerabilities may be limited by
restricting all SNMP access to separate, isolated management networks that are not publicly accessible. Although this
would ideally involve physically separate networks, that kind of separation is probably not feasible in most
environments. Mechanisms such as virtual LANs (VLANs) may be used to help segregate traffic on the same physical
network. Note that VLANs may not strictly prevent an attacker from exploiting these vulnerabilities, but they may make
it more difficult to initiate the attacks.

Another option is for sites to restrict SNMP traffic to separate virtual private networks (VPNs), which employ
cryptographically strong authentication.

Note that these solutions may require extensive changes to a site's network architecture.

Egress filtering

Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is
typically limited need for machines providing public services to initiate outbound traffic to the Internet. In the
case of SNMP vulnerabilities, employing egress filtering on the ports listed above at your network border can prevent
your network from being used as a source for attacks on other sites.

Disable stack execution

Disabling executable stacks (on systems where this is configurable) can reduce the risk of "stack smashing" attacks
based on these vulnerabilities. Although this does not provide 100 percent protection against exploitation of these
vulnerabilities, it makes the likelihood of a successful exploit much smaller. On many UNIX systems, executable stacks
can be disabled by adding the following lines to /etc/system:

     set noexec_user_stack = 1
     set noexec_user_stack_log = 1

Note that this may go against the SPARC and Intel ABIs and can be bypassed as required in programs with mprotect(2).
For the changes to take effect you will then need to reboot.

Other operating systems and architectures also support the disabling of executable stacks either through native
configuration parameters or via third-party software. Consult your vendor(s) for additional information.

Share tools and techniques

Because dealing with these vulnerabilities to systems and networks is so complex, the CERT/CC will provide a forum
where administrators can share ideas and techniques that can be used to develop proper defenses. We have created an
unmoderated mailing list for system and network administrators to discuss helpful techniques and tools.

You can subscribe to the mailing list by sending an email message to majordomo@cert.org. In the body of the message,
type

     subscribe snmp-forum

After you receive the confirmation message, follow the instructions in the message to complete the subscription
process.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the
CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not
listed below, we have not received their comments.

AdventNet

     This is in reference to your notification regarding [VU#107186 and VU#854306] and OUSPG#0100. AdventNet Inc.
     has reproduced this behavior in their products and coded a Service Pack fix which is currently in regression
     testing in AdventNet Inc.'s Q.A. organization. The release of AdventNet Inc's. Service Pack correcting the
     behavior outlined in [... OUSPG#0100] is scheduled to be generally available to all of AdventNet Inc.'s
     customers by February 20, 2002.

Alcatel

     The security of our customers' networks is of highest priority for Alcatel.
     Alcatel is aware of this industry-wide SNMP security issue and has
     put measures in place to assess which of its products might be
     affected. Within this activity, Alcatel is closely working with its
     customers and CERT to address and fix potential security problems as
     identified by CERT.

Aprisma

     Aprisma is currently performing tests on the SPECTRUM
     product suite to reveal any applicable issues.  Our findings
     to date regarding the recent CERT advisory are as follows:

     CERT Advisory CA-2002-03
     VU#854306 - Multiple Vulnerabilities in SNMPv1 Request Handling –
     This advisory is not applicable to SPECTRUM as it is a management
     system and not an agent.  As a management system, SPECTRUM
     does not accept SNMP requests rather; SPECTRUM sends SNMP
     requests and processes subsequent SNMP responses.

     CERT Advisory CA-2002-03
     VU#107186 - Multiple Vulnerabilities in SNMPv1 Trap Handling –
     Although relevant to SPECTRUM, Aprisma’s preliminary testing has
     revealed no issues.  We are currently conducting more in-depth tests
     and will shortly convey our results.

     Upon completion of the testing process Aprisma will post
     additional information to this site.

Avaya

     Avaya Inc. acknowledges the potential of SNMP vulnerabilities and is currently investigating whether these
     vulnerabilities impact Avaya's products or solutions. No further information is available at this time.

BMC Software

     BMC Software has reviewed the information about SNMP vulnerabilities and is
     fully investigating these issues across our products.  While we have seen no
     evidence of exploitable problems at this time, we are continuing to
     investigate and will issue a bulletin regarding this advisory once we have
     completed a thorough investigation.

CacheFlow

     The purpose of this email is to advise you that CacheFlow Inc. has provided a software update. Please be
     advised that updated versions of the software are now available for all supported CacheFlow hardware
     platforms, and may be obtained by CacheFlow customers at the following URL:

          http://download.cacheflow.com/

     The specific reference to the software update is contained within the Release Notes for CacheOS Versions
     3.1.22 Release ID 17146, 4.0.15 Release ID 17148, 4.1.02 Release ID 17144 and 4.0.15 Release ID 17149.

     RELEASE NOTES FOR CACHEFLOW SERVER ACCELERATOR PRODUCTS:

        * http://download.cacheflow.com/release/SA/4.0.15/relnotes.htm

     RELEASE NOTES FOR CACHEFLOW CONTENT ACCELERATOR PRODUCTS:

        * http://download.cacheflow.com/release/CA/3.1.22/relnotes.htm
        * http://download.cacheflow.com/release/CA/4.0.15/relnotes.htm
        * http://download.cacheflow.com/release/CA/4.1.02/relnotes.htm

     * SR 1-1647517, VI 13045: This update modified a potential vulnerability by using an SNMP test tools
     exploit.

3Com Corporation

     A vulnerability to an SNMP packet with an invalid length community string has been resolved in the following
     products. Customers concerned about this weakness should ensure that they upgrade to the following agent
     versions:

     PS Hub 40
     2.16 is due Feb 2002

     PS Hub 50
     2.16 is due Feb 2002

     Dual Speed Hub
     2.16 is due Jan 2002

     Switch 1100/3300
     2.68 is available now

     Switch 4400
     2.02 is available now

     Switch 4900
     2.04 is available now

     WebCache1000/3000
     2.00 is due Jan 2002

     For updated information on CommWorks Corporation, a 3Com company,
     visit http://www.commworks.com/Press/Archive/2002/February/CERT_Advisory.asp

     In addition, CommWorks' customers should monitor http://totalservice.commworks.com/cert_update.cfm
     for updated information addressing the CERT advisory, as well as information on available patches for
     CommWorks' products.

Caldera

     Caldera International, Inc. has reproduced faulty behavior in Caldera SCO OpenServer 5, Caldera UnixWare 7,
     and Caldera Open UNIX 8. We have coded a software fix for supported versions of Caldera UnixWare 7 and
     Caldera Open UNIX 8 that will be available from our support site at
     http://stage.caldera.com/support/security immediately following the publication of this CERT announcement. A
     fix for supported versions of OpenServer 5 will be available at a later date.

Check Point Software Technologies Inc.

     Check Point Statement on SNMP Vulnerability Test Suite (CERT Advisory CA-2002-03)

     Recently, an automated suite was released which tests products for known SNMP vulnerabilities.

     Check Point knows of no SNMP-related security issues in any of its products, and is conducting an extensive
     review to ensure that none exist.  SNMP communication is not required for correct functionality of any Check
     Point products.

     FireWall-1, by default, blocks all SNMP communication to, from, or across a FireWall-1 gateway.  The SNMP
     service is disabled by default, and SNMP communication is enabled only if the administrator writes a
     specific rule which allows the communication.

     If SNMP monitoring of Check Point firewalls or internal networks is needed, Check Point recommends that the
     FireWall-1 rule base tightly restrict SNMP communication.

Cisco Systems

     Cisco Systems is addressing the vulnerabilities identified by VU#854306 and VU#107186 across its entire
     product line. Cisco has released an advisory:

          http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml

Compaq Computer Corporation

     -----BEGIN PGP SIGNED MESSAGE-----
     Hash: SHA1

     TITLE: (SSRT0799) Potential Security Vulnerabilities in SNMP
     Posted at http://ftp.support.compaq.com/patches/.new/security.shtml

     NOTICE: There are no restrictions for distribution of this
     Bulletin provided that it remains complete and intact.

     RELEASE DATE:   18 FEBRUARY, 2002

     SEVERITY: MEDIUM

     SOURCE:  Compaq Computer Corporation
             Compaq Global Services
             Software Security Response Team

     CROSS REFERENCE:   (SSRT0799, CAN-2002-0012,
                        CAN-2002-0013, CERT CA-2002-03)

     PROBLEM SUMMARY:

     The Computer Emergency Response Team (CERT/cc) has recently issued an
     advisory regarding numerous potential vulnerabilities in SNMPv1
     implementations. These potential vulnerabilities are applicable to
     SNMPv1 trap handling and SNMPv1 Request handling. The CERT article
     outlines vulnerabilities that can cause SNMP services to stop
     functioning and in some cases may enable "unauthorized access,"
     "denial of service attacks" or may cause system instability.

     IMPACT:
     Compaq NonStop Himalaya Servers:
     Compaq TCP/IP Services for OpenVMS:
     Compaq Tru64 UNIX:
     Compaq Insight Management Suite:
     Compaq Deskpro, Professional Workstation, Armada, Evo:
     Compaq SANworks:

     Compaq's findings to date regarding the SNMPv1 issues are as
     follows:

     ________________________________
     Compaq NonStop Himalaya Servers:
     The Compaq Himalaya NonStop Kernel prohibits execution of code on the
     stack or heap by hardware TLB permissions (read/write only),
     preventing Trojan horse attacks by embedding code within the buffer
     overflow area. However, process ABENDs can occur.

     The SNMP agent ABENDs in the c06-snmpv1 buffer-overflow tests.
     This affects forwarding trap messages and/or sending info responses
     to SNMP managers.

     Sub-agents use IPCs to communicate with the SNMP agent, so they
     cannot be directly attacked.  More importantly, sub-agents are
     confined to information only requests, so they cannot be used to
     configure/manage their sub-systems. Our investigation an analysis is
     continuing and further updates will be provided.

     RESOLUTION:
     IPMs to address the ABEND problem of the SNMP are in development
     and will be released as soon as verification is complete. Updates
     to include availability of these IPMs will be included in future
     updates.

     __________________________________
     Compaq TCP/IP Services for OpenVMS:
     There is some impact to the SNMP agent provided with Compaq TCP/IP
     Services for OpenVMS. This problem can cause the SNMP agent to ACCVIO
     and terminate temporarily denying service to SNMP, but in most cases
     after this occurs Compaq TCP/IP Services for OpenVMS will restart
     the SNMP agent in response to the next SNMP request. There are no
     known risks of compromising system security due to this problem.
     The SNMP agent executes from a non-privileged process, which
     prevents any compromise to system security.

     RESOLUTION:
     Our investigation and analysis has determined the cause of the
     problem. The updated images for Compaq TCP/IP Services for OpenVMS
     are now in final test. Compaq will provide updates to Compaq TCP/IP
     Services for OpenVMS in the next ECO and also in the next release,
     Compaq TCP/IP Services for OpenVMS V5.3. Contact Compaq's Customer
     Support Center if an earlier updated is required.

     __________________
     Compaq Tru64 UNIX:
     There is some impact to the SNMP agent provided with Tru64 UNIX. This
     problem can cause the SNMP agent to suffer a segmentation fault,
     generate a core file and exit, denying SNMP service to SNMP-based
     network management applications.  There are no known risks of
     compromising system security due to this problem.  We do not believe
     this can cause the system to be unstable, vulnerable to 'unauthorized
     access" nor be the cause of any other denial of service (except of
     course to the SNMP service).

     RESOLUTION:
     Until a fix is implemented, users will have to manually restart
     snmpd. Our investigation and analysis has determined the cause of the
     problem. The updated images are now in final test.  When completed,
     Compaq will provide patches to all impacted versions of Tru64 UNIX
     4.0f, 4.0g, 5.0a, 5.1, 5.1a.

     ________________________________
     Compaq Insight Management Suite:
     (ProLiants running industry standard operating systems including
     Windows 2000, NetWare, Linux, etc)

     The Compaq Insight Management Suite utilizes SNMP as a primary
     communications method.  Fixes to the operating systems affected will
     be provided by the vendors involved.  Check
     http://www.compaq.com/manage/security the most up-to-date
     information.

     _______________________________________________
     Deskpro, Professional Workstation, Armada, Evo:
     The Deskpro, Professional Workstation, Armada, Evo(Microsoft
     operating
     systems including Windows XP, Windows 2000, Windows 98, and Windows
     95) Compaq Management Agents for Clients utilizes SNMP as an optional
     communications method. Fixes to the operating systems affected will
     be provided by Microsoft.  Check
     www.microsoft.com/technet/security/bulletin/MS02-006.asp for the most
     up-to-date information.

     _____________________________________
     Compaq SANworks Management Appliance:
     The SANworks management appliance is essentially a Compaq server and
     our recommended configuration does not have it connected directly to
     the internet.  Therefore, it is less exposed than other servers to
     external SNMP security attacks.  However, the appliance is
     susceptible to SNMP security attacks from inside the firewall that
     could result in the graceful termination of some storage management
     applications on the appliance.

     Compaq will provide a patch to the appliance as soon as possible.
     ____________________________________________________________________

     NOTE:

     Many systems operate behind firewalls and would normally
     implement SNMP blocking for SNMP as standard procedure. Based on SNMP
     blocking and ingress/egress filtering, the potential Security
     vulnerability may only be exploited by users who have access to your
     local security domain, therefore the risk is diminished.

     SUPPORT:

     This advisory bulletin will be updated for the various
     products requiring patches and individual patch notifications
     will be done through standard "patch notification" procedures
     for those products. For further information, contact your normal
     Compaq Support channel.

     SUBSCRIBE:

     To subscribe to automatically receive future Security
     Advisories from the Compaq's Software Security Response Team via
     electronic mail:

     http://www.support.compaq.com/patches/mailing-list.shtml

     REPORT:

     To report a potential security vulnerability with any Compaq
     supported product, send email to: security-ssrt@compaq.com

     Compaq appreciates your cooperation and patience. As always,
     Compaq urges you to periodically review your system management
     and security procedures. Compaq will continue to review and
     enhance the security features of its products and work with
     our customers to maintain and improve the security and integrity
     of their systems.

     "Compaq is broadly distributing this Security Bulletin in order to
     bring to the attention of users of the affected Compaq products the
     important security information contained in this Bulletin.
     Compaq recommends that all users determine the applicability of
     this information to their individual situations and take appropriate
     action.  Compaq does not warrant that this information is necessarily
     accurate or complete for all user situations and, consequently,
     Compaq will not be responsible for any damages resulting from
     user's use or disregard of the information provided in this
     Bulletin."

     Copyright 2002 Compaq Information Technologies Group, L.P.
     Compaq shall not be liable for technical or editorial errors
     or omissions contained herein. The information in this document
     is subject to change without notice. Compaq and the names of
     Compaq products referenced herein are, either, trademarks
     and/or service marks or registered trademarks and/or service
     marks of Compaq Information Technologies Group, L.P. Other product
     and company names mentioned herein may be trademarks and/or service
     marks of their respective owners.

     -----BEGIN PGP SIGNATURE-----
     Version: PGP 7.0.1

     iQA/AwUBPHJVdjnTu2ckvbFuEQJSzACgkeJmchHLSlYMdH19gwc6cySgzUoAnjol
     vfjGzJqaiVrX0OgMgv21LoGd
     =/srv
     -----END PGP SIGNATURE-----

Computer Associates

     Computer Associates has confirmed Unicenter vulnerability to the SNMP advisory identified by CERT
     notification reference [VU#107186 & VU#854306] and OUSPG#0100. We have produced corrective maintenance to
     address these vulnerabilities, which is in the process of publication for all applicable releases /
     platforms and will be offered through the CA Support site. Please contact our Technical Support organization
     for information regarding availability / applicability for your specific configuration(s).

COMTEK Services, Inc.

     NMServer for AS/400 is not an SNMP master and is therefore not vulnerable. However this product requires the
     use of the AS/400 SNMP master agent supplied by IBM. Please refer to IBM for statements of vulnerabilities
     for the AS/400 SNMP master agent.

     NMServer for OpenVMS has been tested and has shown to be vulnerable. COMTEK Services is preparing a new
     release of this product (version 3.5) which will contain a fix for this problem. This new release is
     scheduled to be available in February 2002. Contact COMTEK Services for further information.

     NMServer for VOS has not as yet been tested; vulnerability of this agent is unknown. Contact for further
     information on the testing schedule of the VOS product.

Concord Communications, Inc.

     Concord's eHealth Console product has some vulnerabilities to the OUSPG test
     suite. Patches are being developed and tested.

     Concord's SystemEDGE agent has been tested and is not vulnerable on Unix
     platforms. Under Windows, it is a sub-agent of the Windows SNNMP agent, and
     therefore the Windows hot fixes should be applied. SystemEDGE is not
     vulnerable on Win2K and XP with Microsoft's hot fixes.

     Please see this page on Concord's web site for more detail and for patch
     availability: http://www.concord.com/certadvisory.shtml

Covalent Technologies

     Covalent Technologies has tested the Enterprise Ready Server, Managed Server, and Covalent Conductor SNMP
     module according to recommendations issued by CERT, and has found no security vulnerabilities associated
     with Advisory CA-2002-03.

Dartware, LLC

     Dartware, LLC (www.dartware.com) supplies two products that use SNMPv1 in a manager role, InterMapper and
     SNMP Watcher. These products are not vulnerable to the SNMP vulnerability described in [VU#854306 and
     VU#107186]. This statement applies to all present and past versions of these two software packages.

Dell

     Dell (www.dell.com) is currently investigating the impact CERT Advisory CA-2002-03 (VU#854306 and VU#107186)
     may have against any products which make use of the SNMP protocol. Provided that products are found
     vulnerable, patches will be made available via normal support channels including support.dell.com.

DMH Software

     DMH Software is in the process of evaluating and attempting to reproduce this behavior.

     It is unclear at this point if our snmp-agent is sensitive to the tests described above.

     If any problems will be discovered, DMH Software will code a software fix.

     The release of DMH Software OS correcting the behavior outlined in VU#854306, VU#107186, and OUSPG#0100 will
     be generally available to all of DMH Software's customers as soon as possible.

EnGarde Secure Linux

     EnGarde Secure Linux did not ship any SNMP packages in version 1.0.1 of our distribution, so we are not
     vulnerable to either bug.

Enterasys

     On 12-February-2002, CERT (http://www.cert.org) announced serious vulnerabilities in the SNMP
     implementations of virtually every networking vendor's equipment. These vulnerabilities were discovered by a
     Finnish research group known as OUSPG, associated with Oulu University, and are documented in advisory
     CA-2002-03.

     These vulnerabilities exist in all versions of SNMP (v1/v2c/v3) and can be used to cause SNMP
     implementations to behave in an unpredictable manner, resulting in denials of service or system failures.

     Given the serious nature of these vulnerabilities, Enterasys is testing our product line to determine which
     products are affected. Patches for affected products will be made available to our customers. Please check
     the Enterasys Support web site periodically for further details and patch information.

     Until these patches become available, Enterasys recommends that the following steps be taken to help reduce
     exposure to these vulnerabilities.

        * Disable SNMP from interfaces through which SNMP commands should not be received, such as those
          providing connection from the Internet or Extranets.
        * Use Access Control Lists at the access edge to prevent SNMP traffic from unauthorized internal hosts
          from entering the network.
        * Use management VLANs or out-of-band management to contain SNMP traffic and multicasts. These do not
          prevent an attacker from exploiting these vulnerabilities, but they may make it more difficult to
          initiate the attacks.
        * Enable 802.1X port-locking and RADIUS to prevent unauthenticated users from attaching to the network.
        * Use NetSight Policy Manager to automatically restrict the use of SNMP to authenticated, SNMP-authorized
          personnel.
        * Update Dragon IDS signatures to help identify when these attacks are being used.

F5 Networks

     All versions of BIG-IP, 3-DNS, GLOBAL-SITE and EDGE-FX are vulnerable if the SNMP agent is enabled. Most
     versions have the SNMP agent enabled by default. Patches are available for all affected versions.

     SEE-IT is not affected by this vulnerability.

     If a customer is unable to install the patch, the SNMP service may be disabled. Below are instructions for
     obtaining patches and for disabling the SNMP service for each vulnerable product.

     BIG-IP

     A patch exists to correct this problem. Please see
     http://tech.f5.com/home/solutions/bigip/security/sol1622.html.

     Alternatively, you can simply disable the SNMP service using the instructions below:

       1. Log in to the BIG-IP Configuration utility.

       2. Navigate to the SNMP section. For version 4.0 and above this is a tab under System Administration.

       3. De-select the Enable box at the top of the screen and click the Apply button.

     This will disable the SNMP service on BIG-IP.

     3-DNS

     A patch exists to correct this problem. Please see
     http://tech.f5.com/home/solutions/3dns/security/sol1624.html.

     Alternatively, you can simply disable the SNMP service using the instructions below:

       1. Log in to the 3-DNS Configuration utility.

       2. Navigate to the SNMP section. This is the tab under 3-DNS Sync .

       3. De-select the Enable box at the top of the screen and click the Apply button.

       4. Log in to the Command Line Interface of the 3-DNS.

       5. Run the following command:

          kill -9 `ps -ax | grep snmpd | awk '{print $1}'`

     This will disable the SNMP service on 3-DNS.

     GLOBAL-SITE

     A patch exists to correct this problem. Please see
     http://tech.f5.com/home/solutions/globalsite/security/sol1626.html.

     Alternatively, you can simply disable the SNMP service using the instructions below:

     GLOBAL-SITE version 2.2

     To disable the SNMP agent for GLOBAL-SITE version 2.2, type the following command from the command prompt:

     ITCMconsole service snmpd stop

     This command stops the snmpd agent.

     ITCMconsole service snmpd disable

     This command disables snmpd so it does not start again at the next boot.

     To verify the status of snmpd, enter the following command:

     ITCMconsole show snmpd status

     GLOBAL-SITE version 2.1PTF-01 and earlier:

     On versions 2.1 PTF-01 and earlier, snmpd is not running by default so the GLOBAL-SITE Controller should not
     be affected. However, if you have enabled snmpd manually, you should disable it.

     EDGE-FX

     A patch exists to correct this problem. Please see
     http://tech.f5.com/home/solutions/edgefx/security/sol1625.html.

     Alternatively, you can simply disable the SNMP service using the instructions below:

     There are three SNMP daemons running on the cache. By default, the EDGE-FX Cache runs the snmpd, the
     edgefxsnmpd, and Inktomi's snmpdm .

     Disabling snmpd and edgefxsnmpd

     To disable and stop the SNMP agents, you should use the ITCMconsole. Type the following commands from the
     command prompt:

     ITCMconsole service snmpd stop

     This command stops the snmpd agent.

     ITCMconsole service snmpd disable

     This command disables snmpd so it does not start again at the next boot.

     To verify the status of snmpd, enter the following command:

     ITCMconsole show snmpd status

     Once the snmpd and edgefxsnmpd daemons are disabled, no other snmp traffic will be accepted.

     Disabling snmpdm

     The snmpdm agent, is also enabled by default. This Inktomi specific agent can be disabled or killed. In
     order to avoid traffic server anomalies, you should not kill this this daemon.

     According to CERTŪ Advisory CA-2002-03 :

     "Inktomi Corporation does not believe our [Inktomi] CDS product is vulnerable. Vulnerability would stem from
     the use of SNMP Research software in the CDS product. However, SNMP Research has stated that their product
     Emanate, versions 15.x and higher, is not vulnerable. As Inktomi's CDS uses Emanate 15.3, we [Inktomi]
     conclude that CDS is not vulnerable."

     Inktomi's CDS contains the same Traffic Server that EDGE-FX utilizes, which contains the Emanate 15.3 daemon
     (snmpdm).

     If you still want to kill this SNMP agent, you can use the Configuration utility or the command line.

     To disable the SNMP agent from the Configuration utility:

       1. From your browser, access the Configuration utility (refer to Accessing the Configuration utility).

       2. On the Configure tab, click the Server button.

       3. Scroll to the SNMP section of the Server Basics page.

       4. Click the SNMP Agent Off radio button.

       5. Click the Make These Changes button.

     To disable the SNMP agent manually:

       1. In a text editor, open the records.config file located in the EDGE-FX Caches
          /config/traffic_server/config directory.

       2. Edit the following variable:

          proxy.config.snmp.master_agent_enabled

          Set this variable to 0 to disable SNMP on the EDGE-FX Cache node.

       3. Save and close the records.config file.

       4. Make the /usr/local/cache/bin directory the working directory and run the following command to apply
          the configuration changes.

          ./traffic_line -x

          Note: you can also use the following command to restart the traffic_server: start_traffic_server.

     SEE-IT

     It has been determined that SEE-IT is not vulnerable.

Foundry Networks, Inc.

     According to testing completed by Foundry engineering using
     the stress tools recommended by CERT, we determined that NO Foundry
     devices are affected by any known SNMP security issue. All of Foundry's
     products use the same SNMP engine with varying SNMP versions (v1, v2c,
     and v3), and all SNMP versions have been tested.

     We are extremely appreciative to CERT's help during our testing period,
     and would like to wholeheartedly thank everyone involved.

FreeBSD

     FreeBSD does not include any SNMP software by default, and so is not vulnerable. However, the FreeBSD Ports
     Collection contains the UCD-SNMP / NET-SNMP package. Package versions prior to ucd-snmp-4.2.3 are
     vulnerable. The upcoming FreeBSD 4.5 release will ship the corrected version of the UCD-SNMP / NET-SNMP
     package. In addition, the corrected version of the packages is available from the FreeBSD mirrors.

     FreeBSD has issued the following FreeBSD Security Advisory regarding the UCD-SNMP / NET-SNMP package:

          ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:11.snmp.asc.

Hewlett-Packard Company

     HP Support Information Digests

     o  Security Bulletin Digest Split
       ------------------------------

       The security bulletins digest has been split into multiple digests
       based on the operating system (HP-UX, MPE/iX, and HP Secure OS
       Software for Linux).  You will continue to receive all security
       bulletin digests unless you choose to update your subscriptions.

       To update your subscriptions, use your browser to access the
       IT Resource Center on the World Wide Web at:

         http://www.itresourcecenter.hp.com/

       Under the Maintenance and Support Menu, click on the "more..."
     link.
       Then use the 'login' link at the left side of the screen to login
       using your IT Resource Center User ID and Password.

       Under the notifications section (near the bottom of the page),
     select
       Support Information Digests.

       To subscribe or unsubscribe to a specific security bulletin digest,

       select or unselect the checkbox beside it. Then click the
       "Update Subscriptions" button at the bottom of the page.

     o  IT Resource Center World Wide Web Service
       ---------------------------------------------------

       If you subscribed through the IT Resource Center and would
       like to be REMOVED from this mailing list, access the
       IT Resource Center on the World Wide Web at:

         http://www.itresourcecenter.hp.com/

       Login using your IT Resource Center User ID and Password.
       Then select Support Information Digests (located under
       Maintenance and Support).  You may then unsubscribe from the
       appropriate digest.

     ========================================================================
     =======

     Digest Name:  daily HP-UX security bulletins digest
        Created:  Thu Feb 14 13:00:06 PST 2002

     Table of Contents:

     Document ID      Title
     ---------------  -----------
     HPSBUX0202-184   Sec. Vulnerability in SNMP (rev. 1)

     The documents are listed below.

     ------------------------------------------------------------------------
     -------

     Document ID:  HPSBUX0202-184
     Date Loaded:  20020214
          Title:  Sec. Vulnerability in SNMP (rev. 1)

     TEXT

     -----------------------------------------------------------------
     **REVISED 01**  HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #0184,
       Originally issued: 12 Feb. 2002
       Last revised:  13 Feb. 2002
     -----------------------------------------------------------------

     The information in the following Security Bulletin should be acted
     upon as soon as possible.  Hewlett-Packard Company will not be
     liable for any consequences to any customer resulting from customer's
     failure to fully implement instructions in this Security Bulletin as
     soon as possible.

     ------------------------------------------------------------------
     PROBLEM:  Vulnerabilities in SNMP request and trap handling.

     PLATFORM: HP 9000 Series 700 and Series 800 running HP-UX
              releases 10.X and 11.X
     ** Revised 01**
              HP Procurve switches

              JetDirect Firmware (older versions only)

     DAMAGE:   Possible denial-of-service, service interruptions,
              unauthorized access.

     SOLUTION: Apply patches or implement workarounds.
             For HP-UX releases:
            PHSS_26137    s700_800  HP-UX 10.20 OV EMANATE14.2 Agent
            PHSS_26138    s700_800  HP-UX 11.X  OV EMANATE14.2 Agent
            PSOV_03087    Solaris 2.X      EMANATE Release 14.2

     MANUAL ACTIONS: Upgrade or workaround action per below.

     AVAILABILITY:  Patches for some affected systems are available now.
     CHANGE SUMMARY: Rev.01 affected HP Procurve scope expanded,
                           plus Procurve patch availability added.
                           NNM ovtrapd patch availability added.
     ------------------------------------------------------------------

     A. Background
        CERT has issued an advisory:
        CERT Advisory CA-2002-03 Multiple Vulnerabilities in Many
        Implementations of the Simple Network Management Protocol
        (SNMPv1) containing information about the vulnerabilities.

        Hewlett-Packard Company will revise this bulletin as new
        information becomes available.

        ---------------------------------------------------------
        hp Procurve switches
        ---------------------------------------------------------
     **REVISED 01**

        We are still in the process of determining which other HP
        Procurve products are subject to these vulnerabilities.
        We have created fixes for products below which will resolve
        these issues.  See Section C below.

        Customers can download these patches in the form of software
        upgrades at:
                  http://www.hp.com/rnd/software/switches.htm

                           Product                   Fix revision number
           ----------------------------------       --------------------
           HP Procurve Switch 2524   (J4813A)        F.04.08 or greater
           HP Procurve Switch 2512   (J4812A)        F.04.08 or greater
           HP Procurve Switch 4108GL (J4865A)        G.04.05 or greater
           HP Procurve Switch 4108GL-bundle (J4861A) G.04.05 or greater

        Not all HP Procurve products have completed testing, nor are
        they listed here, and may or may not have these vulnerabilities.
        This bulletin will again be updated as new information becomes
        available.

        ---------------------------------------------------------
        NNM  (Network Node Manager)
        ---------------------------------------------------------
     **REVISED 01**
        Some problems found in NNM product were related to trap
        handling.  Patches are available.  See Section C below.

        ---------------------------------------------------------
        JetDirect Firmware (older versions only)
        ---------------------------------------------------------
        ONLY some older versions of JetDirect Firmware are
        vulnerable to some of the issues.  The older firmware
        can be upgraded in most cases, see list below.

        JetDirect Firmware Version      State
         ==========================     =====

                X.08.32 and higher      NOT Vulnerable
                X.21.00 and higher      NOT Vulnerable
            where X represents an alpha character for your device.

        JetDirect Product Numbers that can be freely upgraded
        to X.08.32 or X.21.00 or higher firmware.

        EIO (Peripherals Laserjet 4000, 5000, 8000, etc...)
        J3110A 10T
        J3111A 10T/10B2/LocalTalk
        J3112A Token Ring (discontinued)
        J3113A 10/100 (discontinued)
        J4169A 10/100
        J4167A Token Ring

        MIO (Peripherals LaserJet 4, 4si, 5si, etc...)
        J2550A/B 10T (discontinued)
        J2552A/B 10T/10Base2/LocalTalk (discontinued)
        J2555A/B Token Ring (discontinued)
        J4100A 10/100
        J4105A Token Ring
        J4106A 10T

        External Print Servers
        J2591A EX+ (discontinued)
        J2593A EX+3 10T/10B2 (discontinued)
        J2594A EX+3 Token Ring (discontinued)
        J3263A 300X 10/100
        J3264A 500X Token Ring
        J3265A 500X 10/100

         ----------------------------------------------------------
         HP-UX Systems running snmpd or OPENVIEW
         ----------------------------------------------------------
         Any HP-UX 10.X or 11.X system running snmpd or snmpdm is
         vulnerable.  To determine if your HP-UX system has snmpd
         or snmpdm installed:

           swlist -l file | grep snmpd

     B. Fixing the problem
       Install the appropriate patch or firmware revision or work
       around problem as detailed below.

     C. Recommended solution
        ---------------------------------------------------------
        hp Procurve switches
        ---------------------------------------------------------
     **REVISED 01**
        Customers can download these patches in the form of firmware
        upgrades at:
                  http://www.hp.com/rnd/software/switches.htm

                 Product                         Fix revision number
        -----------------------------------     -------------------
        HP Procurve Switch 2524    (J4813A)       F.04.08 or greater
        HP Procurve Switch 2512    (J4812A)       F.04.08 or greater
        HP Procurve Switch 4108GL  (J4865A)       G.04.05 or greater
        HP Procurve Switch 4108GL-bundle (J4861A) G.04.05 or greater

        ---------------------------------------------------------
        NNM  (Network Node Manager)
        ---------------------------------------------------------
     **REVISED 01**
         Problems found in the NNM product (related only to trap
         handling) are addressed in patches available at:

     http://support.openview.hp.com/cpe/patches/nnm/6.2/s700_800_11.X.jsp

         PHSS_26286    s700_800  HP-UX  10.20  ovtrapd large trap fix
         PHSS_26287    s700_800  HP-UX  11.X   ovtrapd large trap fix
         PSOV_03100    Solaris 2.X             ovtrapd large trap fix
         NNM_00857     NT 4.X/Windows 2000     ovtrapd large trap fix

        ---------------------------------------------------------
        MC/ServiceGuard
        ---------------------------------------------------------
        Concerning the impact of disabling the SNMP agent on nodes
        in MC/ServiceGuard or ServiceGuard OPS Edition clusters:

        If SNMP is disabled on nodes running in MC/ServiceGuard
        or ServiceGuard OPS Edition clusters, it will no longer be
        possible for cluster monitoring applications that use the
        cluster SNMP MIB to obtain the correct status for the cluster.

        Examples of such applications are ClusterView, ClusterView Plus
        or EMS High Availability Monitors, which all receive
        cluster-related SNMP information from the cluster nodes.

        This means that these applications will no longer display the
        correct status for the cluster, including the cluster starting
        or halting, nodes leaving or joining the cluster, and application
        packages starting up or halting in the cluster.

          NOTE:  All supported versions of MC/ServiceGuard as well as
                 ServiceGuard OPS Edition are affected by this issue.

                 The ServiceGuard Manager product does not use the cluster
                 SNMP MIB, and therefore is _NOT_ affected by the
                 disabling of SNMP on cluster nodes.

        ---------------------------------------------------------
        Event Monitoring System  (EMS)
        ---------------------------------------------------------
        It should also be noted that if an MC/ServiceGuard or ServiceGuard
        OPS Edition application package has package resources defined
        that use EMS High Availability Monitors, then those package
        resources will no longer contain the current status for the
        cluster.  It may be necessary to remove the definition for these
        package resources in order to allow continued operation of the
        package after SNMP has been disabled.

        ---------------------------------------------------------
        JetDirect Firmware (older versions only)
        ---------------------------------------------------------
        Update firmware to X.08.32(or higher) or  X.21.00(or higher)
        as applicable.

        ----------------------------------------------------------
        HP-UX Systems running snmpd or OPENVIEW
        ----------------------------------------------------------
        The following patches are available now:

         PHSS_26137    s700_800  HP-UX 10.20 OV EMANATE14.2 Agent$
         PHSS_26138    s700_800  HP-UX 11.X  OV EMANATE14.2 Agent$
         PSOV_03087    Solaris 2.X      EMANATE Release 14.2 $

        All three patches are available from:

         http://support.openview.hp.com/cpe/patches/

     **Revised 01**
     -->> In addition PHSS_26137 and PHSS_26138 are now available
         from:
               http://itrc.hp.com

       ============================================================
       NOTE: The patches are labeled OV (Open View).  However, the
       patches are also applicable to systems that are _NOT_
       running Open View.
       ============================================================

        Workaround for HP-UX Systems:

        If a patch is not available for your platform or you cannot
        install an available patch, snmpd and snmpdm can be disabled
        by removing their entries from /etc/services and removing the
        execute permissions from /usr/sbin/snmpd and /usr/sbin/snmpdm.

     D. To subscribe to automatically receive future NEW HP Security
       Bulletins from the HP IT Resource Center via electronic
       mail, do the following:

       Use your browser to get to the HP IT Resource Center page
       at:

           http://itrc.hp.com

       Use the 'Login' tab at the left side of the screen to login
       using your ID and password.  Use your existing login or the
       "Register" button at the left to create a login, in order to
       gain access to many areas of the ITRC.  Remember to save the
       User ID assigned to you, and your password.

       In the left most frame select "Maintenance and Support".

       Under the "Notifications" section (near the bottom of
       the page), select "Support Information Digests".

       To -subscribe- to future HP Security Bulletins or other
       Technical Digests, click the check box (in the left column)
       for the appropriate digest and then click the "Update
       Subscriptions" button at the bottom of the page.

        or

        To -review- bulletins already released, select the link
        (in the middle column) "Search Technical Knowledge
        Database".

        To -gain access- to the Security Patch Matrix, or the
        "The Security Bulletins Archive" select the link for
        "The Security Bulletins Archive" (near the bottom of
        the page).  Once in the archive the third link is
        to the current Security Patch Matrix. Updated daily, this
        matrix categorizes security patches by platform/OS release,
        and by bulletin topic.  Security Patch Check completely
        automates the process of reviewing the patch matrix for
        11.XX systems.

        For information on the Security Patch Check tool, see:
        http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/
        displayProductInfo.pl?productNumber=B6834AA"

        The security patch matrix is also available via anonymous
        ftp:

        ftp.itrc.hp.com:~ftp/export/patches/hp-ux_patch_matrix

        On the "Support Information Digest Main" page:
        click on the "HP Security Bulletin Archive".

     E. To report new security vulnerabilities, send email to

        security-alert@hp.com

       Please encrypt any exploit information using the
       security-alert PGP key, available from your local key
       server, or by sending a message with a -subject- (not body)
       of 'get key' (no quotes) to security-alert@hp.com.

       Permission is granted for copying and circulating this
       Bulletin to Hewlett-Packard (HP) customers (or the Internet
       community) for the purpose of alerting them to problems,
       if and only if, the Bulletin is not edited or changed in
       any way, is attributed to HP, and provided such reproduction
       and/or distribution is performed for non-commercial purposes.

       Any other use of this information is prohibited. HP is not
       liable for any misuse of this information by any third party.

Hirschmann Electronics GmbH & Co. KG

     Hirschmann Electronics GmbH & Co. KG supplies a broad range of networking products, some of which are
     affected by the SNMP vulnerabilities identified by CERT Coordination Center. The manner in which they are
     affected and the actions required to avoid being impacted by exploitation of these vulnerabilities, vary
     from product to product. Hirschmann customers may contact our Competence Center (phone +49-7127-14-1538,
     email: ans-support@nt.hirschmann.de) for additional information, especially regarding availability of latest
     firmware releases addressing the SNMP vulnerabilities.

IBM Corporation

     Based upon the results of running the test suites we have determined
     that our version of SNMP shipped with AIX is NOT vulnerable.
     The AIX version of SNMP was patched under APAR # IY17630
     for AIX 4.3.3 and under APAR # IY20943 for AIX 5.1.
     Customers should apply the appropriate APAR to their systems
     if they have not already done so. To remain consistent with IBM's
     standing agreement with our customers who use zOS and OS/400,
     IBM asks that these customers contact IBM Service for information
     regarding this vulnerability.

Inktomi Corporation

     Inktomi Corporation does not believe our CDS product is vulnerable. Vulnerability would stem from the use of
     SNMP Research software in the CDS product. However, SNMP Research has stated that their product Emanate,
     versions 15.x and higher, is not vulnerable. As Inktomi's CDS uses Emanate 15.3, we conclude that CDS is not
     vulnerable.

Innerdive Solutions, LLC

     Innerdive Solutions, LLC has two SNMP based products:

     1. The "SNMP MIB Scout" (http://www.innerdive.com/products/mibscout/)
     2. The "Router IP Console" (http://www.innerdive.com/products/ric/)

     The "SNMP MIB Scout" is not vulnerable to either bug.

     The "Router IP Console" releases prior to 3.3.0.407 are vulnerable. The release of "Router IP Console"
     correcting the behavior outlined in OUSPG#0100 is 3.3.0.407 and is already available on our site. Also, we
     will notify all our customers about this new release no later than March 5, 2002.

iTouch Communications

     iTouch Communications has confirmed that the following tests failed
     (software crash) in the run-time image NEMC_IR.SYS version 3.0 and earlier:
     1. APP tests, 10545 and 10549
     2. ENC tests 878,7643,7686,7687,7688,13358 & 13486

     These issues were fixed in 3.0s1 of  NEMC_IR.SYS and it is now fully
     compliant with the SNMP vulnerability CERT tests.

     Customers requesting software updates or more information may
     contact iTouch Communications at 800-435-7997 (domestic) and
     978-952-4888 (International) and select the Customer Service option.

Juniper Networks

     This is in reference to your notification regarding CAN-2002-0012 and CAN-2002-0013. Juniper Networks has
     reproduced this behavior and coded a software fix. The fix will be included in all releases of JUNOS
     Internet software built after January 5, 2002. Customers with current support contracts can download new
     software with the fix from Juniper's web site at http://www.juniper.net

     Note: The behavior described in CAN-2002-0012 and CAN-2002-0013 can only be reproduced in JUNOS Internet
     software if "snmp traceoptions flag pdu" is enabled. Tracing of SNMP PDUs is generally not enabled in
     production routers.

Lantronix, Inc.

     Lantronix is committed to resolving security issues with our products. The SNMP security bug you reported
     has been fixed in LRS firmware version B1.3/611(020123).

Lexmark International, Inc.

     Lexmark International has tested the current MarkNet network adapters
     and current Lexmark Utilities (MarkVision Professional) according to
     recommendations issued by CERT.   Lexmark Utilities are not
     vulnerable.  Below is a list of tested MarkNet devices and
     information on obtaining updated network firmware when necessary:

     Printer/Network Adapter type            Fix Revision (if applicable)

     Lexmark E322n Laser Printer            4.20.14 or greater
     Lexmark T520n Laser Printer            Not vulnerable
     Lexmark T522n Laser Printer            Not vulnerable
     Lexmark T620n Laser Printer            Not vulnerable
     Lexmark T622n Laser Printer            Not vulnerable
     Lexmark Optra W810n Laser Printer        3.20.14 or greater
     Lexmark W820n Laser Printer            Not vulnerable
     Lexmark Optra C710nSBE Laser Printer        3.20.14 or greater
     Lexmark Optra C710n Laser Printer        3.20.14 or greater
     Lexmark C720n Color Laser Printer        3.20.14 or greater
     Lexmark C720dn Color Laser Printer        3.20.14 or greater
     Lexmark C750n Color Printer            Not vulnerable
     Lexmark C750dn Color Printer            Not vulnerable
     Lexmark C910n Color Printer            Not vulnerable
     Lexmark C910dn Color Printer            Not vulnerable
     Lexmark Optra Color 45n            3.20.14 or greater
     Lexmark Optra T610n Laser Printer        3.20.14 or greater

     MarkNet N2001e                 3.20.14 or greater
     MarkNet N2000t                   3.20.14 or greater
     MarkNet N2002e                 3.20.14 or greater
     MarkNet N2003fx-MTRJ             3.20.14 or greater
     MarkNet N2003fx-SC                  3.20.14 or greater

     MarkNet N2401e                 5.20.14 or greater
     MarkNet N2501e                 5.20.14 or greater

     MarkNet X2011e                 4.20.14 or greater
     MarkNet X2012e                 4.20.14 or greater
     MarkNet X2030t                 4.20.14 or greater
     MarkNet X2031e                 4.20.14 or greater
     MarkNet XI                    4.20.14 or greater
     MarkNet XP                    4.20.14 or greater

     MarkNet Pro network family            2.10.193 or greater
     MarkNet S network family            1.10.193 or greater

     Lexmark X820e MFP                Not vulnerable
     Lexmark X7500 MFP                   Not vulnerable

     None of the Lexmark network adapters are vulnerable once the
     community name is changed.  If unable to update to one of the above
     firmware levels, Lexmark recommends changing the community name.

     Firmware updates are available at:
     http://support.lexmark.com/en/cert_ca-2002-03.html

     For questions related to these or other Lexmark devices please
     contact 1-800-LEXMARK.

Lotus Development Corporation

     Lotus Software evaluated the Lotus Domino Server for vulnerabilities using the test suite materials provided
     by OUSPG.

     This problem does not affect default installations of the Domino Server. However, SNMP agents can be
     installed from the CD to provide SNMP services for the Domino Server (these are located in the
     /apps/sysmgmt/agents directory). The optional platform specific master and encapsulator agents included with
     the Lotus Domino SNMP Agents for HP-UX and Solaris have been found to be vulnerable. For those platforms,
     customers should upgrade to version R5.0.1 a of the Lotus Domino SNMP Agents, available for download from
     the Lotus Knowledge Base on the IBM Support Web Site (http://www.ibm.com/software/lotus/support/). Please
     refer to Document #191059, "Lotus Domino SNMP Agents R5.0.1a", also in the Lotus Knowledge Base, for more
     details.

LOGEC Systems Inc

     The products from LOGEC Systems are exposed to SNMP only via HP OpenView. We do not have an implementation
     of SNMP ourselves. As such, there is nothing in our products that would be an issue with this alert.

Lucent

     Lucent is aware of reports that there is a vulnerability in certain implementations of the SNMP (Simple
     Network Management Protocol) code that is used in data switches and other hardware throughout the telecom
     industry.

     As soon as we were notified by CERT, we began assessing our product portfolio and notifying customers with
     products that might be affected.

     Our 5ESS switch and most of our optical portfolio were not affected. Our core and edge ATM switches and most
     of our edge access products are affected, but we have developed, tested, and deployed fixes for many of
     those products to our customers. Fixes for the rest of the affected product portfolio will be available
     shortly.

     We consider the security and reliability of our customers' networks to be one of our critical measures of
     success. We take every reasonable measure to ensure their satisfaction.

     In addition, we are working with customers on ways to further enhance the security they have in place today.

Marconi

     Marconi supplies a broad range of telecommunications and related products, some of which are affected by the
     SNMP vulnerabilities identified here. The manner in which they are affected and the actions required (if
     any) to avoid being impacted by exploitation of these vulnerabilities, vary from product to product. Those
     Marconi customers with support entitlement may contact the appropriate Technical Assistance Center (TAC) for
     additional information. Those not under support entitlement may contact their sales representative.

MG-SOFT Corporation

     MG-SOFT is currently performing detailed verification of the SNMP (SNMPv1, SNMPv2c and SNMPv3) engine
     implementation.

     So far we have noticed that our WinSNMP implementation, the core of all our SNMP products, is vulnerable
     only in one case. We will post fixed versions of all affected MG-SOFT's SNMP products in few days, on our
     web site at http://www.mg-soft.com/.

Micromuse

     Micromuse has published the following response to this advisory :

            http://www.micromuse.com/supportgate/certadvisoryca2002-03.html

     This will be continually updated.

Microsoft Corporation

     The following documents regarding this vulnerability are available from Microsoft:

          http://www.microsoft.com/technet/security/bulletin/MS02-006.asp

Multinet

     MultiNet and TCPware customers should contact Process Software to check for the availability of patches for
     this issue. A couple of minor problems were found and fixed, but there is no security risk related to the
     SNMP code included with either product.

NET-SNMP

     All ucd-snmp version prior to 4.2.2 are susceptible to this vulnerability and users of versions prior to
     version 4.2.2 are encouraged to upgrade their software as soon as possible
     (http://www.net-snmp.org/download/). Version 4.2.2 and higher are not susceptible.

Netaphor

     NETAPHOR SOFTWARE INC. is the creator of Cyberons for Java -- SNMP Manager Toolkit and Cyberons for Java --
     NMS Application Toolkit, two Java based products that may be affected by the SNMP vulnerabilities identified
     here. The manner in which they are affected and the actions required (if any) to avoid being impacted by
     exploitation of these vulnerabilities, may be obtained by contacting Netaphor via email at info@netaphor.com
     Customers with annual support may contact support@netaphor.com directly. Those not under support entitlement
     may contact Netaphor sales: sales@netaphor.com or (949) 470 7955 in USA.

NetBSD

     NetBSD does not ship with any SNMP tools in our 'base' releases. We do provide optional packages which
     provide various support for SNMP. These packages are not installed by default, nor are they currently
     provided as an install option by the operating system installation tools. A system administrator/end-user
     has to manually install this with our package management tools. These SNMP packages include:

        * netsaint-plugin-snmp-1.2.8.4 (SNMP monitoring plug-in for netsaint)
        * p5-Net-SNMP-3.60 (perl5 module for SNMP queries)
        * p5-SNMP-3.1.0 (Perl5 module for interfacing to the UCD SNMP library
        * p5-SNMP_Session-0.83 (perl5 module providing rudimentary access to remote SNMP agents)
        * ucd-snmp-4.2.1 (Extensible SNMP implementation) (conflicts with ucd-snmp-4.1.2)
        * ucd-snmp-4.1.2 (Extensible SNMP implementation) (conflicts with ucd-snmp-4.2.1)

     We do provide a software monitoring mechanism called 'audit-packages', which allows us to highlight if a
     package with a range of versions has a potential vulnerability, and recommends that the end-user upgrade the
     packages in question.

Netscape Communications Corporation

     Netscape continues to be committed to maintaining a high level of quality in our software and service
     offerings. Part of this commitment includes prompt response to security issues discovered by organizations
     such as the CERTŪ Coordination Center.

     According to a recent CERT/CC advisory, The Oulu University Secure Programming Group (OUSPG) has reported
     numerous vulnerabilities in multiple vendor SNMPv1 implementations. These vulnerabilities may allow
     unauthorized privileged access, denial of service attacks, or unstable behavior.

     We have carefully examined the reported findings, performing the tests suggested by the OUSPG to determine
     whether Netscape server products were subject to these vulnerabilities. It was determined that several
     products fell into this category. As a result, we have created fixes which will resolve the issues, and
     these fixes will appear in future releases of our product line. To Netscape's knowledge, there are no known
     instances of these vulnerabilities being exploited and no customers have been affected to date.

     When such security warnings are issued, Netscape has committed to - and will continue to commit to -
     resolving these issues in a prompt and timely fashion, ensuring that our customers receive products of the
     highest quality and security.

NetScreen

     In response to CERT Advisory CA-2002-03 "Multiple Vulnerabilities in Many Implementations of the Simple
     Network Management Protocol (SNMP)" NetScreen began reproducing the tests and evaluating our vulnerability
     to the various problems reported by CERT and OUSPG.

     NetScreen's Global PRO and Global PRO Express do not have an SNMP agent or manager and are not sensitive to
     the issues raised in VU#107186 (CAN-2002-0012), "Multiple vulnerabilities in SNMP v1 trap handling". No
     change in behavior or operation is required.

     NetScreen has tested selected security appliances and ScreenOS software versions for the issues raised in
     VU#854306 (CAN-2002-0013) "Multiple vulnerabilities in SNMP v1 request handling", and has determined that
     the SNMP agent within all versions of ScreenOS is sensitive to certain of the tests described by CERT and
     OUSPG. NetScreen is continuing to test to confirm the full extent of platform and ScreenOS versions
     affected. These vulnerabilities can in certain circumstances be exploited to produce a denial of service.
     These vulnerabilities cannot be used to gain management control of the device.

     NetScreen is working as quickly as possible to develop and test maintenance releases of ScreenOS software
     that address these vulnerabilities. All NetScreen security appliances and systems shipped from NetScreen
     after Wednesday 13 February 2002 have software pre-installed at the factory that addresses these
     vulnerabilities.

     For more information please see

          http://www.netscreen.com/support/snmp.html

Network Associates

     PGP is not affected, impacted, or otherwise related to this VU#.

Network Computing Technologies

     Network Computing Technologies has reviewed the information regarding SNMP vulnerabilities and is currently
     investigating the impact to our products.

Nokia

     This vulnerability is known to affect IPSO versions 3.1.3, 3.3, 3.3.1, 3.4, and 3.4.1. Patches are currently
     available for versions 3.3, 3.3.1, 3.4 and 3.4.1 for download from the Nokia website. In addition, version
     3.4.2 shipped with the patch incorporated, and the necessary fix will be included in all future releases of
     IPSO.

     We recommend customers install the patch immediately or follow the recommended precautions below to avoid
     any potential exploit.

     If you are not using SNMP services, including Traps, simply disable the SNMP daemon to completely eliminate
     the potential vulnerability.

     If you are using only SNMP Traps and running Check Point FireWall-1, create a firewall policy to disallow
     incoming SNMP messages on all appropriate interfaces. Traps will continue to work normally.

Nortel Networks

     Nortel Networks products not affected by the CERT SNMP Advisory
     February 18, 2002

     Enclosed is a current listing of Nortel Networks products not
     impacted by the potential vulnerabilities in the Simple Network
     Management Protocol (SNMP) as outlined by the CERT advisory
     (CA-2002-003).  We are continuing to test and evaluate our remaining
     products and will be providing updates to this document. Additional
     products may be added to this list as further product testing is
     completed.

     ATM/IP PRODUCTS

     Intelligent Internet  (reduce font size to be a subheading)

     Alteon Content Manager (ACM)
     DPN-100 Portfolio
     NetID 4.X
     Optivity Policy Services 1.1
     Preside Magellan Data Provider (MDP)
     Java Device Manager (JDM)
     Optivity Network Configuration System CS 3.x (NCS)
     Optivity Switch Manager (OSM)
     Alteon iSD Secure Socket Layer Accelerator (SSL)
     Alteon 180 and ACE Director Web Switches (WebOS) Releases 8.x and 9.0

     Carrier Voice over Packet

     Succession Multi-Service Gateway 4000 (MG4K)

     ENTERPRISE

     Meridian Integrated Applications (MIxxx)
     Meridian Integrated Call Assistant (MICA)
     Meridian Integrated Conference Bridge (MICB)
     Meridian Integrated Voice Services (MIVS)
     Meridian Integrated Personal Call Director (MIPCD)

     DMS (Enhanced) Intelligent Peripheral Equipment (IPE/EIPE)

     DMS Link Peripheral Processor/Ethernet Interface Unit (LPP/EIU)

     Digital Telephones
            M3900 Series
            M2000 Series
            M3000 Executive Telephone


     Analog Telephones
            M8000/M9000 series
            500/2500 type

     Fibre Remote products

     LONG HAUL OPTICAL

     OPTera Connect DX Connection Manager
     OPTera Connect HDX Connection Manager
     OPTera Connect PX Connection Manager

     S/DMS TransportNode OC-192
     S/DMS TransportNode OC-48
     S/DMS TransportNode OC-12 TBM
     S/DMS TransportNode TN-16X
     S/DMS TransportNode TN-64X

     Long Haul Optical Management Products

     These software products either do not use an SNMP agent or have
     passed the CERT recommended test suite. The third party compute
     platforms on which these products run may be equipped with an SNMP
     agent software, but the server platform environment is controlled by
     the customer.  Nortel Networks recommends customers contact their
     compute platform vendors for recommended corrective action.

     Preside Site Manager
     Preside Application Platform
     Preside Trail Manager
     Preside Multiterabit Element Manager
     Preside Optical Applications
     Preside Configurable Surveillance Adapter
     Preside Configurable Trail Adapter
     Preside IP Device Adapter

     Metro Optical

     OPTera Metro 3300/3400/3500 Next Generation SONET Multiservice
     Platform (all versions)

     S/DMS TransportNode OC-48
     S/DMS TransportNode OC-48 OPTera Packet Edge (OPE)

     OPTera Connect DX Connection Manager
     S/DMS TransportNode OC-12 TBM
     OPTera Metro 4200
     OPTera Metro 4100 without OPE 100 card
     S/DMS TransportNode TN-1X
     S/DMS TransportNode TN-1C
     S/DMS TransportNode TN-1P
     S/DMS TransportNode TN-4T

     (See Long Haul Optical Management Products comment above for the
     following Metro Optical Preside products.)

     Preside Site Manager
     Preside Application Platform
     Preside Trail Manager
     Preside Manager for OPTera Metro
     Preside Optical Applications
     Preside Configurable Surveillance Adapter
     Preside Configurable Trail Adapter

     Circuit Switching

     DMS  Enhanced Network (ENET)
     DMS Message Switch (MS)
     DMS-10
     DMS Series 60/70 Core
     NT40
     DMS XA-Core
     DMS TOPS
     DMS-100
     DMS 100i
     DMS-200
     DMS-250
     DMS-300
     DMS-500
     DMS Custom Specific Variants
     DMS MMP/GSP
     DMS LPP/EIU
     DMS Input Output Module (IOM)
     NETOnline
     Spectrum Peripheral Module (SPM)
     Real Time 1000 (RT-1000)
     Extended Peripheral Module (XPM)

     WIRELESS

     TDMA Access
     Intelligent Cellular Peripheral (ICP)  - all versions and all
     subsystems
     Intelligent Cellular Radio Module (ICRM) - all versions and
     subsystems

     CDMA Access
     Legacy Base Transceiver Station (BTS)--all versions and all
     subsystems
     Metro Cell all versions and all subsystems Base Station Controller
     (BSC) - except Passport versions

     GSM/GPRS/UMTS Access
     GSM:  Base Transceiver Station S8000 (S8000 BTS)-all versions
     GSM:  Base Station Controllers 12000, 6000 (BSC12000, BSC6000) -all
     versions GSM:  e-cell Base Transceiver Station (e-cell BTS)-all
     versions
     GSM:  S2000 Base Transceiver Station (S2000 BTS)-all versions
     GSM:  Base Station Controller e3 (BSCe3) -all versions
     UMTS Node B (all versions)
     UMTS iRNC (excluding MDP/MDM OA&M device for Passport)

     Wireless Core
     Wireless Prepaid - (Nortel Intelligent Network-based prepaid product
     for CDMA/TDMA/AMPS)
     MDS
     Adept

Novell

     Novell ships SNMP.NLM and SNMPLOG.NLM with NetWare 4.x, NetWare 5.x and 6.0 systems. The SNMP and SNMPLOG
     vulnerabilities detected on NetWare are fixed and will be available through NetWare 6 Support Pack 1 &
     NetWare 5.1 Support Pack 4. Support packs are available at http://support.novell.com/tools/csp/.

OpenBSD

     OpenBSD does not ship SNMP code.

Qualcomm

     WorldMail does not support SNMP by default, so customers who run unmodified installations are not
     vulnerable.

Radware

     Radware has assessed its SNMP based products against the
     vulnerabilities identified in CERT Advisory CA-2002-03.  Product
     specific software maintenance releases are being developed and will
     be available in the near future.  Please consult our web site
     (www.radware.com) for additional information.

     Until the releases addressing the SNMP vulnerabilities are available,
     Radware recommends taking the following standard security
     precautions:

     * Disable all remote management access through all unecessary
     interfaces using the SNMP or Management Ports Table feature,
     depending on the specific software release in use.

     * If possible, limit all remote management access to a physically
     separate port that is connected to a secure management segment.

Redback Networks, Inc.

     Redback Networks, Inc. has identified that the vulnerability in question affects certain versions of AOS
     software on the SMS 500, SMS 1800, and SMS 10000 platforms, and is taking the appropriate steps necessary to
     correct the issue.

Red Hat

     RedHat has released a security advisory at

     http://www.redhat.com/support/errata/RHSA-2001-163.html

     with updated versions of the ucd-snmp package for all supported releases and architectures. For more
     information or to download the update please visit this page.

Sierra Wireless

     We are not vulnerable.

SGI

     SGI acknowledges the SNMP vulnerabilities reported by CERT and is currently investigating. No further
     information is available at this time.

     For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a
     full investigation has occurred and any necessary patch(es) or release streams are available for all
     vulnerable and supported IRIX operating systems. Until SGI has more definitive information to provide,
     customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps
     according to local site security policies and requirements. As further information becomes available,
     additional advisories will be issued via the normal SGI security information distribution methods including
     the wiretap mailing list on http://www.sgi.com/support/security/.

SNMP Research International

     The most recent releases (15.3.1.7 and above) of all SNMP Research products address the vulnerabilities
     identified in the following CERT vulnerability advisories:

          VU#854306 (Multiple vulnerabilities in SNMPv1 request handling)
          VU#107186 (Multiple vulnerabilities in SNMPv1 trap handling)

     A few of the malformed packets sent in these tests result in out of bound array references in allocated
     memory and minor memory leaks. No consequences, other than potential denial of service on some platforms,
     are known.

     All customers who maintain a support contract have received either the new release or the appropriate patch
     sets to their 15.3.1.1 and later source code releases addressing these vulnerabilities. Users maintaining
     earlier releases should update to the current release if they have not already done so. Up-to-date
     information is available from support@snmp.com.

Stonesoft

     Stonesoft's StoneGate product does not include an SNMP agent, and is therefore not vulnerable to this. Other
     Stonesoft's products are still under investigation. As further information becomes available, additional
     advisories will be available at

     http://www.stonesoft.com/support/techcenter/

Sun Microsystems, Inc.

     Sun's SNMP product, Solstice Enterprise Agents (SEA), described here:

          http://www.sun.com/solstice/products/ent.agents/

     is affected by VU#854306 but not VU#107186. More specifically the main agent of SEA, snmpdx(1M), is affected
     on Solaris 2.6, 7, 8. Sun has released Security Bulletin #00215.

     Sun Security Bulletins are available from:

          http://sunsolve.sun.com/security

     Sun patches are available from:

          http://sunsolve.sun.com/securitypatch

Symantec Corporation

     Symantec Corporation has investigated the SNMP issues identified by the OUSPG test suite and determined that
     Symantec products are not susceptible to these issues.

TANDBERG

     Tandberg have run all the testcases found the PROTOS test-suite, c06snmpv1:

     1. c06-snmpv1-req-app-pr1.jar
     2. c06-snmpv1-req-enc-pr1.jar
     3. c06-snmpv1-trap-app-pr1.jar
     4. c06-snmpv1-trap-enc-pr1.jar

     The tests were run with standard delay time between the requests (100ms), but also with a delay of 1ms. The
     tests applies to all TANDBERG products (T500, T880, T1000, T2500, T6000 and T8000). The software tested on
     these products were B4.0 (our latest software) and no problems were found when running the test suite.

Tivoli Systems

     IBM Tivoli has identified that, in the absence of properly configured perimeter firewall protection, the
     following Tivoli products are potentially vulnerable with respect to the CERT Advisory CA-2002-03.

     ·    Tivoli NetView for OS/390 Version 1 Release 2, 3 and 4
     ·    Tivoli NetView for Unix Version 7.1and earlier
     ·    Tivoli NetView for Windows Version 7.1 and earlier
     ·    Tivoli Enterprise Console (SNMP adapter only)
     ·    Tivoli Storage Network Manager

     IBM is not aware of other affected Tivoli products at this time. IBM is investigating this vulnerability on
     an ongoing basis and will update vulnerability information on its IBM Tivoli website if new information
     becomes available.

     ·    Tivoli NetView for OS/390

     Evaluation is underway to assess any vulnerability. If exposures are found due to the advisory, PTFs will be
     provided.

     ·    Tivoli NetView for Unix, Tivoli NetView for Windows

     The “trap handling” subsystems are vulnerable to a service interruption related to VU#107186.
     The Mid-Level Manager agents on some platforms are vulnerable to a service interruption related to
     VU#854306.  These conditions are present in Tivoli NetView V7.1 and earlier.  Solutions are currently being
     tested and will be available in an upcoming service release.

     ·    Tivoli Enterprise Console (SNMP adapter only)

     Evaluation is underway to determine whether the SNMP adapter is vulnerable to a service interruption. If
     exposures are found due to the advisory, fixes will be provided.

     ·    Tivoli Storage Network Manager

     Evaluation is underway to assess any vulnerability. If exposures are found due to the advisory, fixes will
     be provided.

     Please contact Tivoli support either via our web site at
     (http://www.tivoli.com/secure/support/documents/security/index.html) or refer to PMR number (41203,000,866)
     for patch availability and the most current information.

     IBM Tivoli is expanding its usage of the Oulu University Secure Programming Group’s PROTOS c06-snmpv1
     test suite to provide an expanded set of test scenarios.

Wind River Systems, Inc.

     Current SNMP products from Wind River Systems:  Envoy SNMP v9.3 Beta, Envoy
     v9.2, Envoy v9.1, and WindNet SNMP v2.0, are not susceptible to VU#854306
     and VU#107186 in our internal testing.  We are continuing regression testing
     on previous versions of Wind River SNMP products, and working with our
     customers on more test cases.  We will update this vendor statement as new
     information becomes available.

     Note: As Wind River's Envoy SNMP is a source code product, customer's
     modifying of Envoy and implementation of proprietary MIB access methods MAY
     introduce vulnerability to VU#854306 and VU#107186.  Wind River recommends
     individual testing of customer product's incorporating MODIFIED Envoy SNMP
     source code.

     Wind River customers under support and maintenance have received the current
     product releases.

     Please contact Wind River support at support@windriver.com or call (800)
     458-7767 with any test reports related to VU#854306 and VU#107186.

Appendix B. - References

  1. http://www.ee.oulu.fi/research/ouspg/protos/
  2. http://www.kb.cert.org/vuls/id/854306
  3. http://www.kb.cert.org/vuls/id/107186
  4. http://www.cert.org/tech_tips/denial_of_service.html
  5. http://www.ietf.org/rfc/rfc1067.txt
  6. http://www.ietf.org/rfc/rfc1089.txt
  7. http://www.ietf.org/rfc/rfc1140.txt
  8. http://www.ietf.org/rfc/rfc1155.txt
  9. http://www.ietf.org/rfc/rfc1156.txt
 10. http://www.ietf.org/rfc/rfc1215.txt
 11. http://www.ietf.org/rfc/rfc1270.txt
 12. http://www.ietf.org/rfc/rfc1352.txt

Appendix C. - Background Information

Background Information on the OUSPG

OUSPG is an academic research group located at Oulu University in Finland. The purpose of this research group is to
test software for vulnerabilities.

History has shown that the techniques used by the OUSPG have discovered a large number of previously undetected
problems in the products and protocols they have tested. In 2001, the OUSPG produced a comprehensive test suite for
evaluating implementations of the Lightweight Directory Access Protocol (LDAP). This test suite was developed with the
strategy of abusing the protocol in unsupported and unexpected ways, and it was very effective in uncovering a wide
variety of vulnerabilities across several products. This approach can reveal vulnerabilities that would not manifest
themselves under normal conditions.

After completing its work on LDAP, OUSPG moved its focus to SNMPv1. As with LDAP, they designed a custom test suite,
began testing a selection of products, and found a number of vulnerabilities. Because OUSPG's work on LDAP was similar
in procedure to its current work on SNMP, you may wish to review the LDAP Test Suite and CERT Advisory CA-2001-18,
which outlined results of application of the test suite.

In order to test the security of protocols like SNMPv1, the PROTOS project presents a server with a wide variety of
sample packets containing unexpected values or illegally formatted data. As a member of the PROTOS project consortium,
the OUSPG used the PROTOS c06-snmpv1 test suite to study several implementations of the SNMPv1 protocol. Results of
the test suites run against SNMP indicate that there are many different vulnerabilities on many different
implementations of SNMP.

Background Information on the Simple Network Management Protocol

The Simple Network Management Protocol (SNMP) is the most popular protocol in use to manage networked devices. SNMP
was designed in the late 80's to facilitate the exchange of management information between networked devices,
operating at the application layer of the ISO/OSI model. The SNMP protocol enables network and system administrators
to remotely monitor and configure devices on the network (devices such as switches and routers). Software and firmware
products designed for networks often make use of the SNMP protocol. SNMP runs on a multitude of devices and operating
systems, including, but not limited to,

   * Core Network Devices (Routers, Switches, Hubs, Bridges, and Wireless Network Access Points)
   * Operating Systems
   * Consumer Broadband Network Devices (Cable Modems and DSL Modems)
   * Consumer Electronic Devices (Cameras and Image Scanners)
   * Networked Office Equipment (Printers, Copiers, and FAX Machines)
   * Network and Systems Management/Diagnostic Frameworks (Network Sniffers and Network Analyzers)
   * Uninterruptible Power Supplies (UPS)
   * Networked Medical Equipment (Imaging Units and Oscilloscopes)
   * Manufacturing and Processing Equipment

The SNMP protocol is formally defined in RFC1157. Quoting from that RFC:

     Implicit in the SNMP architectural model is a collection of network management stations and network elements.
     Network management stations execute management applications which monitor and control network elements. Network
     elements are devices such as hosts, gateways, terminal servers, and the like, which have management agents
     responsible for performing the network management functions requested by the network management stations. The
     Simple Network Management Protocol (SNMP) is used to communicate management information between the network
     management stations and the agents in the network elements.

Additionally, SNMP is discussed in a number of other RFC documents:

   * RFC 3000 Internet Official Protocol Standards
   * RFC 1212 Concise MIB Definitions
   * RFC 1213 Management Information Base for Network Management of TCP/IP-based Internets: MIB-II
   * RFC 1215 A Convention for Defining Traps for use with the SNMP
   * RFC 1270 SNMP Communications Services
   * RFC 2570 Introduction to Version 3 of the Internet-standard Network Management Framework
   * RFC 2571 An Architecture for Describing SNMP Management Frameworks
   * RFC 2572 Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
   * RFC 2573 SNMP Applications
   * RFC 2574 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
   * RFC 2575 View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
   * RFC 2576 Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management
     Framework

---------------------------------------
The CERT Coordination Center thanks the Oulu University Secure Programming Group for reporting these vulnerabilities
to us, for providing detailed technical analyses, and for assisting us in preparing this advisory.

We also thank Steven M. Bellovin (AT&T Labs -- Research), Wes Hardaker (Net-SNMP), Steve Moulton (SNMP Research), Tom
Reddington (Bell Labs), Mike Duckett (Bell South), Rob Thomas, Blue Boar (Thievco), Sunil Chitnis (Foundry Networks),
the Cisco Systems Product Security Incident Response Team (psirt@cisco.com) and the many others who contributed to
this document.
---------------------------------------

Feedback on this document can be directed to the authors, Ian A. Finlay, Shawn V. Hernan, Jason A. Rafail, Chad
Dougherty, Allen D. Householder, Marty Lindner, and Art Manion.

---------------------------------------
This document is available from: http://www.cert.org/advisories/CA-2002-03.html
---------------------------------------

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
     CERT Coordination Center
     Software Engineering Institute
     Carnegie Mellon University
     Pittsburgh PA 15213-3890
     U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for
emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

     http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

     http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include
in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

---------------------------------------
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter
including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results
obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to
freedom from patent, trademark, or copyright infringement.
---------------------------------------
Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

Feb 12, 2002: Initial release
Feb 12, 2002: Corrected vendor appendix formatting issues
Feb 12, 2002: Added vendor statement for Inktomi
Feb 12, 2002: Fixed formatting problem in "Disable stack execution" section
Feb 12, 2002: Updated vendor statement for Juniper
Feb 12, 2002: Fixed broken link in Juniper statement
Feb 12, 2002: Updated Public Thanks section
Feb 12, 2002: Updated Covalent statement
Feb 12, 2002: Updated SNMP Research statement
Feb 12, 2002: Updated CVE and Comtek services links
Feb 13, 2002: Updated Cisco, Enterasys, FreeBSD, HP, Microsoft, Sun, and Tandberg statements, removed Tivoli statement
Feb 14, 2002: Added vendor statement for Aprisma
Feb 14, 2002: Added vendor statements for MG-Soft and NetScreen
Feb 14, 2002: Added vendor statement for iTouch Communications
Feb 14, 2002: Added vendor statement for F5 Networks
Feb 14, 2002: Added vendor statement for Sierra Wireless
Feb 15, 2002: Added vendor statement for MICROMUSE
Feb 15, 2002: Updated HP statement
Feb 16, 2002: Updated Nortel Networks statement
Feb 16, 2002: Added vendor statement for Foundry Networks
Feb 18, 2002: Added vendor statement for Tivoli
Feb 18, 2002: Added vendor statement for Radware
Feb 18, 2002: Updated Nortel Networks statement
Feb 19, 2002: Updated Nortel Networks statement
Feb 19, 2002: Updated F5 Networks statement
Feb 19, 2002: Updated Compaq statement
Feb 19, 2002: Updated IBM statement
Feb 19, 2002: Added vendor statement for Dell
Feb 19, 2002: Fixed bad link in Enterasys statement
Feb 19, 2002: Updated IBM statement
Feb 19, 2002: Added vendor statement for BMC Software
Feb 20, 2002: Added vendor statement for Wind River Systems
Feb 20, 2002: Added vendor statement for Concord Communications
Feb 20, 2002: Added vendor statement for CommWorks Corporation (a 3Com company)
Feb 20, 2002: Added vendor statement for Lexmark International
Feb 20, 2002: Added vendor statement for Check Point Software Technologies Inc.
Feb 20, 2002: Added vendor statement for Alcatel


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH