             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                                ADVISORY NOTICE

          Multiple Vulnerabilities in Multiple Implementations of SNMP
                           [CERT Advisory CA-2002-03]

February 12, 2002 21:00 GMT                                       Number M-042
[Revised 13 February 2002]
[Revised 15 February 2002]
[Revised 19 February 2002]
[Revised 25 February 2002]
[Revised  7 March 2002]
[Revised  9 April 2002]
[Revised 25 April 2002]
______________________________________________________________________________
PROBLEM:       The messaging protocol used in the SNMPv1 protocol has been 
               found to be vulnerable to many types of remote attacks 
               including: denial-of-service, unauthorized privilege access, 
               and unstable behavior. 
PLATFORM:      A list of tested platforms is in the CERT bulletin. However, 
               essentially all platforms that use SNMP are vulnerable. Typical 
               platforms that use SNMP for management include routers, 
               switches, hubs, workstations, and servers. Of particular 
               importance are platforms where SNMP is installed by default. 
DAMAGE:        Remote users can crash systems, make systems unstable, and gain 
               privileged access to systems. 
SOLUTION:      Where possible, apply vendor patches. Until patches are 
               available, you should do the following: 1. Block SNMP traffic 
               at the border routers of your network. This includes blocking 
               traffic (TCP and UDP) going in both directions at the border 
               routers for ports 161, 162, 199, 391, 705, and 1993. Blocking 
               the outgoing traffic prevents a site from becoming a source of 
               an attack. 2. Remove or disable SNMP on all border devices. 3. 
               Remove or disable SNMP on any systems that do not need it. 4. 
               Where possible, manage systems with protocols other than SNMP. 
               5. Filter or segregate internal SNMP traffic to limit access to 
               the SNMP ports on managed systems. 6. Change the default 
               community strings. 
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. The use of SNMP is widespread within the 
ASSESSMENT:    government, military, and public. Most implementations of SNMP 
               are vulnerable. The vulnerability has been made public. The 
               vulnerabilities can result in remote privileged access to 
               systems. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-042.shtml 
 ORIGINAL BULLETIN:  http://www.cert.org/advisories/CA-2002-03.html

VENDOR PATCHES OR WORKAROUNDS:

NOTE: PLEASE REVIEW CERT'S BULLETIN FOR VENDOR PRODUCT UPDATES AND
      REVISIONS.

COMPAQ, Tru64 update (4-9-02):
http://ftp.support.compaq.com/patches/.new/html/SSRT0799.shtml

SGI, IRIX update (4-9-02):
ftp://patches.sgi.com/support/free/security/advisories/20020201-01-P

SGI, IRIX hpsnmpd Vulnerability update (4-25-02):
ftp://patches.sgi.com/support/free/security/advisories/20020404-01-P
______________________________________________________________________________


CIAC wishes to acknowledge the contributions of CERT-CC and  the Oulu University 
Secure Programming Group for the information contained in this bulletin.

_______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-032: HP-UX Security Vulnerability with wu-ftpd 2.6
M-033: Snort IDS Denial of Service Vulnerability
M-034: Window File Wiping Utilities Miss Alternate Data Streams
M-035: Red Hat Linux "rsync" Vulnerability
M-036: Microsoft Windows NT/2000 Trust Domain Vulnerability
M-037: Oracle 9iAS Multiple Buffer Overflows in the PL/SQL Module 
M-038: Cisco Secure Access Control Server NDS User Authentication Vulnerability
M-039: Microsoft Telnet Server Buffer Overflow Vulnerability
M-040: MS Exchange - Incorrectly Sets Remote Registry Permissions
M-041: Microsoft Internet Explorer Cumulative Patch