Original release date: February 12, 2002<BR>
Last revised: <b>February 13, 2008</b><br>
Source: CERT/CC<BR>
<P>A complete revision history can be found at the end of this file.
<A NAME="affected"></a>
<H3>Systems Affected</H3>
<p>Products from a very wide variety of vendors may be affected. See
<a href="#vendors">Vendor Information</a> for details from vendors who
have provided feedback for this advisory.</p>
<p>In addition to the vendors who provided feedback for this advisory,
a list of vendors whom CERT/CC contacted regarding these problems is
available from
<br>
<blockquote>
<A HREF="http://www.kb.cert.org/vuls/id/854306">http://www.kb.cert.org/vuls/id/854306</a><br>
<A HREF="http://www.kb.cert.org/vuls/id/107186">http://www.kb.cert.org/vuls/id/107186</a>
</blockquote>
<b><p>Many other systems making use of SNMP may also be vulnerable but
were not specifically tested.</b>
<A NAME="overview"></a>
<H2>Overview</H2>
<P>Numerous vulnerabilities have been reported in multiple vendors'
SNMP implementations. These vulnerabilities may allow unauthorized
privileged access, <A
HREF="http://www.cert.org/tech_tips/denial_of_service.html">denial-of-service
attacks</A>, or cause unstable behavior. If your site uses SNMP in
any capacity, the CERT/CC encourages you to read this advisory and
follow the advice provided in the <A HREF="#solution">Solution</A>
section below.
<p>In addition to this advisory, we also have a FAQ available at
<ul>
<a HREF="http://www.cert.org/tech_tips/snmp_faq.html">http://www.cert.org/tech_tips/snmp_faq.html</a>
</ul>
<A NAME="description"></a>
<H2>I. Description</H2>
<p>
The Simple Network Management Protocol (SNMP) is a widely deployed
protocol that is commonly used to monitor and manage network devices.
Version 1 of the protocol (SNMPv1) defines several types of SNMP
messages that are used to request information or configuration
changes, respond to requests, enumerate SNMP objects, and send
unsolicited alerts. The <A
HREF="http://www.ee.oulu.fi/research/ouspg/">Oulu University Secure
Programming Group</A> (OUSPG, <A
HREF="http://www.ee.oulu.fi/research/ouspg/">http://www.ee.oulu.fi/research/ouspg/</A>)
has reported numerous vulnerabilities in SNMPv1 implementations from
many different vendors. More information about SNMP and OUSPG can be
found in <a href="#background">Appendix C</a>
</p>
<p>
OUSPG's research focused on the manner in which SNMPv1 agents and
managers handle request and trap messages. By applying the <A
HREF="http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html">PROTOS
c06-snmpv1 test suite</A> (<A
HREF="http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html">http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html</A>) to a variety of popular SNMPv1-enabled
products, the OUSPG revealed the following vulnerabilities:
</p>
<p><b><A HREF="http://www.kb.cert.org/vuls/id/107186">VU#107186</A> -
Multiple vulnerabilities in SNMPv1 trap handling
</B>
</p>
<p><blockquote> SNMP trap messages are sent from agents to managers.
A trap message may indicate a warning or error condition or otherwise
notify the manager about the agent's state. SNMP managers must
properly decode trap messages and process the resulting data. In
testing, OUSPG found multiple vulnerabilities in the way many SNMP
managers decode and process SNMP trap messages. </blockquote></p>
<p><b><A HREF="http://www.kb.cert.org/vuls/id/854306">VU#854306</A> -
Multiple vulnerabilities in SNMPv1 request handling </b></p>
<p>
<blockquote>
SNMP request messages are sent from managers to agents. Request messages might be issued to obtain information from an agent or to instruct the agent to configure the host device. SNMP agents must properly decode request messages and process the resulting data. In testing, OUSPG found multiple vulnerabilities in the way many SNMP agents decode and process SNMP request messages.
</blockquote></p>
<p>
Vulnerabilities in the decoding and subsequent processing of SNMP messages by both managers and agents may result in denial-of-service conditions, format string vulnerabilities, and buffer overflows. Some vulnerabilities do not require the SNMP message to use the correct SNMP community string.
</p>
<p>These vulnerabilities have been assigned the <A
HREF="http://cve.mitre.org">CVE</a> identifiers <A
HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012">CAN-2002-0012</a>
and <A
HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013">CAN-2002-0013</a>,
respectively.
<A NAME="impact"></a>
<H2>II. Impact</H2>
These vulnerabilities may cause denial-of-service conditions, service
interruptions, and in some cases may allow an attacker to gain access
to the affected device. Specific impacts will vary from product to
product.
<A NAME="solution"></a>
<H2>III. Solution</H2>
<p>Note that many of the mitigation steps recommended below may have
significant impact on your everyday network operations and/or network
architecture. Ensure that any changes made based on the following
recommendations will not unacceptably affect your ongoing network
operations capability.</p>
<H4>Apply a patch from your vendor</H4>
<P><A HREF="#vendors">Appendix A</A> contains information provided by
vendors for this advisory. Please consult this appendix to determine
if you need to contact your vendor directly.
<h4>Disable the SNMP service</h4>
As a general rule, the CERT/CC recommends disabling any service or
capability that is not explicitly required, including SNMP.
Unfortunately, some of the affected products exhibited unexpected
behavior or denial of service conditions when exposed to the OUSPG
test suite <i>even if SNMP was not enabled</i>. In these cases,
disabling SNMP should be used in conjunction with the filtering
practices listed below to provide additional protection.
<p>
<h4>Ingress filtering</h4>
As a temporary measure, it may be possible to limit the scope of these
vulnerabilities by blocking access to SNMP services at the network
perimeter.
<p>
Ingress filtering manages the flow of traffic as it enters a network
under your administrative control. Servers are typically the only
machines that need to accept inbound traffic from the public
Internet. In the network usage policy of many sites, there are few
reasons for external hosts to initiate inbound traffic to machines
that provide no public services. Thus, ingress filtering should be
performed at the border to prohibit externally initiated inbound
traffic to non-authorized services. For SNMP, ingress filtering
of the following ports can prevent attackers outside of your network
from impacting vulnerable devices in the local network that are not
explicitly authorized to provide public SNMP services.
<p>
<font face="courier"><small>
snmp 161/udp #
Simple Network Management Protocol (SNMP)<br>
snmp 162/udp #
SNMP system management messages<br>
</small></font>
<p>
The following services are less common, but may be used on some
affected products
<font face="courier"><small>
<p>
snmp 161/tcp #
Simple Network Management Protocol (SNMP)<br>
snmp 162/tcp #
SNMP system management messages<br>
smux 199/tcp #
SNMP Unix Multiplexer<br>
smux 199/udp #
SNMP Unix Multiplexer<br>
synoptics-relay 391/tcp #
SynOptics SNMP Relay Port<br>
synoptics-relay 391/udp #
SynOptics SNMP Relay Port<br>
agentx
705/tcp # AgentX<br>
snmp-tcp-port 1993/tcp #
cisco SNMP TCP port<br>
snmp-tcp-port 1993/udp #
cisco SNMP TCP port<br>
</small></font>
<p>As noted above, you should carefully consider the impact of
blocking services that you may be using.
</p>
<p>It is important to note that in many SNMP implementations, the SNMP
daemon may bind to all IP interfaces on the device. This has
important consequences when considering appropriate packet filtering
measures required to protect an SNMP-enabled device. For example,
even if a device disallows SNMP packets directed to the IP addresses
of its normal network interfaces, it may still be possible to exploit
these vulnerabilities on that device through the use of packets
directed at the following IP addresses:
<ul>
<li>"all-ones" broadcast address</li>
<li>subnet broadcast address</li>
<li>any internal loopback addresses (commonly used in routers for
management purposes, not to be confused with the IP stack loopback
address 127.0.0.1)</li>
</ul>
</p>
<p>Careful consideration should be given to addresses of the types
mentioned above by sites planning for packet filtering as part of
their mitigation strategy for these vulnerabilities.</p>
<P>
Finally, sites may wish to block access to the following RPC services
related to SNMP (listed as name, program ID, alternate names)
<p>
<font face="courier"><small>
snmp 100122 na.snmp snmp-cmc snmp-synoptics snmp-unisys snmp-utk<br>
snmpv2 100138 na.snmpv2 # SNM Version 2.2.2<br>
snmpXdmid 100249<br>
</small></font>
<p>
Please note that this workaround may not protect vulnerable devices
from internal attacks.
<h4>Filter SNMP traffic from non-authorized internal hosts</h4>
In many networks, only a limited number of network management systems
need to originate SNMP request messages. Therefore, it may be
possible to configure the SNMP agent systems (or the network devices
in between the management and agent systems) to disallow request
messages from non-authorized systems. This can reduce, but not wholly
eliminate, the risk from internal attacks. However, it may have
detrimental effects on network performance due to the increased load
imposed by the filtering, so careful consideration is required before
implementation. Similar caveats to the previous workaround regarding
broadcast and loopback addresses apply.
<h4>Change default community strings</h4>
Most SNMP-enabled products ship with default community strings of
"public" for read-only access and "private" for read-write access. As
with any known default access control mechanism, the CERT/CC
recommends that network administrators change these community strings
to something of their own choosing. However, even when community
strings are changed from their defaults, they will still be passed in
plaintext and are therefore subject to packet sniffing attacks.
SNMPv3 offers additional capabilities to ensure authentication and
privacy as described in <A
HREF="http://www.ietf.org/rfc/rfc2574.txt">RFC2574</A>.
<p>Because many of the vulnerabilities identified in this advisory occur
before the community strings are evaluated, it is important to note
that performing this step alone is <b>not</b> sufficient to mitigate
the impact of these vulnerabilities. Nonetheless, it should be
performed as part of good security practice.
<h4>Segregate SNMP traffic onto a separate management network</h4>
In situations where blocking or disabling SNMP is not possible,
exposure to these vulnerabilities may be limited by restricting all
SNMP access to separate, isolated management networks that are not
publicly accessible. Although this would ideally involve physically
separate networks, that kind of separation is probably not feasible in
most environments. Mechanisms such as virtual LANs (VLANs) may be used
to help segregate traffic on the same physical network. Note that
VLANs may not strictly prevent an attacker from exploiting these
vulnerabilities, but they may make it more difficult to initiate the
attacks.
<p>
Another option is for sites to restrict SNMP traffic to separate
virtual private networks (VPNs), which employ cryptographically strong
authentication.
<p>
Note that these solutions may require extensive changes to a site's
network architecture.
<h4>Egress filtering</h4>
Egress filtering manages the flow of traffic as it leaves a network
under your administrative control. There is typically limited need for
machines providing public services to initiate outbound traffic to
the Internet. In the case of SNMP vulnerabilities, employing egress
filtering on the ports listed above at your network border can prevent
your network from being used as a source for attacks on other sites.
<h4>Share tools and techniques</h4>
Because dealing with these vulnerabilities to systems and networks is so complex,
the CERT/CC will provide a forum where administrators can share ideas and techniques
that can be used to develop proper defenses. We have created an unmoderated mailing
list for system and network administrators to discuss helpful techniques and tools.
<p>
You can subscribe to the mailing list by sending an email message to
<a href="mailto:majordomo@cert.org">majordomo@cert.org</a>. In the body of the message, type
<p>
<ul>
subscribe snmp-forum
</ul>
<p>
After you receive the confirmation message, follow the instructions in the message to complete
the subscription process.
<A NAME="vendors"></a>
<H2>Appendix A. - Vendor Information</H2>
<P>This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.</P>
<!-- begin vendor -->
<A NAME="adtran">
<H4><a href="http://www.adtran.com/">ADTRAN, Inc.</a></H4>
<p>
<blockquote>
ADTRAN Advisory:<br>
SNMPv1 Request and Trap Handling Vulnerabilities<br>
Revision 1.0<br>
Release Date: 19 February 2002<br>
<br>
I. Summary<br>
On February 12, 2002 the CERT®/CC released an advisory related to security
vulnerabilities that may exist in network devices using SNMPv1 as the management
protocol. In response to this advisory, CERT® Advisory CA-2002-03 Multiple
Vulnerabilities in Many Implementations of the Simple Network Management
Protocol (SNMP)", ADTRAN began executing the tests that elicit these vulnerabilities
for all ADTRAN products that feature SNMPv1 capability.<br>
<br>
II. Impact<br>
Preliminary test results have indicated multiple ADTRAN products exhibit
certain vulnerabilities to SNMP messages. Some of these vulnerabilities can
be exploited, resulting in a denial of service or service interruption. These
results have not indicated any vulnerability that will allow an attacker
to gain access to the affected device.<br>
<br>
III. Solution<br>
ADTRAN is currently applying the PROTOS c06-SNMPv1 test suite to all products
that feature SNMPv1 capability. Until ADTRAN has completed testing on all
of its products and provided patches or fixes to eliminate these vulnerabilities,
ADTRAN recommends considering one or more of the following solutions, as
identified in CERT® Advisory CA-2002-03, to minimize your network’s
potential exposure to these vulnerabilities:<br>
· Disable the SNMP Service<br>
· Ingress filtering<br>
· Egress filtering<br>
· Filter SNMP traffic from non-authorized internal hosts<br>
· Segregate SNMP traffic onto a separate management network<br>
· Restrict SNMP traffic to Virtual Private Networks (VPNs)<br>
· Change default community strings<br>
ADTRAN’s NetVanta Solutions<br>
ADTRAN’s NetVanta 2000 Series of products can be used to provide most
of the solutions identified above, including ingress and egress filtering,
filtering SNMP traffic from non-authorized internal hosts, and restricting
SNMP traffic to Virtual Private Networks (VPNs). For further information
on how NetVanta’s VPN and Firewall solutions can secure your network,
please see http://www.adtran.com/netvanta2000.<br>
<br>
IV. For Further Information<br>
For more information please see <a href="http://www.adtran.com/support/snmp">
http://www.adtran.com/support/snmp</a>.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="adventnet">
<H4><a href="http://www.adventnet.com/">AdventNet</a></H4>
<p>
<blockquote>
This is in reference to your notification regarding [VU#107186 and
VU#854306] and OUSPG#0100. AdventNet Inc. has reproduced this behavior in
their products and coded a Service Pack fix which is currently in
regression testing in AdventNet Inc.'s Q.A. organization. The
release of AdventNet Inc's. Service Pack correcting the behavior outlined
in [... OUSPG#0100] is scheduled to be generally available to all
of AdventNet Inc.'s customers by February 20, 2002.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="adva">
<H4><a href="http://www.advaoptical.com/">ADVA AG Optical Networking</a></H4>
<p>
<blockquote>
ADVA Optical Networking is addressing the SNMP vulnerabilities identified
in the advisory CA-2002-03 across the entire product line. <br>
<br>
ADVA is currently applying the test suite provided by OUSPG (PROTOS c06-snmpv1
test suite) to all of its products.<br>
<br>
Following products are tested against possible effects of the vulnerability
report VU#854306 - Multiple vulnerabilities in SNMPv1 request:<br>
<br>
FSP 3000<br>
FSP 2000<br>
FSP II<br>
FSP I<br>
FSP 1000<br>
FSP 500<br>
CELL-ACE<br>
CELL-ACE-PLUS<br>
<br>
The ADVA Network Management products:<br>
<br>
FSP Element Manager<br>
FSP Network Manager<br>
CELL-SCOPE<br>
<br>
are tested against vulnerabilities of the report VU#107186 - Multiple vulnerabilities
in SNMPv1 trap handling.<br>
<br>
The ongoing tests have not unveiled vulnerabilities so far.<br>
<br>
Test results and information about product updates will be published on the
ADVA Optical Networking web site: <a href="http://www.advaoptical.com">http://www.advaoptical.com</a>
.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="alcatel">
<H4><a href="http://www.alcatel.com/">Alcatel</a></H4>
<p>
<blockquote>
The security of our customers' networks is of highest priority for
Alcatel. Alcatel is aware of this industry-wide SNMP security issue and
has put measures in place to assess which of its products might be
affected. Within this activity, Alcatel is closely working with its
customers and CERT to address and fix potential security problems as
identified by CERT.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="AlliedTelesynInternational">
<H4><a href="http://www.alliedtelesyn.com/allied/new_index.asp">Allied Telesyn International</a></H4>
<p>
<blockquote>
Please see <a href="http://www.kb.cert.org/vuls/id/IAFY-56DKQY">http://www.kb.cert.org/vuls/id/IAFY-56DKQY</a>.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="alvarion">
<H4><a href="http://www.alvarion.com/">Alvarion Ltd.</a></H4>
<p>
<blockquote>
In response to CERT® Advisory CA-2002-03 regarding multiple vulnerabilities
in many implementations of the Simple Network Management Protocol (SNMP),
Alvarion performed a varied and thorough set of tests on its BreezeACCESS
and WALKair products. The tests performed are the ones recommended by the
PROTOS project paper.<br>
<br>
Following these tests, Alvarion found no denial of service, memory
corruption, stack corruption or other fatal error conditions in its
BreezeACCESS and WALKair products.<br>
<br>
In addition, Alvarion's BreezeACCESS and WALKair products implement the
following additional security measures which are recommended by the PROTOS
project report:<br>
<br>
1. Perimeter filtering to SNMP traffic.<br>
2. SNMP device based network access control to filter the traffic.<br>
3. Isolation of SNMP traffic into a separate management VLAN (applicable
for
BreezeACCESS II, XL and MMDS).
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="apc">
<H4><a href="http://www.apc.com/">American Power Conversion</a></H4>
<p>
<blockquote>
American Power Conversion has conducted extensive testing in order to<br>
determine the impact any vulnerabilities within SNMP pose to our customers.<br>
We have determined that exploiting these vulnerabilities in some versions<br>
of our firmware can interfere with the normal operation of APC's<br>
SNMP-enabled products.<br>
<br>
Upgrades are available that repair these vulnerabilities.<br>
<br>
For details, refer to the APC Knowlege Base document titled "<a href="http://answers.apc.com/support_scripts/apcc.cfg/php.exe/enduser/std_adp.php?p_sid=q6hRVccg&p_lva=020219-000262&p_refno=020402-000249&p_created=1017773931&p_sp=cF9ncmlkc29ydD0mcF9yb3dfY250PTEwMzcmcF9wYWdlPTE*&p_li">
American Power<br>
Conversion Security Bulletin</a>" available at www.apc.com.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="apple">
<H4><a href="http://www.apple.com/">Apple Computer, Inc.</a></H4>
<p>
<blockquote>
The only product currently shipping with SNMP software is the
AirPort Base Station. The AirPort Base Station has been tested and
no
security vulnerabilities associated with advisory CA-2002-03 have been
found.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="aprisma">
<H4><a href="http://www.aprisma.com/">Aprisma</a></H4>
<p>
<blockquote>
As mentioned within Aprisma’s February 2002 CERT advisory statement,
we have performed the necessary SPECTRUM (6.0 rev3 and 6.5) tests required
to address CERT Advisory CA-2002-03, VU#107186 - PROTOS Test-Suite: c06-SNMPv1.<br>
<br>
Aprisma’s comprehensive testing has revealed less than ten SNMP message
tests - out of thousands of individual tests conducted - exhibited irregular
system behavior. As a result of these findings, Aprisma is issuing the following
patches to protect our customers against known SNMPv1 vulnerabilities:<br>
<br>
CERT Advisory CA-2002-03<br>
VU#107186 - Multiple Vulnerabilities in SNMPv1 Trap Handling:<br>
· Patch 71 for SPECTRUM 6.0 rev3<br>
· Patch 22 for SPECTRUM 6.5 (SPECTRUM infinitya, SPECTRUM
integritya, and SPECTRUM xsighta)<br>
<br>
For customer convenience, Aprisma has combined previously released patches
(Patches 9 and 21 for SPECTRUM 6.5), that help prevent a SNMPv1 trap-related
vulnerability, into the aforementioned Patch 22 for SPECTRUM 6.5. <br>
<br>
It is recommended that all SPECTRUM customers, who have not taken alternative
measures to secure their SPECTRUM servers from SNMPv1 vulnerabilities, install
the appropriate patch immediately when available. Patches will be made
available over the next several weeks.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="asante">
<H4><a href="http://www.asante.com/">Asante Technologies, Inc.</a></H4>
<p>
<blockquote>
Asante manaufactures and supplies a large range of SNMP
managed enterprise LAN switches and related products. The
following products have been fully tested and are found NOT to be
affected by the SNMP vunerabilities outlined in VU#854306 and
VU#107186.<br>
<br>
6524 - 24 port 10/100 switch with 2 GBIC's<br>
3524 - 24 port 10/100 stackable switch with 2 GBE slots<br>
8000 - 24 port 10/100 modular stackable switch with 3 GBE slots<br>
6014 - 12 port 10/100 IntraStack Switch<br>
2072 - Chassis based modular solution<br>
Netstacker II - 24 port 10/100 stackable hub with MII slot<br>
FriendlyNET range of products.<br>
<br>
Asante is continuing to address possible vulnerabilities across its
entire FriendlyNET, IntraCore and all other product lines.
Please contact support@asante.com for further
information.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="astracon">
<H4><a href="http://www.astracon.com/">Astracon, Inc.</a></H4>
<p>
<blockquote>
<p>
The Astracon Stinger NetConnect is safe against the vulnerability
reported by VU#107186. The Stinger NetConnect processes SNMP
responses only. Since the trap demon is never invoked, the Stinger
NetConnect will never receive a trap; it is always safe.
<p>
The Stinger NetConnect doesn't accept SNMP requests, but can send
SNMP version 1 or version 3 requests. By configuring the NetConnect
to use only SNMP version 3, the vulnerabilities caused when using
SNMP version 1 in the network will be avoided.
<p>
In order to ensure safety against the vulnerability reported by
VU#854306 and VU#107186, the test cases at <a
href="http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/">
http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/</a>
were executed, with no adverse effect on the NetConnect. The Stinger
NetConnect passed all of the test cases.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="avaya">
<H4><a href="http://www.avaya.com/">Avaya</a></H4>
<p>
<blockquote>
Avaya is addressing the vulnerabilities identified in this advisory. The
latest information on the affect of this vulnerability on Avaya products
can be found at: <a href="http://support.avaya.com/security">http://support.avaya.com/security</a>
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="avet">
<H4><a href="http://www.avet.com.pl/">AVET Information and Network Security</a></H4>
<p>
<blockquote>
AVET FireBorder OS (any version, including 1.4) is not vulnerable to the
following vulnerabilities: - CAN-2002-0012 - CAN-2002-0013<br>
<br>
This is due to several reasons:<br>
<br>
- AVET FireBorder OS does not contain SNMP server<br>
- administrator user can not install SNMP server due to lack of privileges<br>
- system architecture would not allow to run arbitrary code in any of running
network daemons; theoretically under some circumstances it could be possible
to perform remote DoS attack on vulnerable servers; still to install and
run SNMP daemon local user would need to bypass default permission and ACL
settings.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="avici">
<H4><a href="http://www.avici.com/">Avici Systems Inc.</a></H4>
<p>
<blockquote>
Avici Systems has tested the TSR and SSR product lines, including all
associated line card modules according to recommendations issued by CERT,
and has found no security vulnerabilities associated with Advisory
CA-2002-03 (Multiple Vulnerabilities in Many Implementations of SNMP).
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="bintec">
<H4><a href="http://www.bintec.de/">BinTec Communications AG</a></H4>
<p>
<blockquote>
BinTec Communications announces that SNMP vulnerabilty VU#854306 reported
in<br>
March has been resolved with System Software Release 6.2.1. If you
do not<br>
wish to use the workarounds suggested in March in order to obviate possible<br>
exploits of VU#854306, you can update your system. The software is currently<br>
available as BETA software from www.bintec.net, and the final release is<br>
expected in June.<br>
<br>
Please, note that BETA software is susceptible to malfunctions, and that<br>
BinTec Communications does not assume responsibility for any problems<br>
arising from the use of BETA software. If you do not want to use System<br>
Software Release 6.2.1 BETA, you can still use the workarounds suggested
in<br>
our initial statement.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="bmc">
<H4><a href="http://www.bmc.com/">BMC Software</a></H4>
<p>
<blockquote>
BMC Software, Inc. has completed it's analysis of this security advisory<br>
and has posted detailed information to it's web site. Specific product<br>
information is referenced at the following location:<br>
<a href="http://www.bmc.com/info_center_support/snmp_cert_advise041802.html">
http://www.bmc.com/info_center_support/snmp_cert_advise041802.html</a>.<br>
<br>
BMC's Patrol Agent was found to require a patch to fix problems found<br>
when running the test suite from Oulu University Secure Programming<br>
Group. Information on this patch can be found by referencing the above<br>
page or reviewing Problem Resolution ID 116035 from the BMC Support<br>
website, <a href="http://www.bmc.com/support.html">http://www.bmc.com/support.html</a>
. The BMC DevCon SNMP forum at<br>
<a href="http://devcon.bmc.com/">http://devcon.bmc.com/</a> also has information
about the PATROL patches.<br>
<br>
Other information about this alert is also available on the BMC Support<br>
website, under News at "SNMP Advisory Posted by CERT", the direct<br>
reference to this page is:<br>
<a href="http://www.bmc.com/info_center_support/news_detail/0,2561,18962_0_125215,00.html">
http://www.bmc.com/info_center_support/news_detail/0,2561,18962_0_125215,00.html</a>
.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="cacheflow">
<H4><a href="http://www.cacheflow.com/">CacheFlow</a></H4>
<p>
<blockquote>
The purpose of this email is to advise you that CacheFlow Inc. has
provided a software update. Please be advised that updated versions of
the software are now available for all supported CacheFlow hardware
platforms, and may be obtained by CacheFlow customers at the following
URL:
<dl>
<dd>
<a href="http://download.cacheflow.com/">http://download.cacheflow.com/</a><br>
</dl>
</dd>
The specific reference to the software update is contained within the
Release Notes for CacheOS Versions 3.1.22 Release ID 17146, 4.0.15
Release ID 17148, 4.1.02 Release ID 17144 and 4.0.15 Release ID 17149.
<p>
RELEASE NOTES FOR CACHEFLOW SERVER ACCELERATOR PRODUCTS:
<ul>
<li><a href="http://download.cacheflow.com/release/SA/4.0.15/relnotes.htm">http://download.cacheflow.com/release/SA/4.0.15/relnotes.htm</a>
</ul>
RELEASE NOTES FOR CACHEFLOW CONTENT ACCELERATOR PRODUCTS:
<ul>
<li><a href="http://download.cacheflow.com/release/CA/3.1.22/relnotes.htm">http://download.cacheflow.com/release/CA/3.1.22/relnotes.htm</a>
<li><a href="http://download.cacheflow.com/release/CA/4.0.15/relnotes.htm">http://download.cacheflow.com/release/CA/4.0.15/relnotes.htm</a>
<li><a href="http://download.cacheflow.com/release/CA/4.1.02/relnotes.htm">http://download.cacheflow.com/release/CA/4.1.02/relnotes.htm</a>
</ul>
* SR 1-1647517, VI 13045: This update modified a potential vulnerability
by using an SNMP test tools exploit.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="3com">
<H4><a href="http://www.3com.com/index2.html">3Com Corporation</a></H4>
<p>
<blockquote>
A vulnerability to an SNMP packet with an invalid length community
string has been resolved in the following products. Customers
concerned about this weakness should ensure that they upgrade to the
following agent versions:
<br>
<br>
<b>PS Hub 40</b><br>
2.16 is due Feb 2002<br>
<br>
<b>PS Hub 50</b><br>
2.16 is due Feb 2002<br>
<br>
<b>Dual Speed Hub</b><br>
2.16 is due Jan 2002<br>
<br>
<b>Switch 1100/3300</b><br>
2.68 is available now<br>
<br>
<b>Switch 4400</b><br>
2.02 is available now<br>
<br>
<b>Switch 4900</b><br>
2.04 is available now<br>
<br>
<b>WebCache1000/3000</b><br>
2.00 is due Jan 2002<br><br>
For updated information on CommWorks Corporation, a 3Com company,
visit <a href="http://www.commworks.com/Press/Archive/2002/February/CERT_Advisory.asp">
http://www.commworks.com/Press/Archive/2002/February/CERT_Advisory.asp</a><br>
<p>
In addition, CommWorks' customers should monitor <a
href="http://totalservice.commworks.com/cert_update.cfm">
http://totalservice.commworks.com/cert_update.cfm</a> for updated
information addressing the CERT advisory, as well as information on
available patches for CommWorks' products.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="caldera">
<H4><a href="http://www.caldera.com/">Caldera</a></H4>
<P>
<blockquote>
Caldera International, Inc. has reproduced faulty behavior in Caldera
SCO OpenServer 5, Caldera UnixWare 7, and Caldera Open UNIX 8. We have
coded a software fix for supported versions of Caldera UnixWare 7 and
Caldera Open UNIX 8 that will be available from our support
site at
<a href="http://stage.caldera.com/support/security">http://stage.caldera.com/support/security</a>
immediately following the publication of this CERT announcement. A fix for supported versions
of OpenServer 5 will be available at a later date.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="cambridgebroadband">
<H4><a href="http://www.cambridgebroadband.com/">Cambridge Broadband Ltd.</a></H4>
<P>
<blockquote>
Cambridge Broadband's products use the ucd-snmp package, version 4.2.3,
with proprietary extensions. We have tested our build of the software
with the OUSPG test suites and determined that it is not susceptible to
these vulnerabilities.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="canogaperkins">
<H4><a href="http://www.canogaperkins.com/">Canoga Perkins Corporation</a></H4>
<P>
<blockquote>
Please see <a
href="http://www.canoga.com/technical_bulletins.htm">http://www.canoga.com/technical_bulletins.htm</a>
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="carrieraccess">
<H4><a href="http://www.carrieraccess.com/">Carrier Access</a></H4>
<P>
<blockquote>
Carrier Access has reviewed the released CERT® Advisory CA-2002-03
related
to security vulnerabilities that exist in network devices using SNMPv1 as
the management
protocol.<br>
<br>
There are no known format string or buffer overflow vulnerabilities. Denial of service
(management) is a known vulnerability of Carrier Access products
residing on non-secure networks. Specific testing and a review of test
reports have revealed no SNMP V1 security issues. Carrier Access has
documented this finding in a Product Technical Note (PTN-02-003). To
receive a copy of this documentation, please contact Carrier Access customer
support center at 1-800-786-9929 or email to "tech-support@carrieraccess.com"<br>
<br>
Recommended Actions for Network Security:<br>
. Review and implementation of accepted solutions outlined in section III
(Solution) of CERT ® Advisory CA-2002-03<br>
. Filter of SNMP traffic at network access points<br>
. Use of proprietary SNMP Community Strings<br>
. Segregate/Filter Network Management traffic from public domains
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="checkpoint">
<H4><a href="http://www.checkpoint.com/">Check Point Software Technologies Inc.</a></H4>
<P>
<blockquote>
Check Point Statement on SNMP Vulnerability Test Suite<br>
<br>
Recently, an automated suite has been released which tests products for known
SNMP vulnerabilities.<br>
<br>
FireWall-1, by default, blocks all SNMP communication to, from, or across
a FireWall-1 gateway. SNMP communication is enabled only if the
administrator
writes a specific rule which allows the communication.<br>
<br>
SNMP communication is not required for correct functionality of any Check
Point products.<br>
<br>
If SNMP monitoring of Check Point firewalls is needed, Check Point recommends
that the FireWall-1 rule base tightly restrict SNMP communication and that
all relevant operating system security patches be applied.<br>
<br>
Check Point knows of no SNMP-related security issues in any of its products,
and has conducted an extensive review to ensure that none exist.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="ciphertrust">
<H4><a href="http://www.ciphertrust.com/">CipherTrust, Inc.</a></H4>
<P>
<blockquote>
This is in reference to your notification regarding VU#107186 and VU#854306.
CipherTrust has confirmed that IronMail is not vulnerable to these issues.
IronMail allows alert notification via SNMP traps. This allows the IronMail
to be integrated into SNMP managed services without being open to
vulnerabilities such as these. Specifically, due to the way that IronMail
uses SNMP, it does not receive requests or traps.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="cisco">
<H4><a href="http://www.cisco.com/">Cisco Systems</a></H4>
<P>
<blockquote>
Cisco Systems is addressing the vulnerabilities identified by VU#854306 and VU#107186 across its entire product line. Cisco has released an advisory:
<blockquote>
<a href="http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml">http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml</a>
</blockquote>
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<a name="cnt"></a>
<h4><a href="http://www.cnt.com">CNT</a></h4>
<p>
<blockquote>
<b>Overview</b><br>
On February 12, 2002, the CERT® Coordination Center of Carnegie-Mellon
University issued an advisory identifying possible security
vulnerabilities of multiple vendor products that utilize the Simple
Network Management Protocol (SNMP) for management of those products. This
advisory was based on research done by the University of Oulu in Finland.
The complete advisory may be found on the CERT web site at:
<a
href="http://www.cert.org/advisories/CA-2002-03.html">http://www.cert.org/advisories/CA-2002-03.html</a>.
If your
site uses
SNMP-based CNT products in any capacity, we encourage you to read this
advisory.
<p>
<b>I. Description</b><br>
The Simple Network Management Protocol (SNMP) is a widely deployed
protocol that is commonly used to monitor and manage network devices.
Version 1 of the protocol (SNMPv1) defines several types of SNMP messages
that are used to request information or configuration changes, respond to
requests, enumerate SNMP objects, and send unsolicited alerts. The <a
href="http://www.ee.oulu.fi/research/ouspg/">Oulu
University Secure Programming Group</a> (OUSPG,
<a
href="http://www.ee.oulu.fi/research/ouspg/">http://www.ee.oulu.fi/research/ouspg/</a>)
has reported vulnerabilities in
SNMPv1 implementations from many different vendors. OUSPG's research
focused on the manner in which SNMPv1 agents and managers handle request
and trap messages. By applying the <a
href="http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html">PROTOS
c06-snmpv1 test suite</a>
(<a
href="http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html">http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html</a>)
to a variety of popular SNMPv1-enabled products, the OUSPG revealed the
following vulnerabilities:
<p>
<a href="http://www.kb.cert.org/vuls/id/107186">VU#107186</a> -
<b>Multiple
vulnerabilities in SNMPv1 trap handling</b><br>
SNMP trap messages are sent from agents to managers. A trap message may
indicate a warning or error condition or otherwise notify the manager
about the agent's state. SNMP managers must properly decode trap messages
and process the resulting data. In testing, OUSPG found multiple
vulnerabilities in the way many SNMP managers decode and process SNMP trap
messages.
<p>
<a href="http://www.kb.cert.org/vuls/id/854306">VU#854306</a> -
<b>Multiple
vulnerabilities in SNMPv1 request handling</b><br>
SNMP request messages are sent from managers to agents. Request messages
might be issued to obtain information from an agent or to instruct the
agent to configure the host device. SNMP agents must properly decode
request messages and process the resulting data. In testing, OUSPG found
multiple vulnerabilities in the way many SNMP agents decode and process
SNMP request messages.
<p>
Vulnerabilities in the decoding and subsequent processing of SNMP messages
by both managers and agents may result in denial-of-service conditions,
format string vulnerabilities, and buffer overflows. Some vulnerabilities
do not require the SNMP message to use the correct SNMP community string.
<p>
<b>II. CNT® Products</b><br>
CNT has a number of products affected by the SNMP vulnerabilities
described above. Each CNT product with SNMP functionality is described
below along with the specific vulnerability, or lack thereof, of that
product and the recommended procedures to follow with that product.
<p>
<ul type="disc">
<li><b>UltraNet® Storage Director</b><br>
The UltraNet Storage Director (USD) was tested with the PROTOS test suite.
Two tests caused snmpd on the USD to abort and restart; the snmpd
responded to requests specifying a community string beginning with a null;
several minor ASN.1 / BER handling discrepancies related to invalid
encodings were noted. Corrective code for the snmpd aborts and the
community string handling issue has been developed and successfully
tested. This code will be made available in the USD 2.7 software release,
currently scheduled for availability in April 2002. The ASN.1 / BER
invalid encoding handling issues will be addressed in a future release.
CNT recommends upgrading to the USD 2.7 software release as soon as it is
available.
<p>
<li><b>UltraNet Edge Storage Router</b><br>
The UltraNet Edge Storage Router (Edge) was tested with the PROTOS test
suite. Three tests caused the Edge to hang or abort, requiring a reboot.
Corrective code for these errors has been developed and successfully
tested. The Edge responded to requests specifying a bad SNMP version
number; several minor ASN.1 / BER handling discrepancies related to
invalid encodings were noted. The responded to bad SNMP version number and
the ASN.1 / BER invalid encoding handling issues will be addressed in a
future release. This code will be made available in the Edge software
release 1.4.1, currently scheduled for release in April 2002. CNT
recommends upgrading the Edge to release 1.4.1 as soon as it is available.
<p>
<li><b>Channelink®</b><br>
The Channelink product was tested with the PROTOS test suite. All tests
ran successfully. No failures occurred. No corrective action is required
with the Channelink product.
<p>
<li><b>WebView</b><br>
The WebView SNMP-based element manager was tested with the PROTOS test
suite. WebView is not affected by the recent SNMP vulnerabilities found
by CERT. No corrective action is required with the WebView product.
<p>
<li><b>UltraNet CMF</b><br>
The CastleRock software upon which CNT's UltraNet CMF SNMP-based
management software is based was tested with the PROTOS test suite.
CastleRock has reported two test failures. Corrective code for these
errors has been developed and is now being tested within UltraNet CMF.
This code will be made available in the CMF release 6.4, currently
scheduled for release in early May 2002. CNT recommends upgrading CMF to
release 6.4 as soon as it is available.
<p>
</ul>
<b>III. CNT Product Upgrades</b><br>
CNT will continue to test new releases of its products against the PROTOS
test suite to ensure that additional vulnerabilities are not introduced as
a result of any new releases.
<p>
To determine whether a new CNT product release is available and how to
upgrade to that release when available, contact CNT Technical Support
(800-752-8061 or 763-268-6600) or contact your company's CNT Technical
Account Engineer (TAE).
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="compaq">
<H4><a href="http://www.compaq.com/">Compaq Computer Corporation</a></H4>
<p>
<blockquote>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
TITLE: (SSRT0779) Potential Security Vulnerabilities in SNMP<br>
Posted at http://ftp.support.compaq.com/patches/.new/security.shtml<br>
<br>
NOTICE: There are no restrictions for distribution of this<br>
Bulletin provided that it remains complete and intact.<br>
<br>
RELEASE DATE: 18 FEBRUARY, 2002<br>
<br>
UPDATED: 03 APRIL, 2002 - update Tru64,
patch availability<br>
08 MARCH,
2002 - add StorageWorks products, and<br>
Compaq/Microcom based products.<br>
05 MARCH,
2002 - update TRU64 Information<br>
<br>
SEVERITY: MEDIUM<br>
<br>
SOURCE: Compaq Computer Corporation<br>
Compaq Global Services<br>
Software Security Response Team<br>
<br>
CROSS REFERENCE: (SSRT0799, CAN-2002-0012,<br>
CAN-2002-0013,
CERT CA-2002-03)<br>
<br>
PROBLEM SUMMARY:<br>
<br>
The Computer Emergency Response Team (CERT/cc) has recently issued an<br>
advisory regarding numerous potential vulnerabilities in SNMPv1<br>
implementations. These potential vulnerabilities are applicable to<br>
SNMPv1 trap handling and SNMPv1 Request handling. The CERT article<br>
outlines vulnerabilities that can cause SNMP services to stop<br>
functioning and in some cases may enable "unauthorized access,"<br>
"denial of service attacks" or may cause system instability.<br>
<br>
IMPACT:<br>
Compaq NonStop Himalaya Servers:<br>
Compaq TCP/IP Services for OpenVMS:<br>
Compaq Tru64 UNIX:<br>
Compaq Insight Management Suite:<br>
Compaq Deskpro, Professional Workstation, Armada, Evo:<br>
Compaq SANworks Hardware:<br>
Compaq StorageWorks Products<br>
Compaq/Microcom Products:<br>
<br>
Compaq's findings to date regarding the SNMPv1 issues are as<br>
follows:<br>
<br>
________________________________<br>
Compaq NonStop Himalaya Servers:<br>
<br>
The Compaq Himalaya NonStop Kernel prohibits execution of code on the<br>
stack or heap by hardware TLB permissions (read/write only),<br>
preventing Trojan horse attacks by embedding code within the buffer<br>
overflow area. However, process ABENDs can occur.<br>
<br>
The SNMP agent ABENDs in the c06-snmpv1 buffer-overflow tests.<br>
This affects forwarding trap messages and/or sending info responses<br>
to SNMP managers.<br>
<br>
Sub-agents use IPCs to communicate with the SNMP agent, so they<br>
cannot be directly attacked. More importantly, sub-agents are<br>
confined to information only requests, so they cannot be used to<br>
configure/manage their sub-systems. Our investigation an analysis is<br>
continuing and further updates will be provided.<br>
<br>
IPMs to address the ABEND problem of the SNMP are in development and<br>
will be released as soon as verification is complete. Availability of<br>
these IPMs will be announced in future updates. The exposure to<br>
SNMP agent ABENDs can be reduced by running the SNMP agent as a<br>
process-pair or by configuring auto-restart in the Persistence<br>
Manager.<br>
<br>
__________________________________<br>
Compaq TCP/IP Services for OpenVMS:<br>
<br>
There is some impact to the SNMP agent provided with Compaq TCP/IP<br>
Services for OpenVMS. This problem can cause the SNMP agent to ACCVIO<br>
and terminate temporarily denying service to SNMP, but in most cases<br>
after this occurs Compaq TCP/IP Services for OpenVMS will restart<br>
the SNMP agent in response to the next SNMP request. There are no<br>
known risks of compromising system security due to this problem.<br>
The SNMP agent executes from a non-privileged process, which<br>
prevents any compromise to system security.<br>
<br>
Our investigation and analysis has determined the cause of the<br>
problem. The updated images for Compaq TCP/IP Services for OpenVMS<br>
are now in final test. Compaq will provide updates to Compaq TCP/IP<br>
Services for OpenVMS in the next ECO and also in the next release,<br>
Compaq TCP/IP Services for OpenVMS V5.3. Contact Compaq's Customer<br>
Support Center if an earlier updated is required.<br>
<br>
__________________<br>
Compaq Tru64 UNIX:<br>
<br>
UPDATE: 02 April, 2002<br>
<br>
There is no known risk of compromising Tru64 UNIX system security<br>
due to the recent SNMP attack. The SNMP agent provided with<br>
Tru64 UNIX is susceptible to a limited problem - the SNMP<br>
agent may stop responding to SNMP requests, or it may incur a<br>
segmentation fault, generate a core file, and exit. Either scenario<br>
denies SNMP service to SNMP-based network management applications.<br>
However, we have not found the attack to cause the system to be<br>
unstable, vulnerable to "unauthorized access", or subject to any<br>
denial of service other than to the SNMP service.<br>
<br>
Impacted Tru64 UNIX operating system versions include:<br>
Tru64 UNIX 4.0f, 4.0g, 5.0a, 5.1, 5.1a.<br>
<br>
SOLUTION:<br>
<br>
Until the Tru64 UNIX fixes are available in the mainstream release<br>
patch kits, Compaq is releasing the following Early Release Patch<br>
Kit(s) (ERPs) publicly for use by any customer.<br>
<br>
The Early Release Patch kits use dupatch to install and will not<br>
install over any Customer-Specific-Patches (CSPs) which have file<br>
intersections with the ERPs. Raise an IPMT case to UNIX Support<br>
Engineering if you need a CSP merged with one of the following<br>
ERPs.<br>
<br>
The fixes contained in the Early Release Patch (ERP) kits will be<br>
available in the next mainstream patch kit(s) for:<br>
- Tru64 UNIX 4.0F PK8<br>
- Tru64 UNIX 4.0G PK4<br>
- Tru64 UNIX 5.0A PK4<br>
- Tru64 UNIX 5.1 PK5<br>
- Tru64 UNIX 5.1A PK2<br>
<br>
---------------------<br>
Early Release Patches<br>
---------------------<br>
<br>
Tru64 UNIX 4.0F<br>
PREREQUISITE: Tru64 UNIX 4.0F with PK7 (BL18) installed<br>
ERP Kit Name: DUV40FB18-C0071301-13866-ES-20020401<br>
Kit Location: http://ftp1.support.compaq.com/public/unix/v4.0f/<br>
<br>
<br>
Tru64 UNIX 4.0G<br>
PREREQUISITE: Tru64 UNIX 4.0G with PK3 (BL17) installed<br>
ERP Kit Name: T64V40GB17-C0012100-13640-ES-20020313<br>
Kit Location: http://ftp1.support.compaq.com/public/unix/v4.0g/<br>
<br>
<br>
Tru64 UNIX 5.0A<br>
PREREQUISITE: Tru64 UNIX 5.0A with PK3 (BL17) installed<br>
ERP Kit Name: T64V50AB17-C0019600-13593-ES-20020308<br>
Kit Location: http://ftp1.support.compaq.com/public/unix/v5.0a/<br>
<br>
<br>
Tru64 UNIX 5.1<br>
PREREQUISITE: Tru64 UNIX 5.1 with PK4 (BL18) installed<br>
ERP Kit Name: T64V51B18-C0109002-13712-ES-20020318<br>
Kit Location: http://ftp1.support.compaq.com/public/unix/v5.1/<br>
<br>
<br>
Tru64 UNIX 5.1A<br>
PREREQUISITE: Tru64 UNIX 5.1A with PK1 (BL1) installed<br>
ERP Kit Name: T64V51AB1-C0014802-13710-ES-20020318<br>
Kit Location: http://ftp1.support.compaq.com/public/unix/v5.1a/<br>
<br>
MD5 and SHA1 checksums are available in the public patch notice for<br>
the ERP kits. You can find information on how to verify MD5 and<br>
SHA1 checksums at:<br>
http://www.support.compaq.com/patches/whats-new.shtml<br>
<br>
________________________________<br>
Compaq Insight Management Suite:<br>
<br>
(ProLiants running industry standard operating systems including<br>
Windows 2000, NetWare, Linux, etc)<br>
<br>
The Compaq Insight Management Suite utilizes SNMP as a primary<br>
communications method. Fixes to the operating systems affected will<br>
be provided by the vendors involved. Check<br>
http://www.compaq.com/manage/security the most up-to-date<br>
information.<br>
<br>
_______________________________________________<br>
Deskpro, Professional Workstation, Armada, Evo:<br>
<br>
The Deskpro, Professional Workstation, Armada, Evo(Microsoft<br>
operating systems including Windows XP, Windows 2000, Windows 98, and<br>
Windows 95) Compaq Management Agents for Clients utilizes SNMP as an<br>
optional communications method.<br>
<br>
Fixes to the operating systems affected<br>
will be provided by Microsoft. Check<br>
www.microsoft.com/technet/security/bulletin/MS02-006.asp for the most<br>
up-to-date information.<br>
<br>
<br>
_____________________________________<br>
Compaq SANworks Management Appliance:<br>
<br>
The SANworks management appliance is essentially a Compaq server and<br>
our recommended configuration does not have it connected directly to<br>
the internet. Therefore, it is less exposed than other servers to<br>
external SNMP security attacks. However, the appliance is<br>
susceptible to SNMP security attacks from inside the firewall that<br>
could result in the graceful termination of some storage management<br>
applications on the appliance.<br>
<br>
Compaq will provide a patch to the appliance as soon as possible.<br>
<br>
_____________________________<br>
COMPAQ STORAGEWORKS PRODUCTS:<br>
<br>
UPDATE: 08 MARCH, 2002<br>
<br>
The following Compaq StorageWorks products have Ethernet<br>
connections that may potentially be exposed to the SNMPv1<br>
vulnerability:<br>
<br>
Compaq StorageWorks SAN Switch 8, 8-EL, 16, 16-EL, 2/16, Integrated<br>
32 or 64 Port<br>
Compaq StorageWorks SAN Director 64<br>
Compaq StorageWorks Modular Data Router<br>
Compaq StorageWorks 12 Port Fibre Channel Managed Hub<br>
Compaq StorageWorks 20/40 GB 8 Cassette AutoLoader<br>
<br>
<br>
RESOLUTION:<br>
Compaq StorageWorks SAN Switch 8, 8-EL,<br>
16, 16-EL, 2/16, Integrated 32 or 64 Port:<br>
There are currently no known issues related to vulnerability<br>
notes VU#854306 or VU#107186 with these products.<br>
They have passed all validation tests conducted to date.<br>
<br>
Compaq StorageWorks SAN Director 64:<br>
This product has been evaluated with a SNMP based test program that<br>
attempts to overload the director with SNMP traffic such as GET, Set<br>
and Get Next commands. No problems were found in this testing.<br>
Additionally, Compaq is in the process of evaluating the details of<br>
the SNMP implementation in this product. Any problems identified that<br>
are determined to pose a risk to customer operations will be<br>
documented and addressed in future maintenance releases. Note that<br>
the advisory documented two areas of vulnerability. One area involves<br>
Trap handling on the part of SNMP Management components, and the<br>
other area involves the processing of GET, Set and Get Next commands<br>
on the part of SNMP Agent components. The director implements only<br>
the SNMP Agent components, so none of the problems related to Trap<br>
handling apply. Also, the SNMP Agent on the director management<br>
server is disabled by default. No SNMP messages are processed by<br>
the management server unless the systems administrator has explicitly<br>
enabled the SNMP Agent. On the director itself, the SNMP Agent is<br>
enabled by default, but for read access only.<br>
<br>
Compaq StorageWorks Modular Data Router:<br>
The potential vulnerability has to do with SNMP Set commands.<br>
The only Set command the MDR allows is to set the trap address.<br>
<br>
Compaq StorageWorks 12 Port Fibre Channel Managed Hub:<br>
Compaq is in the process of evaluating the SNMP implementation<br>
in this product.<br>
<br>
Compaq StorageWorks 20/40 GB 8 Cassette AutoLoader:<br>
Compaq is in the process of evaluating the SNMP implementation<br>
in this product.<br>
<br>
________________________<br>
COMPAQ/MICROCOM PRODUCTS:<br>
<br>
UPDATE: MARCH 08, 2002<br>
_________________________________________<br>
Microcom Access Integrator (All Versions)<br>
Compaq-Microcom 6000 Series Remote Access Concentrators(All Versions)<br>
<br>
Both products use SNMPv1 protocol as the transport for system<br>
management, either through expressWATCH, or third party SNMP clients.<br>
These products are normally managed over the LAN by clients using IP<br>
ports UDP 161 for SNMP and UDP 162 for SNMP Traps. The SNMP agents<br>
integrated in these products cannot be disabled. Access to the system<br>
via the PRI, T1 or analog modules do not present a security risk<br>
related to SNMPv1.<br>
<br>
Incursions may result in instability of the system requiring a hard<br>
reset of one or more of the systems modules, which will result in<br>
temporary loss of connectivity to dial in clients. Users will be<br>
able to reconnect after the systems has reset.<br>
<br>
RECOMMENDATIONS:<br>
Compaq recommends the following precautions in accordance with good<br>
general networking administration practices.<br>
<br>
1. Apply perimeter filtering to SNMP traffic. Upstream<br>
internet routers, or Firewall should be configured to filter<br>
UDP ports 161 and 162.<br>
<br>
2. Compaq has always recommended that the associated<br>
engines contained in the CM6000 Series reside on an internal<br>
network using a non-routable private addressing scheme.<br>
<br>
3. The system should not be managed over the internet or<br>
an non secure LAN.<br>
<br>
______________________________<br>
Microcom ISPorte (All Versions)<br>
Compaq Microcom 4000 concentrator<br>
<br>
These products make very limited use of the SNMPv1 protocol on<br>
the Ethernet portion of their PRI/T1 modules. In the limited<br>
number of installations where digital calls are being tunneled<br>
to NT servers on the connected LAN, there is a potential for<br>
SNMP packets to reach the PRI/T1 card through it's Ethernet<br>
port. Access to the system via the analog modem modules do<br>
not present security risk related to SNMPv1.<br>
<br>
Incursions may result in instability of the PRI/T1 card, resulting<br>
in a loss of connectivity for dial in users. A hard reset is the<br>
only way to correct these failure, but a hard reset will also<br>
disconnect all remaining users. Users will be able to reconnect<br>
after the system resets.<br>
<br>
RECOMMENDATIONS:<br>
Compaq recommends the following precautions in accordance with good<br>
general networking administration practices.<br>
<br>
1. Apply perimeter filtering to SNMP traffic. Upstream internet<br>
routers should be configured to filter UDP ports 161 and 162.<br>
<br>
2. If the system is being used for analog dial in access only,<br>
it should not be connected to the LAN via the Ethernet port on<br>
the PRI/T1 card.<br>
<br>
___________________________<br>
Microcom SNMP HDMS+ System (Version 1.3.1)<br>
<br>
The great majority of HDMS+ systems installed do not have SNMP<br>
capabilities and are therefore not at risk. These systems can be<br>
identified by the absence of a 10baseT connector on the rear of the<br>
controller card.<br>
<br>
A limited number of SNMP HDMS+ systems were produced, this product<br>
uses SNMPv1 protocol as the transport for system management.<br>
Management clients can include either expressWATCH, or third party<br>
SNMP clients.<br>
<br>
The product can be managed over the LAN by clients using IP ports<br>
UDP 161 for SNMP and UDP 162 for SNMP Traps, or through a serial<br>
RS232 port using SLIP. The SNMP agents integrated in these products<br>
cannot be disabled. Access to the system via the analog modem modules<br>
do not present security risk related to SNMPv1.<br>
<br>
Incursions may result in instability of the systems management<br>
controller, which may require a hard reset. The reset of this<br>
controller may result in a temporary loss of connectivity for<br>
dial in users. Dial in users will be able to reconnect after<br>
the system has reset.<br>
<br>
RECOMMENDATIONS:<br>
Compaq recommends the following precautions in accordance with good<br>
general networking administration practices.<br>
<br>
1. Apply perimeter filtering to SNMP traffic. Upstream<br>
internet routers or firewalls should be configured to filter<br>
UDP ports 161 and 162.<br>
<br>
2. The system should not be managed over the internet.<br>
<br>
3. The system should not be managed over a non secure LAN.<br>
Direct management via a serial RS232 SLIP connection would be<br>
recommended.<br>
<br>
For assistance or clarification on any of the recommendation for<br>
Compaq/Microcom products, please call 01-800-652-6672 and from<br>
the menu select 2,3,1 then enter routing code 1851<br>
<br>
____________________________________________________________________<br>
<br>
<br>
<br>
<br>
NOTE:<br>
<br>
Many systems operate behind firewalls and would normally<br>
implement SNMP blocking for SNMP as standard procedure. Based on SNMP<br>
blocking and ingress/egress filtering, the potential Security<br>
vulnerability may only be exploited by users who have access to your<br>
local security domain, therefore the risk is diminished.<br>
<br>
<br>
SUPPORT:<br>
<br>
This advisory bulletin will be updated for the various<br>
products requiring patches and individual patch notifications<br>
will be done through standard "patch notification" procedures<br>
for those products. For further information, contact your normal<br>
Compaq Support channel.<br>
<br>
<br>
SUBSCRIBE:<br>
<br>
To subscribe to automatically receive future Security<br>
Advisories from the Compaq's Software Security Response Team via<br>
electronic mail:<br>
<br>
http://www.support.compaq.com/patches/mailing-list.shtml<br>
<br>
REPORT:<br>
<br>
To report a potential security vulnerability with any Compaq<br>
supported product, send email mailto:security-ssrt@compaq.com<br>
or mailto:sec-alert@compaq.com<br>
<br>
Compaq appreciates your cooperation and patience. As always,<br>
Compaq urges you to periodically review your system management<br>
and security procedures. Compaq will continue to review and<br>
enhance the security features of its products and work with<br>
our customers to maintain and improve the security and integrity<br>
of their systems.<br>
<br>
"Compaq is broadly distributing this Security Bulletin in order to<br>
bring to the attention of users of the affected Compaq products the<br>
important security information contained in this Bulletin.<br>
Compaq recommends that all users determine the applicability of<br>
this information to their individual situations and take appropriate<br>
action. Compaq does not warrant that this information is necessarily<br>
accurate or complete for all user situations and, consequently,<br>
Compaq will not be responsible for any damages resulting from<br>
user's use or disregard of the information provided in this<br>
Bulletin."<br>
<br>
Copyright 2002 Compaq Information Technologies Group, L.P.<br>
Compaq shall not be liable for technical or editorial errors<br>
or omissions contained herein. The information in this document<br>
is subject to change without notice. Compaq and the names of<br>
Compaq products referenced herein are, either, trademarks<br>
and/or service marks or registered trademarks and/or service<br>
marks of Compaq Information Technologies Group, L.P. Other product<br>
and company names mentioned herein may be trademarks and/or service<br>
marks of their respective owners.<br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: PGP 7.0.1<br>
<br>
iQA/AwUBPLQ7jznTu2ckvbFuEQLuTwCgrJV3CBEwYiFEbWsCF0mbHBRVc/oAoNcI<br>
1KxCsylGTohymyn9t4kbuR/C<br>
=F6B1<br>
-----END PGP SIGNATURE-----
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="computerassociates">
<H4><a href="http://www.ca.com/">Computer Associates</a></H4>
<p>
<blockquote>
Computer Associates has confirmed Unicenter vulnerability to
the SNMP advisory identified by CERT notification reference
[VU#107186 & VU#854306] and OUSPG#0100. We have
produced corrective maintenance to address these vulnerabilities,
which is in the process of publication for all applicable releases / platforms
and will be offered through the CA Support site. Please contact our
Technical Support organization for information regarding
availability / applicability for your specific configuration(s).
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="comtek">
<H4><a href="http://www.comtekservices.com/">COMTEK Services, Inc.</a></H4>
<p>
<blockquote>
In reference to your notification regarding [VU#617947] [OUSPG#0100],
vulnerabilities in COMTEK Services' SNMP products are as follows:<br>
<br>
NMServer for AS/400 is not an SNMP master and is therefore not vulnerable.
However this product requires the use of the AS/400 SNMP master agent
supplied by IBM. Please refer to IBM for statements of vulnerabilities
for
the AS/400 SNMP master agent.<br>
<br>
NMServer for OpenVMS has been tested and has shown to be vulnerable.
COMTEK
Services has released a new version (version 3.5) of this product that
includes a fix for this problem. Contact COMTEK Services
support@comtekservices.com to arrange to download the new version.<br>
<br>
NMServer for VOS has not as yet been tested; vulnerability of this agent
is
unknown. Contact support@comtekservices.com for further information
on the
testing schedule of the VOS product.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="concord">
<H4><a href="http://www.concord.com/">Concord Communications, Inc.</a></H4>
<p>
<blockquote>
Concord's eHealth Console product has some vulnerabilities to the OUSPG test
suite. Patches are available.<br>
<br>
Concord's SystemEDGE agent has been tested and is not vulnerable on Unix
platforms. Under Windows, it is a sub-agent of the Windows SNNMP agent, and
therefore the Windows hot fixes should be applied. SystemEDGE is not
vulnerable on Win2K and XP with Microsoft's hot fixes.<br>
<br>
Please see this page on Concord's web site for more detail and for patch
availability: <a href="http://www.concord.com/certadvisory.shtml">http://www.concord.com/certadvisory.shtml</a>
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="conectivalinux">
<H4><a href="http://en.conectiva.com/">Conectiva</a></H4>
<p>
<blockquote>
The ucd-snmp package from Conectiva Linux 5.0, 5.1, 6.0, 7.0, "ferramentas
gráficas" and "ecommerce" are affected by this vulnerability. Previous
Conectiva Linux are also affected, but they are no longer supported and no
update will be provided for them.<br>
<br>
New packages will be provided shortly and will be announced to our mailing
lists and updates website (<a href="http://distro.conectiva.com.br/atualizacoes/">
http://distro.conectiva.com.br/atualizacoes/</a>).
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="controlware">
<H4><a href="">Controlware GmbH</a></H4>
<p>
<blockquote>
<A HREF="http://www.controlware.de/cwp/">Controlware GmbH</A>
<P>
In order to determine the impact of these vulnerabilities, Controlware
immediately started extensive testing of the effected products.
The results of these tests can be viewed on the <A HREF="http://www.controlware.de/en/cwp/infobase/allusers/marketing_information/generalinfo/SNMPvulnerability.pdf">Website</A>.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="corsaire">
<H4><a href="http://www.corsaire.com/">Corsaire Limited</a></H4>
<p>
<blockquote>
Corsaire Limited response to SNMP Vulnerability Test Suite (CERT Advisory
CA-2002-03)<br>
<br>
Corsaire Limited have analysed the Secure Technical Assistance Centre (STAC)
SNMP agent software that is used as part of their managed services solution
and can confirm that the agent is not susceptible to any of the
vulnerabilities reported.<br>
<br>
The STAC SNMP agent software has been entirely developed in-house and does
not rely on any third-party libraries. Probing by the PROTOS test suite is
correctly recognised as malformed packets and reported as such within the
audit trail.<br>
<br>
Further information is available from <a href="http://www.corsaire.com">http://www.corsaire.com</a>
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="covalent">
<H4><a href="http://www.covalent.net/">Covalent Technologies</a></H4>
<p>
<blockquote>
Covalent Technologies has tested the Enterprise Ready Server, Managed
Server, and Covalent Conductor SNMP module according to recommendations
issued by CERT, and has found no security vulnerabilities associated with
Advisory CA-2002-03.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="cray">
<H4><a href="http://www.cray.com/">Cray Inc.</a></H4>
<p>
<blockquote>
Cray, Inc. had opened spr 721879 to track this problem.
At this time, Cray suggests that Unicos and Unicos/mk
sites disable the SNMP daemon.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="cscare">
<H4><a href="http://www.cscare.com/">CSCare, Inc.</a></H4>
<p>
<blockquote>
As a result of this advisory, CSCare has conducted extensive testing of its
products. We have determined that exploiting these
vulnerabilities can interfere with the normal operation of Trap Console 1.4b.
Results have not indicated any vulnerability that will
allow an attacker to gain access to the host computer. It has been determined
that Active SNMP 2.0b is not vulnerable.<br>
<br>
CSCare has released Trap Console 1.4c update on March 5, 2002. This release
containing fixes for all known vulnerabilities is
now available for download at <a href="http://www.cscare.com/TrapConsole">
http://www.cscare.com/TrapConsole</a>.<br>
<br>
For more information, please feel free to contact CSCare by email at info@cscare.com
or by phone at 408-490-2736.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="dart">
<H4><a href="http://www.dart.com/">Dart Communications</a></H4>
<p>
<blockquote>
In response to CERT® Advisory CA-2002-03, the PowerTCP SNMP Tool has
been
reviewed and found vulnerable for issue VU#854306 and VU#107186. To
address
these issues, an update of the PowerTCP SNMP Tool will be released on
February 28th, 2002. Details of the specific problems found and the
methods
used to address these vulnerabilities will be included in the PowerTCP
Release History at <a href="http://www.dart.com/downloads/update.txt">http://www.dart.com/downloads/update.txt</a>
. If you have
any questions concerning PowerTCP SNMP security vulnerabilities, please
contact Dart Communications at support@dart.com.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="dartware">
<H4><a href="http://www.dartware.com/">Dartware, LLC</a></H4>
<p>
<blockquote>
Dartware, LLC (<a href="www.dartware.com">www.dartware.com</a>) supplies
two products that use SNMPv1 in a
manager role, InterMapper and SNMP Watcher. These products are not vulnerable
to
the SNMP vulnerability described in [VU#854306 and VU#107186]. This statement
applies to all present and past versions of these two software packages.<br>
<br>
In addition, our port of net-snmp to MacOS X has been updated to version
4.2.2,
and is not susceptible to this attack. More information is available from
<a href="http://www.dartware.com/net-snmp/">http://www.dartware.com/net-snmp/</a>
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="dell">
<H4><a href="http://www.dell.com/">Dell</a></H4>
<p>
<blockquote>
<strong>Title</strong><br>
Dell Response to CERT® Advisory CA-2002-03 Multiple Vulnerabilities
in Many Implementations of the Simple Network Management Protocol
(SNMP)
<br>
<br>
<strong>Audience</strong><br>
For worldwide distribution provided that the contents are not altered
in any way.
<br>
<br>
<strong>Released</strong><br>
April 8, 2002
<br>
<br>
<strong>Updated</strong><br>
April 19, 2002 (Updated the <a href="#Dell_Dev_PowerVault">Dell
PowerVault</a> section regarding PowerVault 701N and PowerVault 705N)
<br>
<br>
<strong>Reference</strong><br>
CERT Advisory CA-2002-03 - <a
href="http://www.cert.org/advisories/CA-2002-03.html">http://www.cert.
org/advisories/CA-2002-03.html</a>
<br>
<br>
<strong>Overview</strong><br>
The CERT/CC released an industry-wide SNMP advisory on February 12,
2002. An SNMPv1 test suite provided by the Oulu University Secure
Programming Group (OUSPG) has been found to adversely affect many
SNMPv1 implementations, causing the potential for “unauthorized
privileged access”, “denial-of-service attacks” and general unstable
behavior.
<br>
<br>
<strong>Potential Impact</strong><br>
<a href="#Dell_Dev_PowerEdge_OpenManage">Dell PowerEdge</a><br>
<a href="#Dell_Dev_PowerEdge_OpenManage">Dell OpenManage</a><br>
<a href="#Dell_Dev_PowerVault">Dell PowerVault</a><br>
<a href="#Dell_Dev_PowerApp">Dell PowerApp</a><br>
<a href="#Dell_Dev_PowerConnect">Dell PowerConnect</a><br>
<br>
<hr>
<a name="Dell_Dev_PowerEdge_OpenManage"></a>
<i><strong>Dell PowerEdge, Dell OpenManage</strong></i><br>
Dell PowerEdge servers running Dell OpenManage software utilize
SNMPv1, however this software makes use of the operating system’s
master SNMP agent. After applying the appropriate update(s) from the
operating system manufacturer, Dell SNMP agents are not affected.
<br>
<br>
<strong>Solution</strong>: Apply the appropriate update(s) provided
by the operating system vendor. For more information, <a
href="#DELL_OS_VENDOR_INFO">click here</a>.
<br>
<br>
<hr>
<a name="Dell_Dev_PowerVault"></a>
<i><strong>Dell PowerVault</strong></i><br>
The following Dell PowerVault storage systems have been found
vulnerable to the OUSPG SNMPv1 test suite:
<br>
<br>
Dell PowerVault 701N<br>
Dell PowerVault 705N<br>
<br>
<strong>Solution</strong>: These devices require an update from Dell.
<br>
<br>
The Dell PowerVault Assist utility that is required to update both
PowerVault 701N and PowerVault 705N devices can be found <a
href="http://support.dell.com/us/en/filelib/download/index.asp?fileid=
r41770">here</a>.<br>
The updated image for both the PowerVault 701N and PowerVault 705N
devices can be found <a
href="http://support.dell.com/us/en/filelib/download/index.asp?fileid=
r41769">here</a>.<br>
<br>
<hr>
<a name="Dell_Dev_PowerApp"></a>
<i><strong>Dell PowerApp</strong></i><br>
The following Dell PowerApp appliance has been found vulnerable to
the OUSPG SNMPv1 test suite:
<br>
<br>
Dell PowerApp 220 (Dell PowerApp.BIG-IP)<br>
<br>
<strong>Solution</strong>: This device requires an update from Dell.
<br>
<br>
Information regarding the update for <i>non-encrypted</i> devices can
be found <a
href="http://support.dell.com/us/en/filelib/download/index.asp?fileid=
r40730">here</a>.
<br>
Information regarding the update for <i>encrypted</i> devices can be
found <a
href="http://support.dell.com/us/en/filelib/download/index.asp?fileid=
r40729">here</a>.
<br>
<br>
<hr>
<a name="Dell_Dev_PowerConnect"></a>
<i><strong>Dell PowerConnect</strong></i><br>
All Dell PowerConnect devices successfully passed the test cases
provided by the OUSPG SNMPv1 test suite.
<br>
<br>
<hr>
<a name="Dell_OS_Vendor_Info"></a>
<i><strong>Operating System Vendor Information</strong></i><br>
The following Dell supported operating system vendors have released
information regarding their SNMPv1 vulnerabilities:
<br>
<br>
<i>Microsoft®</i><br>
<a
href="http://www.microsoft.com/technet/security/bulletin/MS02-006.asp"
>http://www.microsoft.com/technet/security/bulletin/MS02-006.asp</a>
<br>
<br>
<i>Novell®</i><br>
<a
href="http://support.novell.com/servlet/tidfinder/2961546">http://supp
ort.novell.com/servlet/tidfinder/2961546</a>
<br>
<br>
<i>Red Hat®</i><br>
<a
href="http://www.redhat.com/support/errata/RHSA-2001-163.html">http://
www.redhat.com/support/errata/RHSA-2001-163.html</a>
<br>
<br>
<hr>
Dell Computer Corporation has provided this advisory bulletin in
response to the concerns raised by OUSPG and to provide information
to users of Dell systems regarding its SNMP implementation. Dell
recommends that user's review this information and determine its
applicability to their individual situations. In addition, Dell does
not provide any warranty as to the accuracy or completeness of this
information and will not be liable for damages that may result from
usage or disregard of the information provided. The information
provided is subject to change. For further information and related
updates, please contact your standard Dell support channel. Dell
retains ownership of its trademarks and service marks as well as the
information contained in this advisory bulletin.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="digitalnetworks">
<H4><a href="http://www.dnpg.com">Digital Networks</a></H4>
<p>
<blockquote>
Digital Networks is addressing the vulnerabilities identified in
this<br> advisory. The latest information on the affect of this
vulnerability on<br> Digital Networks products as well as any remedial
software patches can be<br> found at <a
href="http://www.digitalnetworks.net/support">http://www.digitalnetworks.net/support</a>.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="dlink">
<H4><a href="http://www.dlink.com/">D-Link Systems, Inc.</a></H4>
<p>
<blockquote>
D-Link has tested our DES-3226, DES-3326, DES-3624i and DES-6000 products
and determined that these products are not susceptible to the SNMP
vulnerability issue. Since all D-Link products with SNMP agent use
the
same code base, D-Link has concluded that all of our products do not have
the SNMP vulnerability issue. However, we continue to evaluate and
investigate all D-Link products implemented with SNMP agent. Upon
completion of our evaluation, D-Link will provide and post an update with
our thorough test results.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="DMH Software">
<H4><a href="http://www.dmhsoftware.com/">DMH Software</a></H4>
<p>
<blockquote>
DMH Software applied the OULU University test suite to its various<br>
portable snmp-agent products: SNMPv1, SNMPv2c and SNMPv3.<br>
<br>
We found that the following or later releases of DMH portable<br>
snmp-agent products are NOT vulnerable to CERT vulnerability advisory<br>
VU#854306 (Multiple vulnerabilities in SNMPv1 request handling)<br>
<br>
<br>
(1) SNMPv1 Agent version - 2.0.9.1<br>
<br>
(2) SNMPv2c Agent version - 3.0.5.3<br>
<br>
(3) SNMPv3 Agent version - 4.0.8.2<br>
<br>
<br>
The above releases, or newer releases, are currently available to our<br>
customers. We strongly recommend our customers to contact us to obtain<br>
an upgrade and update their source code.<br>
<br>
Please note that we received notes from some of our customers who<br>
reported that previous releases of DMH snmp-agent products were tested<br>
an found not vulnerable to VU#107186. Nevertheless we recommend an<br>
upgrade to the recent releases.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="efficientnetworks">
<H4><a href="http://www.efficient.com/">Efficient Networks, Inc.</a></H4>
<p>
<blockquote>
Efficient Networks, Inc. has reviewed CERT Advisory CA-2002-03 and is
performing the recommended tests to determine if its products are impacted.
The following products do not have SNMP management capabilities and are not
affected: SpeedStream 1000, 2000, 3000, 4000, 5200, and 5300 series devices,
as well as the 5667 bridge product. Testing is still in progress on
other
Efficient Networks' products. Efficient Networks will continue to update
its
statement on this site as additional information becomes available.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="engarde">
<H4><a href="http://www.engardelinux.org/">EnGarde Secure Linux</a></H4>
<p>
<blockquote>
EnGarde Secure Linux did not ship any SNMP packages in version 1.0.1
of our distribution, so we are not vulnerable to either bug.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="enterasys">
<H4><a href="http://www.enterasys.com">Enterasys</a></H4>
<p>
<blockquote>
<p>
On 12-February-2002, CERT (<a href="http://www.cert.org">http://www.cert.org</a>) announced serious vulnerabilities in the SNMP implementations of virtually every networking vendor's equipment. These vulnerabilities were discovered by a Finnish research group known as OUSPG, associated with Oulu University, and are documented in advisory CA-2002-03.
</p>
<p>
These vulnerabilities exist in all versions of SNMP (v1/v2c/v3) and can be used to cause SNMP implementations to behave in an unpredictable manner, resulting in denials of service or system failures.
</p>
<p>
Given the serious nature of these vulnerabilities, Enterasys is testing our product line to determine which products are affected. Patches for affected products will be made available to our customers. Please check the Enterasys Support web site periodically for further details and patch information.
</p>
<p>
Until these patches become available, Enterasys recommends that the following steps be taken to help reduce exposure to these vulnerabilities.
</p>
<ul>
<li>Disable SNMP from interfaces through which SNMP commands should not be received, such as those providing connection from the Internet or Extranets.</li>
<li>Use Access Control Lists at the access edge to prevent SNMP traffic from unauthorized internal hosts from entering the network.</li>
<li>Use management VLANs or out-of-band management to contain SNMP traffic and multicasts. These do not prevent an attacker from exploiting these vulnerabilities, but they may make it more difficult to initiate the attacks.</li>
<li>Enable 802.1X port-locking and RADIUS to prevent unauthenticated users from attaching to the network.</li>
<li>Use NetSight Policy Manager to automatically restrict the use of SNMP to authenticated, SNMP-authorized personnel.</li>
<li>Update Dragon IDS signatures to help identify when these attacks are being used.</li>
</ul>
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="entradanetworks">
<H4><a href="http://www.entradanet.com/">Entrada Networks</a></H4>
<p>
<blockquote>
This is in reference to you notification regarding VU#854306, VU#107186,
and OUSPG#0100. Entrada Networks has reproduced this behavior and coded a
software release enhancement for the affected products which is currently
in regression testing within Entrada Networks' Quality Assurance organization.
The release of Entrada Networks software enhancement addressing the behavior
outlined in VU#854306, VU#107186, and OUSPG#0100 will be available to Entrada
Networks, Sync Research, and Rixon Networks customers with Software Subscription
Service on a request basis, no later than April 15, 2002.<br>
<br>
Entrada Networks has also produced a document discussing the alternative
workarounds or configuration options to address the behavior outlined in
VU#854306, VU#107186, and OUSPG#0100.This document is also available on request
from customers. Please contact the Technical Support organization at 800-331-8669
for more information.<br>
<br>
Entrada Networks is providing the statement below as a response to<br>
be included in your vendor's statement section on SNMP CERT Alert 2002-03.<br>
<br>
Entrada Networks Sync Research, Inc. and Rixon Networks, Inc., (both are
companies of Entrada Networks)<br>
<br>
Entrada Networks, through the companies of Sync Research, Inc. and<br>
Rixon Networks ,has confirmed vulnerability to the SNMP advisory identified<br>
by CERT notification reference [VU#107186 & VU#854306] and OUSPG#0100.<br>
<br>
Sync Research also manufactures and supports products formerly<br>
manufactured by Tylink, Inc. and Osicom, Inc.<br>
Rixon Networks, Inc. also manufactures and supports products<br>
formerly manufactured by Osicom, Inc.<br>
<br>
Entrada Networks has run all the test cases found in the PROTOS test-suite,
c06snmpv1:<br>
1. c06-snmpv1-req-app-pr1.jar<br>
2. c06-snmpv1-req-enc-pr1.jar<br>
3. c06-snmpv1-trap-app-pr1.jar<br>
4. c06-snmpv1-trap-enc-pr1.jar<br>
<br>
The tests were run with standard delay time between the requests<br>
(100ms).<br>
<br>
Entrada Networks, through their companies of Sync Research
and Rixon<br>
Networks, supplies a broad range of networking products, some of which are<br>
affected by the SNMP vulnerabilities identified by CERT Coordination Center.<br>
The manner, in which, they are affected and the actions required to avoid<br>
being impacted by exploitation of these vulnerabilities varies from product<br>
to product.<br>
<br>
Entrada Networks customers may contact our Technical Support Center<br>
via either telephone 800-331-8669 or via email: mailto:support@sync,com
for<br>
additional information, especially regarding their availability of the<br>
latest enhanced code releases addressing the SNMP vulnerabilities.<br>
<br>
The tests that were run apply to the following Entrada Networks,<br>
Sync Research, and Rixon Networks products.<br>
<br>
The Sync Research FRADs (3600,3700, 4200, and 4300 series),
the<br>
Tylink FRAPs (D-FRAP, M-FRAP, S-FRAP, T-FRAP),<br>
Sync Research management platform (Envisage for Windows and
Envisage<br>
for UNIX) and the Osicom Routermate series.<br>
The software tested on these products was the latest software<br>
releases that are generally available.<br>
<br>
Entrada Networks is in the process of creating a publication
for all<br>
applicable releases / platforms and will be offering this publication<br>
through the Entrada Networks Support site at<br>
<http://www.entradanetworks.com> or the Sync Research, Inc. site
at<br>
<http://www.sync.com> at a future date.<br>
<br>
Please contact our Technical Support organization for information<br>
regarding availability / applicability for your specific configurations.<br>
<br>
Following is a list of companies whose products are addressed
by<br>
this preliminary response:<br>
<br>
Sync Research, Inc. (see Entrada Networks)<br>
Osicom, Inc. (see Entrada Networks)<br>
Rixon Networks, Inc. (see Entrada Networks)<br>
Torrey Pines Networks, Inc. (see Entrada Networks)<br>
Tylink, Inc. (see Entrada Networks)
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="equinoxsystems">
<H4><a href="http://www.equinox.com/">Equinox Systems</a></H4>
<p>
<blockquote>
This is in reference to the CERT Advisory CA-2002-03 addressing
potential security vulnerabilities that exist in network devices
using SNMPv1 as the management protocol. Equinox has determined that
exploitation of these vulnerabilities may interfere with normal
operation of our ESP serial hub through malicious use of the
management interfaces provided for its Equiview Plus application.
We
are evaluating the impact on the ESP and will release appropriate
fixes if necessary. In the interim, Equinox recommends the following
mitigation procedures.<br>
<br>
In most network environments, firewalls are deployed to prohibit
externally originating SNMP traffic and both detect and prevent
Denial of Service attacks. Since the ESP does not currently allow
for disabling of SNMP, it is recommended that this device be operated
in a secure environment in conjunction with the following SNMP
network security safeguards:<br>
<br>
1. Filter SNMP access to managed devices to ensure the traffic
originates from known management systems<br>
2. Use upstream firewall/access lists to deny access to the
SNMP
agents accessible on the network<br>
3. Use access profiles to deny SNMP access to unknown users<br>
4. Use dedicated management VLANs or out-of-band management
to
contain SNMP traffic and multicasts<br>
5. Change the default community strings<br>
<br>
Equinox will continue to address potential security problems across
its product line and provide patches as circumstances dictate.
</ul>
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="esecurity">
<H4><a href="http://www.esecurityinc.com/">e-Security, Inc.</a></H4>
<p>
<blockquote>
e-Security Advisory:<br>
SNMPv1 Request and Trap Handling Vulnerabilities<br>
Revision 1.0<br>
Release Date: March 14, 2002<br>
<br>
Summary<br>
<br>
On February 12, 2002 the CERT®/CC released an advisory related to
security vulnerabilities that may exist in network devices using
SNMPv1 as the management protocol. The vulnerabilities may allow
unauthorized privileged access, denial of service attacks, or cause
unstable behavior. In response to this advisory, "CERT® Advisory
CA-2002-03 Multiple Vulnerabilities in Many Implementations of the
Simple Network Management Protocol (SNMP)", e-Security began
executing the tests that elicit these vulnerabilities for all
e-Security products.<br>
<br>
The issue centers on the SNMP library that we use in our products to
communicate in SNMP versions 1,2 & 3. Currently, e-Security uses
SNMP Research's Emanate 15.2.7 on with our agents (e-Wizard and eSAW)
and UC Davis 4.0.1 with our control center (e-Sentinel and OeSP).<br>
<br>
Preliminary test results have indicated that e-Sentinel, e-Wizard,
OeSP, and e-SAW products exhibited the vulnerabilities in the CERT®
Advisory.<br>
<br>
Though we were affected with the vulnerabilities in our code, note
this should not be viewed as a negative statement on SNMP protocol,
as the latest packages from UC Davis and SNMP Research are not
vulnerable to these exploits.<br>
<br>
Solution<br>
<br>
e-Security has applied the PROTOS c06-SNMPv1 test suite to all
e-Security products and has released patches to eliminate these
vulnerabilities. Our patches address e-Security products through
v.3.1. Future releases of e-Security products will utilize the
latest packages from UC Davis and SNMP Research which have resolved
these vulnerabilities.<br>
<br>
e-Security also recommends considering one or more of the following
solutions to minimize your network's potential exposure to these
vulnerabilities:<br>
<br>
· Ingress filtering<br>
· Egress filtering<br>
· Filter SNMP traffic from non-authorized internal hosts<br>
· Change default community strings<br>
<br>
For Further Information<br>
<br>
Contact e-Security Customer Support at 1-800-474-3131, or you can
e-mail us at support@esecurityinc.com.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="evidian">
<H4><a href="http://www.evidian.com/">Evidian Inc.</a></H4>
<p>
<blockquote>
<u>VU#854306</u><br>
<br>
This advisory is not applicable to OpenMaster for Telecom as it is a management
system and not an agent. As a management system, OpenMaster for Telecom processes
subsequent SNMP responses or send SNMP requests but doesn't process any SNMP
requests.<br>
<br>
<u>VU#107186 </u><br>
<br>
Evidian will issue a bulletin regarding this advisory once we have completed
the investigation.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="extremenetworks">
<H4><a href="http://www.extremenetworks.com/">Extreme Networks</a></H4>
<p>
<blockquote>
Extreme Networks has identified the vulnerability outlined in this CERT
Advisory CA-2002-03 and is in addressing the issue. A technical advisory
has
been released. Please go to the following web site for information:<br>
<a href="http://www.extremenetworks.com/support/techsupport.asp">http://www.extremenetworks.com/support/techsupport.asp</a>.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="f5">
<H4><a href="http://www.f5.com/">F5 Networks</a></H4>
<p>
<blockquote>
<p>All versions of BIG-IP, 3-DNS, GLOBAL-SITE and EDGE-FX are vulnerable
if the SNMP agent is enabled. Most versions have the SNMP agent enabled by
default. Patches are available for all affected versions.</p>
<p>SEE-IT is not affected by this vulnerability.</p>
<p>If a customer is unable to install the patch, the SNMP service may be
disabled. Below are instructions for obtaining patches and for disabling
the SNMP service for each vulnerable product.</p>
<h3>BIG-IP</h3>
<p>A patch exists to correct this problem. Please see <a
href="http://tech.f5.com/home/bigip/solutions/security/sol1622.html">http://tech.f5.com/home/bigip/solutions/security/sol1622.html</a>
.</p>
<p>Alternatively, you can simply disable the SNMP service using the instructions
below:</p>
<ol>
<li>Log in to the BIG-IP Configuration utility.<br>
<br>
</li>
<li>Navigate to the SNMP section. For version 4.0 and above this is a tab
under <b>System Administration</b>.<br>
<br>
</li>
<li>De-select the Enable box at the top of the screen and click the <b>
Apply</b> button. </li>
</ol>
<p>This will disable the SNMP service on BIG-IP.</p>
<br>
<h3>3-DNS</h3>
<p>A patch exists to correct this problem. Please see <a
href="http://tech.f5.com/home/3dns/solutions/security/sol1624.html">http://tech.f5.com/home/3dns/solutions/security/sol1624.html</a><a
href="http://tech.f5.com/home/3dns/solutions/security/sol1624.html"></a>
.</p>
<p>Alternatively, you can simply disable the SNMP service using the instructions
below:</p>
<ol>
<li>Log in to the 3-DNS Configuration utility.<br>
<br>
</li>
<li>Navigate to the SNMP section. This is the tab under <b>3-DNS Sync</b>
.<br>
<br>
</li>
<li>De-select the <b>Enable</b> box at the top of the screen and click the
Apply button.<br>
<br>
</li>
<li>Log in to the Command Line Interface of the 3-DNS.<br>
<br>
</li>
<li>Run the following command:
<p class="code">kill -9 `ps -ax | grep snmpd | awk '{print $1}'`</p>
</li>
</ol>
<p>This will disable the SNMP service on 3-DNS.</p>
<br>
<h3>GLOBAL-SITE</h3>
<p>A patch exists to correct this problem. Please see <a
href="http://tech.f5.com/home/globalsite/solutions/security/sol1626.html">
http://tech.f5.com/home/globalsite/solutions/security/sol1626.html</a>.</p>
<p>Alternatively, you can simply disable the SNMP service using the instructions
below:</p>
<h4>GLOBAL-SITE version 2.2</h4>
<p>To disable the SNMP agent for GLOBAL-SITE version 2.2, type the following
command from the command prompt:</p>
<p class="code">ITCMconsole service snmpd stop</p>
<p>This command stops the <b>snmpd</b> agent.</p>
<p class="code">ITCMconsole service snmpd disable</p>
<p>This command disables <b>snmpd</b> so it does not start again at the next
boot.</p>
<p>To verify the status of <b>snmpd</b>, enter the following command:</p>
<p class="code">ITCMconsole show snmpd status</p>
<br>
<h4>GLOBAL-SITE version 2.1PTF-01 and earlier:</h4>
<p>On versions 2.1 PTF-01 and earlier, <b>snmpd</b> is not running by default
so the GLOBAL-SITE Controller should not be affected. However, if you have
enabled <b>snmpd</b> manually, you should disable it.</p>
<br>
<h3>EDGE-FX</h3>
<p>A patch exists to correct this problem. Please see <a
href="http://tech.f5.com/home/edgefx/solutions/security/sol1625.html">http://tech.f5.com/home/edgefx/solutions/security/sol1625.html</a>
.</p>
<p>Alternatively, you can simply disable the SNMP service using the instructions
below:</p>
There are three SNMP daemons running on the cache. By default, the EDGE-FX
Cache runs the <b>snmpd</b>, the <b>edgefxsnmpd</b>, and Inktomi's <b>snmpdm</b>
. <br>
<h4>Disabling snmpd and edgefxsnmpd</h4>
<p>To disable and stop the SNMP agents, you should use the ITCMconsole. Type
the following commands from the command prompt:</p>
<p class="code">ITCMconsole service snmpd stop</p>
<p>This command stops the <b>snmpd</b> agent.</p>
<p class="code">ITCMconsole service snmpd disable</p>
<p>This command disables <b>snmpd</b> so it does not start again at the next
boot.</p>
<br>
<p>To verify the status of <b>snmpd</b>, enter the following command:</p>
<p class="code">ITCMconsole show snmpd status</p>
<br>
<p>Once the <b>snmpd</b> and <b>edgefxsnmpd</b> daemons are disabled, no other
snmp traffic will be accepted. </p>
<br>
<h4>Disabling snmpdm</h4>
<p>The <b>snmpdm</b> agent, is also enabled by default. This Inktomi specific
agent can be disabled or killed. In order to avoid traffic server anomalies,
you should not kill this this daemon.</p>
<p>According to CERT<span style="font-size: 75%;"><sup>®</sup></span>
Advisory <a href="http://www.cert.org/advisories/CA-2002-03.html">CA-2002-03</a>
:</p>
<p>"Inktomi Corporation does not believe our [Inktomi] CDS product is vulnerable.
Vulnerability would stem from the use of SNMP Research software in the CDS
product. However, SNMP Research has stated that their product Emanate, versions
15.x and higher, is not vulnerable. As Inktomi's CDS uses Emanate 15.3, we
[Inktomi] conclude that CDS is not vulnerable."</p>
<p>Inktomi's CDS contains the same Traffic Server that EDGE-FX utilizes, which
contains the Emanate 15.3 daemon (<b>snmpdm</b>).</p>
<p>If you still want to kill this SNMP agent, you can use the Configuration
utility or the command line.</p>
<p>To disable the SNMP agent from the Configuration utility:</p>
<ol>
<li>From your browser, access the Configuration utility (refer to <a
href="http://tech.f5.com/home/edgefx/manuals/edgefx2_2/edgefx2_2admin/Getstart.html#51335">
Accessing the Configuration utility</a>).<br>
<br>
</li>
<li>On the Configure tab, click the <b>Server</b> button.<br>
<br>
</li>
<li>Scroll to the SNMP section of the Server Basics page.<br>
<br>
</li>
<li>Click the <b>SNMP Agent Off</b> radio button.<br>
<br>
</li>
<li>Click the <b>Make These Changes</b> button. </li>
</ol>
<br>
<p>To disable the SNMP agent manually:</p>
<ol>
<li>In a text editor, open the <b>records.config</b> file located in the
EDGE-FX Cache’s <b>/config/traffic_server/config</b> directory.<br>
<br>
</li>
<li>Edit the following variable:
<p class="code">proxy.config.snmp.master_agent_enabled </p>
<p>Set this variable to <b>0</b> to disable SNMP on the EDGE-FX Cache
node.</p>
</li>
<li>Save and close the <b>records.config</b> file.<br>
<br>
</li>
<li>Make the <b>/usr/local/cache/bin</b> directory the working directory
and run the following command to apply the configuration changes.
<p class="code">./traffic_line -x</p>
<p class="note"><b>Note:</b> you can also use the following command to
restart the traffic_server: start_traffic_server.</p>
</li>
</ol>
<br>
<h3>SEE-IT</h3>
<p>It has been determined that SEE-IT is not vulnerable.</p>
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="f5">
<H4><a href="http://www.fluke.com/">Fluke Corporation</a></H4>
<p>
<blockquote>
<div align="Left">Fluke Networks' response to CERT Advisory 2002-03<br>
<br>
The CERT® Coordination Center
recently announced that numerous <br>
vulnerabilities have been reported
in multiple vendors' SNMP <br>
implementations. For your information,
Fluke Networks has created<br>
the following Q&A which includes
a tutorial, Using Fluke Networks <br>
products to manage SNMP risk on
your network. <br>
<br>
Q&A<br>
<br>
What is the actual risk? <br>
<br>
The impact of the vulnerability
is different for each vendor and <br>
their own products. For SNMP agents
and Trap listeners running on <br>
network operating systems, some
attacks could bypass system security <br>
controls. Overall, most attacks
resulted in a “denial-of-service” in <br>
which the entire product or portions
of the product stopped working <br>
properly. <br>
<br>
Which Fluke Networks products are
affected? <br>
<br>
Fluke Networks has tested its products
that listen for SNMP Traps or <br>
contain an internal SNMP agent.
It has been discovered that some <br>
circumstances exist that could
potentially cause a <br>
“denial-of-service”
condition for a Fluke Networks product, forcing <br>
the product to “hang”
or reboot. However, this situation would only <br>
affect Fluke Networks products
and would not compromise our <br>
customers’ networks. <br>
<br>
Fluke Networks products that could
be affected include the OptiView™ <br>
Integrated Network Analyzer, the
OptiView™ Workgroup Analyzer and <br>
the OptiView™ Link Analyzer.
<br>
<br>
As of this writing, there have
been no known "denial-of-service" <br>
incidents reported with Fluke Networks
products. To reiterate, <br>
should such an event occur involving
a Fluke Networks product, this <br>
would not affect the operation
of customers' networks or any of <br>
their network infrastructures.
Nor would there be any risk of anyone <br>
externally gaining access to customer
data. <br>
<br>
Future action <br>
<br>
At this time, we plan to resolve
all known vulnerabilities in the <br>
next scheduled software update
for the affected products. Customers <br>
who participate in the Gold Priority
Support program will be <br>
eligible to receive these updates
as part of their membership. <br>
Customers who do not participate
in this program should contact our <br>
Technical Assistance Center (TAC)
at 1-800-638-3497 (North America) <br>
or +1-425-446-4519 (Outside North
America). <br>
<br>
Recommendations <br>
<br>
We recommend the following "best
practices" to reduce the potential <br>
risk of SNMP related attacks:
<br>
1. Ensure that yourexternal
firewalls deny all incoming SNMP traffic.<br>
2. Change the default community
strings for all SNMP devices. Audit <br>
your network for
devices using the community strings of "public"<br>
and "private" as
well as for those other community strings that<br>
are set by default
by equipment manufacturers.<br>
3. Analyze SNMP traffic
for patterns of attack.<br>
<br>
Tutorial: Using Fluke Networks
products to manage this risk on your <br>
network<br>
<br>
1. Identify SNMP agents on the
network<br>
The OptiView Integrated Network
Analyzer and OptiView Workgroup <br>
Analyzer have the capability of
discovering all devices within a <br>
broadcast domain that are SNMP
enabled. <br>
<br>
On the Setup/Security screen, configure
all known and old community <br>
strings making sure you include
strings such as "public", "private" <br>
and "security". <br>
<br>
Re-run the tests by selecting the
"Rerun Test" tab. <br>
<br>
Select the "Discovery" tab and
then select the SNMP Agents category <br>
in the left hand pane. The resulting
display shows all SNMP agents <br>
discovered by the test. <br>
<br>
2. Test your firewall for filtering
SNMP traffic<br>
From a LAN segment outside your
firewall, use the OptiView <br>
Integrated Network Analyzer to
query known SNMP agents on the <br>
protected side of your network.
After the "Network-Under-Test" <br>
interface has a proper IP configuration,
enter the IP address of a <br>
known SNMP agent on the Tools screen.
<br>
<br>
Note: Using Fluke Networks’
Protocol Expert™ on the protected side <br>
of your firewall, allows you to
see if the firewall is denying any <br>
and all SNMP traffic from flowing
through the firewall as well as <br>
preventing SNMP responses from
leaving your network. <br>
<br>
Using two OptiView Analyzers, one
on either side of the firewall, <br>
can be used to easily check this
condition. Use the Packet Capture <br>
and Statistics feature to ensure
that no SNMP traffic is flowing in <br>
from outside of the firewall. <br>
<br>
3. Analyze network patterns for
SNMP attacks<br>
Using the OptiView Integrated Network
Analyzer, the OptiView <br>
Workgroup Analyzer or the OptiView
Link Analyzer, a combination of <br>
packet capture and protocol statistics
can be used to gather <br>
evidence of an SNMP attack. <br>
<br>
Select the "Top Hosts" tab to look
for nodes that should not be <br>
sending SNMP queries. Select the
"Top Conversations" to check for <br>
unusual Conversation Pairs within
the SNMP traffic. <br>
<br>
Fluke Networks' Copper
and Fiber taps can be used to access <br>
switch-to-switch links and the
Switch-TAP™ capability of the <br>
OptiView™ Inspector Console
can be used to program the mirror ports <br>
of a variety of switches. <br>
<br>
For more information <br>
<br>
For questions, concerns or more
information, please contact the <br>
Fluke Networks TAC at 1-800-638-3497
(North America), <br>
+1-425-446-4519 (outside North
America) or email us at: <br>
nettech@flukenetworks.com.</div>
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="foundrynetworks">
<H4><a href="http://www.foundrynet.com/">Foundry Networks, Inc.</a></H4>
<p>
<blockquote>
According to testing completed by Foundry engineering using
the stress tools recommended by CERT, we determined that NO Foundry
devices are affected by any known SNMP security issue. All of Foundry's
products use the same SNMP engine with varying SNMP versions (v1, v2c,
and v3), and all SNMP versions have been tested.<br>
<br>
We are extremely appreciative to CERT's help during our testing period,
and would like to wholeheartedly thank everyone involved.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="freebsd">
<H4><a href="http://www.freebsd.org/">FreeBSD</a></H4>
<p>
<blockquote>
FreeBSD does not include any SNMP software by default, and so is not
vulnerable. However, the FreeBSD Ports Collection contains the
UCD-SNMP / NET-SNMP package. Package versions prior to
ucd-snmp-4.2.3 are vulnerable. The upcoming FreeBSD 4.5 release
will ship the corrected version of the UCD-SNMP / NET-SNMP
package. In addition, the corrected version of the packages is
available from the FreeBSD mirrors.
<p>
FreeBSD has issued the
following FreeBSD Security Advisory regarding the UCD-SNMP / NET-SNMP
package:
<blockquote>
<a href="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:11.snmp.asc">ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:11.snmp.asc</a>.
</p>
</blockquote>
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="FutureCommunicationsSoftware ">
<H4><a href="http://www.futsoft.com/">Future Communications Software</a></H4>
<blockquote>
<p>
FutureSoft has tested its SNMP Product FutureSoftSNMP Release 5.0.1.0
according to the recommendations issued by CERT, and has found no
security vulnerabilities associated with Advisory CA-2002-03 (Multiple
Vulnerabilities in Many Implementations of SNMP).
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="generaldatacom">
<H4><a href="http://www.gdc.com/">General DataComm</a></H4>
<blockquote>
<p>
General DataComm Advisory Bulletin<br>
<br>
<a href="http://www.gdc.com/products/bulletin.shtml">http://www.gdc.com/products/bulletin.shtml</a><br>
<br>
Ref: CERT Advisory CA-2002-03<br>
Multiple Vulnerabilities in Many Implementations of Simple Network Management
Protocol (SNMP)<br>
<br>
GDC TEAM SNMP<br>
<br>
The GDC TEAM applications use the HP OpenView NNM SNMP protocol stack for
its SNMP network management communication to its SpectraComm Manager (SCM) card.
The SCM contains an SNMP proxy agent.<br>
<br>
Recommendations:<br>
<br>
1. The SCM does not have a default read/write community name of "private"
which makes it less susceptible for hackers to change device configurations or taking down the
management or data network. The SCM does have a default read only community name of "public".
The customer is advised to change this.<br>
<br>
2. The major GDC network management customers usually use a separate private LAN for their
management traffic to eliminate the exposure to outside illegal entry.<br>
<br>
3. Please read below, obtain and install the HP HPOV patches from the listed
sites.<br>
<br>
<b>HP HPOV NNM (Network Node Manager)</b><br>
Some problems were found in NNM product were related to trap handling. Patches in process. Watch for
the associated HP Security Bulletin.<br>
<br>
----------------------------------------------------------
<br>
HP-UX Systems running snmpd or OPENVIEW<br>
----------------------------------------------------------<br>
The following patches are available now:<br>
<br>
PHSS_26137 s700_800 10.20 OV EMANATE14.2 Agent
Consolidated Patch<br>
PHSS_26138 s700_800 11.X OV EMANATE14.2 Agent
Consolidated Patch <br>
<br>
PSOV_03087 EMANATE Release 14.2 Solaris 2.X
Agent Consolidated Patch<br>
<br>
All three patches are available from:<br>
<br>
http://support.openview.hp.com/cpe/patches/<br>
<br>
In addition PHSS_26137 and PHSS_26138 will soon be available from:<br>
<br>
http://itrc.hp.com<br>
<br>
NOTE: The patches are labeled OV(Open View). However, the patches
are also applicable to systems that are not running Open View.<br>
<br>
Any HP-UX 10.X or 11.X system running snmpd or snmpdm is vulnerable. To determine if your HP-UX
system has snmpd or snmpdm installed:<br>
<br>
swlist -l file | grep snmpd<br>
<br>
If a patch is not available for your platform or you cannot install an available patch, snmpd
and snmpdm can be disabled by removing their entries from /etc/services and removing the
execute permissions from /usr/sbin/snmpd and /usr/sbin/snmpdm.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="hp">
<H4><a href="http://www.hp.com/">Hewlett-Packard Company</a></H4>
<blockquote>
<p>
HP Support Information Digests<br>
<br>
==================================================<br>
o Security Bulletin Digest Split<br>
------------------------------<br>
<br>
The security bulletins digest has been split into multiple digests based
on the operating system (HP-UX, MPE/iX, and HP Secure OS
Software for Linux). You will continue to receive all security
bulletin digests unless you choose to update your subscriptions.
<br>
<br>
To update your subscriptions, use your browser to access the
IT Resource Center on the World Wide Web at:<br>
<br>
http://www.itresourcecenter.hp.com/<br>
<br>
Under the Maintenance and Support Menu, click on the "more..." link.
Then use the 'login' link at the left side of the screen to login
using your IT Resource Center User ID and Password.<br>
<br>
Under the notifications section (near the bottom of the page), select
Support Information Digests.<br>
<br>
To subscribe or unsubscribe to a specific security bulletin digest,
select or unselect the checkbox beside it. Then click the
"Update Subscriptions" button at the bottom of the page.<br>
<br>
o IT Resource Center World Wide Web Service<br>
-----------------------------<br>
<br>
If you subscribed through the IT Resource Center and would
like to be REMOVED from this mailing list, access the
IT Resource Center on the World Wide Web at:<br>
<br>
http://www.itresourcecenter.hp.com/<br>
<br>
Login using your IT Resource Center User ID and Password.
Then select Support Information Digests (located under
Maintenance and Support). You may then unsubscribe from the
appropriate digest.<br>
==================================================<br>
<br>
<br>
Digest Name: daily HP-UX security bulletins digest<br>
Created: Tue Feb 26 8:45:03 PST 2002<br>
<br>
Table of Contents:<br>
<br>
Document ID Title<br>
--------------- -----------<br>
HPSBUX0202-184 Sec. Vulnerability in SNMP (rev. 3)<br>
<br>
The documents are listed below.<br>
----------------------------------<br>
<br>
<br>
Document ID: HPSBUX0202-184<br>
Date Loaded: 20020212<br>
Title: Sec. Vulnerability in SNMP (rev. 3)<br>
<br>
TEXT<br>
-----------------------------------------------------------------<br>
**REVISED 03** HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #0184,<br>
Originally issued: 12 Feb. 2002<br>
Last revised: 24 Feb. 2002<br>
-----------------------------------------------------------------<br>
<br>
The information in the following Security Bulletin should be acted
upon as soon as possible. Hewlett-Packard Company will not be
liable for any consequences to any customer resulting from customer's
failure to fully implement instructions in this Security Bulletin as
soon as possible.<br>
<br>
------------------------------------------------------------------<br>
PROBLEM: Vulnerabilities in SNMP request and trap handling.<br>
<br>
PLATFORM: HP 9000 Series 700 and Series 800 running HP-UX<br>
releases 10.X and 11.X<br>
HP Procurve switches<br>
**REVISED 03**<br>
---->> JetDirect Firmware<br>
MC/ServiceGuard, EMS HA Monitors<br>
<br>
DAMAGE: Possible denial-of-service, service interruptions,<br>
unauthorized access.<br>
<br>
SOLUTION: Apply patches or implement workarounds. See below.<br>
For HP-UX releases:<br>
PHSS_26137 s700_800 HP-UX 10.20
OV EMANATE14.2 Agent<br>
PHSS_26138 s700_800 HP-UX 11.X
OV EMANATE14.2 Agent<br>
PSOV_03087 Solaris 2.X
EMANATE Release 14.2<br>
For systems running OV NNM:<br>
PHSS_26286 s700_800 HP-UX
10.20 ovtrapd large trap fix<br>
PHSS_26287 s700_800 HP-UX
11.X ovtrapd large trap fix<br>
PSOV_03100 Solaris 2.X
ovtrapd large trap fix<br>
NNM_00857 NT 4.X/Windows 2000
ovtrapd large trap fix<br>
<br>
MANUAL ACTIONS: Upgrade or workaround action per below.<br>
<br>
AVAILABILITY: Patches for some affected systems are available now.<br>
CHANGE SUMMARY: Rev.01 affected HP Procurve scope expanded, <br>
plus Procurve patch availability added.<br>
NNM ovtrapd patch availability added.<br>
Rev.02 SG and EMS found
not vulnerable.<br>
Rev.03 Jetdirect vulnerability
updated<br>
------------------------------------------------------------------<br>
<br>
A. Background<br>
CERT has issued an advisory:<br>
CERT Advisory CA-2002-03 Multiple Vulnerabilities in Many
Implementations of the Simple Network Management Protocol
(SNMPv1) containing information about the vulnerabilities.<br>
<br>
Hewlett-Packard Company will revise this bulletin as new
information becomes available.<br>
<br>
---------------------------------------------------------<br>
hp Procurve switches<br>
---------------------------------------------------------<br>
<br>
We are still in the process of determining which other HP
Procurve products are subject to these vulnerabilities.
We have created fixes for products below which will resolve
these issues. See Section C below.<br>
<br>
Customers can download these patches in the form of software
upgrades at:<br>
http://www.hp.com/rnd/software/switches.htm<br>
<br>
Product
Fix revision
number<br>
----------------------------------
--------------------<br>
HP Procurve Switch 2524 (J4813A)
F.04.08 or greater<br>
HP Procurve Switch 2512 (J4812A)
F.04.08 or greater<br>
HP Procurve Switch 4108GL (J4865A)
G.04.05 or greater<br>
HP Procurve Switch 4108GL-bundle (J4861A) G.04.05 or
greater<br>
<br>
Not all HP Procurve products have completed testing, nor are
they listed here, and may or may not have these vulnerabilities.
This bulletin will again be updated as new information becomes
available.<br>
<br>
---------------------------------------------------------<br>
NNM (Network Node Manager)<br>
---------------------------------------------------------<br>
<br>
Some problems found in NNM product were related to trap
handling. Patches are available. See Section C below.<br>
<br>
**REVISED 03**<br>
---------------------------------------------------------<br>
-->> JetDirect Firmware<br>
---------------------------------------------------------<br>
<br>
JetDirect Firmware Version State<br>
========================== =====<br>
--->> X.08.32 and lower VULNERABLE<br>
--->> (where X = A through K)<br>
--->> X.21.00 and higher NOT
vulnerable<br>
--->> (where X = L through P)<br>
<br>
----------------------------------------------------------<br>
HP-UX Systems running snmpd or OPENVIEW<br>
----------------------------------------------------------<br>
Any HP-UX 10.X or 11.X system running snmpd or snmpdm is
vulnerable. To determine if your HP-UX system has snmpd
or snmpdm installed:<br>
<br>
swlist -l file | grep snmpd<br>
<br>
B. Fixing the problem<br>
Install the appropriate patch or firmware revision or work
around problem as detailed below.<br>
<br>
C. Recommended solution<br>
---------------------------------------------------------<br>
hp Procurve switches<br>
---------------------------------------------------------<br>
<br>
Customers can download these patches in the form of software
upgrades at:<br>
http://www.hp.com/rnd/software/switches.htm<br>
<br>
Product
Fix revision number<br>
----------------------------------- -------------------<br>
HP Procurve Switch 2524 (J4813A)
F.04.08 or greater<br>
HP Procurve Switch 2512 (J4812A)
F.04.08 or greater<br>
HP Procurve Switch 4108GL (J4865A) G.04.05
or greater<br>
HP Procurve Switch 4108GL-bundle (J4861A) G.04.05 or greater<br>
<br>
---------------------------------------------------------<br>
NNM (Network Node Manager)<br>
---------------------------------------------------------<br>
<br>
Problems found in the NNM product (related only to trap
handling) are addressed in patches available at:<br>
<br>
http://support.openview.hp.com/cpe/patches/nnm/6.2/s700_800_11.X.jsp<br>
<br>
PHSS_26286 s700_800 HP-UX 10.20
ovtrapd large trap fix<br>
PHSS_26287 s700_800 HP-UX 11.X
ovtrapd large trap fix<br>
PSOV_03100 Solaris 2.X
ovtrapd large trap fix<br>
NNM_00857 NT 4.X/Windows 2000 ovtrapd
large trap fix<br>
<br>
---------------------------------------------------------<br>
MC/ServiceGuard<br>
---------------------------------------------------------<br>
MC/ServiceGuard is not affected. Testing has been completed
and neither MC/ServiceGuard nor ServiceGuard OPS Edition are
negatively impacted.<br>
<br>
The ServiceGuard Manager product does not use the cluster
SNMP and remains unaffected.<br>
<br>
---------------------------------------------------------<br>
Event Monitoring System (EMS)<br>
---------------------------------------------------------<br>
Testing of the MC/ServiceGuard or ServiceGuard OPS Edition
application with package resources defined using EMS High
Availability Monitors has been completed and shows no
vulnerability to this issue.<br>
<br>
**REVISED 03**<br>
---------------------------------------------------------<br>
--->> JetDirect Firmware<br>
---------------------------------------------------------<br>
<br>
JetDirect Firmware Version State<br>
========================== =====<br>
--->> X.08.32 and lower VULNERABLE<br>
--->> (where X = A through K)<br>
--->> X.21.00 and higher NOT
vulnerable<br>
--->> (where X = L through P)<br>
<br>
--->>FIX STATUS: HP is working on a firmware fix.<br>
<br>
--->>WORKAROUND: Change the set-community-name and use the<br>
--->>Access Control List as described in "HP Jetdirect Print<br>
--->>Servers - Making HP Jetdirect Print Servers Secure on<br>
--->>the Network":<br>
<br>
--->> http://www.hp.com/cposupport/networking/support_doc/<br>
--->> bpj05999.html#P88_10129<br>
<br>
--->> LIMITING THE VULNERABILITY<br>
<br>
--->>SNMPv1 security relies on the set community name. It is<br>
--->>important that a set-community-name be configured on the<br>
--->>Jetdirect device and that it be kept secret.<br>
<br>
--->>Jetdirect Print Servers offer an Access Control List that<br>
--->>can be used to specify which hosts can make SNMP<br>
--->>configuration changes to Jetdirect Print Servers.<br>
<br>
--->>The steps above can help prevent exploitation of the<br>
--->>vulnerability. To eliminate the vulnerability before a fix<br>
--->>is available SNMP can be disabled on the Jetdirect device.<br>
<br>
--->> DISABLING SNMP ON A JETDIRECT PRINT SERVER<br>
<br>
--->>1. Update the firmware to the highest level as described in<br>
--->> the Jetdirect Upgrade Instructions document:<br>
<br>
--->> http://www.hp.com/cposupport/networking/support_doc/bpj06917.html<br>
<br>
--->>NOTE: Disabling SNMP may affect device discovery
and port<br>
--->> monitors that use SNMP to get status
on the device.<br>
--->> Use this feature with care.<br>
<br>
--->>2. Telnet to the Jetdirect device (on the latest firmware)<br>
--->> and type:<br>
--->>
snmp-config: 0<br>
--->>
quit<br>
<br>
--->>This will completely disable SNMP on the Jetdirect device.<br>
<br>
<br>
--->>HP always recommends upgrading Jetdirect firmware for the<br>
--->>latest bug fixes and security benefits. The upgrade firmware<br>
--->>and download utility are available free of charge:<br>
<br>
--->>http://www.hp.com/cposupport/networking/support_doc/bpj06917.html<br>
<br>
--->>The following is a list of JetDirect Product Numbers<br>
--->>that can be freely upgraded to X.08.32 or X.21.00 or<br>
--->>higher firmware. The latest firmware revision available<br>
--->>for download is given. For example, the latest firmware<br>
--->>revision for the J3110A is G.08.32.<br>
<br>
--->>EIO (Peripherals Laserjet 4000, 5000, 8000, etc...)<br>
--->> J3110A 10T
[G.08.32]<br>
--->> J3111A 10T/10B2/LocalTalk
[G.08.32]<br>
--->> J3112A Token Ring (discontinued)
[G.08.32]<br>
--->> J3113A 10/100 (discontinued)
[G.08.32]<br>
--->> J4169A 10/100
[L.21.22]<br>
--->> J4167A Token Ring
[L.21.25]<br>
--->> J6057A 10/100
[R.22.09]<br>
<br>
--->>MIO (Peripherals LaserJet 4, 4si, 5si, etc...)<br>
--->> J2550A/B 10T (discontinued) [A.08.32]<br>
--->> J2552A/B 10T/10Base2/LocalTalk (discontinued)
[A.08.32]<br>
--->> J2555A/B Token Ring (discontinued)
[A.08.32]<br>
--->> J4100A 10/100
[K.08.32]<br>
--->> J4105A Token Ring
[K.08.32]<br>
--->> J4106A 10T
[K.08.32]<br>
<br>
--->>LIO (Peripherals Color Inkjet cp1160, cp1700)<br>
--->> J6042A 250m 10/100
[N.21.22]<br>
<br>
--->>External Print Servers<br>
--->> J2591A EX+ (discontinued)
[E.08.32]<br>
--->> J2593A EX+3 10T/10B2 (discontinued)
[D.08.32]<br>
--->> J2594A EX+3 Token Ring (discontinued)
[D.08.32]<br>
--->> J3263A 300X 10/100
[H.08.32]<br>
--->> J3264A 500X Token Ring
[J.08.32]<br>
--->> J3265A 500X 10/100
[J.08.32]<br>
--->> J6038A 310x USB 10/100
[Q.22.04]<br>
<br>
----------------------------------------------------------<br>
HP-UX Systems running snmpd or OPENVIEW<br>
----------------------------------------------------------<br>
The following patches are available now:<br>
<br>
PHSS_26137 s700_800 HP-UX 10.20 OV EMANATE14.2
Agent$<br>
PHSS_26138 s700_800 HP-UX 11.X OV
EMANATE14.2 Agent$<br>
PSOV_03087 Solaris 2.X EMANATE
Release 14.2 $<br>
<br>
All three patches are available from:<br>
<br>
http://support.openview.hp.com/cpe/patches/<br>
<br>
In addition PHSS_26137 and PHSS_26138 are now available
from:<br>
http://itrc.hp.com<br>
<br>
=================================================<br>
NOTE: The patches are labeled OV (Open View). However, the
patches are also applicable to systems that are _NOT_
running Open View.<br>
=================================================<br>
<br>
Workaround for HP-UX Systems:<br>
<br>
If a patch is not available for your platform or you cannot
install an available patch, snmpd and snmpdm can be disabled
by removing their entries from /etc/services and removing the
execute permissions from /usr/sbin/snmpd and /usr/sbin/snmpdm.<br>
<br>
D. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP IT Resource Center via electronic
mail, do the following:<br>
<br>
Use your browser to get to the HP IT Resource Center page
at:<br>
<br>
http://itrc.hp.com<br>
<br>
Use the 'Login' tab at the left side of the screen to login
using your ID and password. Use your existing login or the
"Register" button at the left to create a login, in order to
gain access to many areas of the ITRC. Remember to save the
User ID assigned to you, and your password.<br>
<br>
In the left most frame select "Maintenance and Support".<br>
<br>
Under the "Notifications" section (near the bottom of
the page), select "Support Information Digests".<br>
<br>
To -subscribe- to future HP Security Bulletins or other
Technical Digests, click the check box (in the left column)
for the appropriate digest and then click the "Update
Subscriptions" button at the bottom of the page.<br>
<br>
or<br>
<br>
To -review- bulletins already released, select the link
(in the middle column) for the appropriate digest.<br>
<br>
To -gain access- to the Security Patch Matrix, select
the link for "The Security Bulletins Archive". (near the
bottom of the page) Once in the archive the third link is
to the current Security Patch Matrix. Updated daily, this
matrix categorizes security patches by platform/OS release,
and by bulletin topic. Security Patch Check completely
automates the process of reviewing the patch matrix for
11.XX systems.<br>
<br>
For information on the Security Patch Check tool, see:<br>
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/<br>displayProductInfo.pl?productNumber=B6834AA"<br>
<br>
The security patch matrix is also available via anonymous
ftp:<br>
<br>
ftp.itrc.hp.com:~ftp/export/patches/hp-ux_patch_matrix<br>
<br>
On the "Support Information Digest Main" page:
click on the "HP Security Bulletin Archive".<br>
<br>
<br>
E. To report new security vulnerabilities, send email to<br>
<br>
security-alert@hp.com<br>
<br>
Please encrypt any exploit information using the
security-alert PGP key, available from your local key
server, or by sending a message with a -subject- (not body)
of 'get key' (no quotes) to security-alert@hp.com.<br>
<br>
Permission is granted for copying and circulating this
Bulletin to Hewlett-Packard (HP) customers (or the Internet
community) for the purpose of alerting them to problems,
if and only if, the Bulletin is not edited or changed in
any way, is attributed to HP, and provided such reproduction
and/or distribution is performed for non-commercial purposes.<br>
<br>
Any other use of this information is prohibited. HP is not
liable for any misuse of this information by any third party.<br>
________________________________________________________________<br>
-----End of Document ID:<br>
HPSBUX0202-184--------------------------------------<br>
<br>
Re: Hewlett Packard HP3000 - MPE vulnerable to CERT®
Advisory CA-2002-03 SNMP<br>
<br>
This is resolved on HP-e3000 MPE/iX systems - fix:<br>
8606-248966 in the following
patches to the SNMP Agent:<br>
<br>
SNMGDL9 for C.60.00<br>
SNMGDM0 for C.65.00<br>
SNMGDM1 for C.70.00<br>
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="hirschmannelectronics">
<H4><a href="http://www.hirschmann.de">Hirschmann Electronics GmbH & Co. KG</a></H4>
<blockquote>
Hirschmann Electronics GmbH & Co. KG supplies a broad range of networking
products, some of which are affected by the SNMP vulnerabilities identified
by CERT Coordination Center. The manner in which they are affected and the
actions required to avoid being impacted by exploitation of these
vulnerabilities, vary from product to product. Hirschmann customers may
contact our Competence Center (phone +49-7127-14-1538, email: ans-support@nt.hirschmann.de) for additional information, especially
regarding availability of latest firmware releases addressing the SNMP
vulnerabilities.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="hitachidatasystems">
<H4><a href="http://www.hds.com">Hitachi Data Systems (HDS)</a></H4>
<blockquote>
Hitachi Data Systems (HDS) has evaluated the information about the industry
wide SNMP (Simple Network Management Protocol) vulnerabilities and is conducting
the appropriate series of tests to determine the possible exposure on its
entire product offering.<br>
<br>
While a potential vulnerability has already been assessed in certain product’s
configurations, HDS has designed the necessary temporary workaround and made
them available to our customers through the local support personnel.
As soon as a permanent fix will become available, it will be immediately
provided to all our customers.<br>
<br>
For further details please contact the Hitachi Data System technical support
structure or visit our web site at:<br>
<br>
<a href="http://www.hds.com/products_services/support/">http://www.hds.com/products_services/support/</a>.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="ibm">
<H4><a href="http://www.ibm.com/">IBM Corporation</a></H4>
<p>
<blockquote>
The AIX operating system is susceptible to the vulnerabilities
tested for by the Oulu University PROTOS test suite for all
levels of AIX 4.3.x prior to level 4.3.3.51, and AIX 5.1 prior
to level 5.1.0.10. APARs were developed and made available last
year that closed the vulnerabilities looked for by the test suite.
For 4.3.x, the relevant APAR is #IY17630; for 5.1, the appropriate
APAR is #IY20943.<br>
<br>
To see if your version and level of AIX is vulnerable, enter the
command:<br>
<br>
lslpp -l bos.net.tcp.client<br>
<br>
If the "Level" stated is lower than those given above, your
system is vulnerable, and you are urged to apply the appropriate
APAR.<br>
<br>
AIX versions prior to 4.3 are also vulnerable, but these versions
are no longer supported by IBM.<br>
<br>
To remain consistent with IBM's standing agreement with our customers who
use zOS and OS/400, IBM asks that these customers contact IBM Service
for information regarding this vulnerability.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="infovista">
<H4><a href="http://www.infovista.com/">InfoVista</a></H4>
<blockquote>
<P>
In reference to CERT Advisory CA-2002-03, Multiple Vulnerabilities in Many
Implementations of the Simple Network Management Protocol (SNMP), InfoVista
has reviewed and addressed this advisory that reports how vulnerabilities
may allow unauthorized privileged access, denial of service attacks, or unstable
behavior.<br>
<br>
InfoVista has assessed the InfoVista product portfolio and investigated the
impact of this advisory. Tests have been performed against the PROTOS c06-snmpv1
test suite and as a result, InfoVista products fixes are being created, if
needed, which will resolve any related issues. Upgrades to our product line
that address these issues will be released in the near future.<br>
<br>
A status of each InfoVista product is as follows: <br>
<br>
<b>InfoVista Server</b><br>
<br>
The InfoVista Server is not affected by trap & agent-side vulnerabilities.
The InfoVista Server performs numerous consistency checks on SNMP packets,
thus being immune to most attacks. Further evaluation is underway to assess
any vulnerability and, if exposures as reported in the advisory are found,
fixes will be provided.<br>
<br>
<b>Vista Plug-in for NetFlow</b><br>
<br>
The Vista Plug-in for NetFlow version 3.0 includes Emanate 15.2.1.7, which
does not address these vulnerabilities. The latest version of Emanate 15.3.1.7,
which accounts for these vulnerabilities, will be included in the next version
of the Vista Plug-in for NetFlow. A product release schedule will be communicated
soon.<br>
<br>
<b>Vista Plug-in Family</b><br>
<br>
Full testing of our agents for the vulnerabilities identified in CERT Advisory
CA-2002-03, VU#854306 and VU#107186 have been completed. A hotfix for the
Vista Plug-in Family that corrects these vulnerabilities is scheduled for
release at the end of March.<br>
<br>
<b>VistaNotifier</b><br>
<br>
VistaNotifier is not affected by agent-side vulnerabilities. VistaNotifier
does consistency checks for traps, while expecting these traps to be in a
specific format (from the InfoVista server), thus being immune to most attacks.
Further evaluation is underway to assess any vulnerability and, if exposures
as reported in the advisory are found, fixes will be provided.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="inktomi">
<H4><a href="http://www.inktomi.com/">Inktomi Corporation</a></H4>
<blockquote>
<P>
All releases of Inktomi Traffic Server and Inktomi Media-IXT prior to
version 5.2 are vulnerable, releases after 5.2 are not vulnerable. A
software patch is available to close the vulnerability. Download and
installation instructions are available at:<br>
<a href="ftp://traffic_swul:!nc0ming@support.inktomi.com/CA-2002-03/README">
ftp://traffic_swul:!nc0ming@support.inktomi.com/CA-2002-03/README</a><br>
<br>
Traffic Server deployed as part of the Inktomi Content Networking
Platform 1.0 is also vulnerable, and should be immediately updated to
v1.1 or 1.1.1. Inktomi CNP customers can get the 1.1.1 release from
<a href="http://downloads.inktomi.com">http://downloads.inktomi.com</a>.<br>
<br>
Other Inktomi Products:<br>
Inktomi CDS is not vulnerable. CDS is safe because it does not listen
for SNMP requests. Inktomi Enterprise Search is also not vulnerable,
because it does not include any SNMP. Finally, Inktomi Media
Distribution Network is also safe because it does
not include any SNMP.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="innerdive">
<H4><a href="http://www.innerdive.com/">Innerdive Solutions, LLC</a></H4>
<blockquote>
Innerdive Solutions, LLC has two SNMP based products:<br>
<br>
1. The "SNMP MIB Scout" (<a href="http://www.innerdive.com/products/mibscout/">http://www.innerdive.com/products/mibscout/</a>)<br>
2. The "Router IP Console" (<a href="http://www.innerdive.com/products/ric/">http://www.innerdive.com/products/ric/</a>)<br>
<br>
The "SNMP MIB Scout" is not vulnerable to either bug.<br>
<br>
The "Router IP Console" releases prior to 3.3.0.407 are vulnerable. The release of "Router IP Console" correcting the behavior outlined in OUSPG#0100 is 3.3.0.407 and is already available on our site. Also, we will notify all our customers about this new release no later than March 5, 2002.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="inrangetechnologies">
<H4><a href="http://www.inrange.com/">INRANGE Technologies</a></H4>
<blockquote>
The CERT Coordination Center has issued a broad based alert to the
technology industry, including INRANGE Technologies, regarding potential
security vulnerabilities identified in the Simple Network Management
Protocol (SNMP), a common networking standard. The company is assessing
the issue with its products. Updates will be posted to the INRANGE
website (<a href="http://www.inrange.com">http://www.inrange.com</a>) as
circumstances dictate.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="internichetechnologies">
<H4><a href="http://www.iNiche.com/">InterNiche Technologies, Inc.</a></H4>
<blockquote>
InterNiche Technologies, Inc.'s SNMPv1 product is not susceptible to
problems described in CERT Advisory VU#107186, and the company is in the
process of evaluating the behavior of its implementation with respect to
Advisory VU#854306.<br>
<br>
It is unclear at this point whether the product is vulnerable to attack
as described in this second advisory (VU#854306), and if any problems
are discovered InterNiche customers will be notified and a fix made
available under the terms of their support agreement.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="iplanet">
<H4><a href="http://www.iplanet.com/">iPlanet</a></H4>
<blockquote>
Update on CERT ALERT CA-2002-03 <br>
iPlanet has identified a problem in the CERT Alert CA-2002-03, regarding
implementations of its directory server and web proxy server. <br>
<br>
The SNMP agent (magt) daemon supplied with the Admin Server component of
Netscape Directory Server 4.1x, iPlanet Directory Server 5.0,
iPlanet Directory Server 5.1 and iPlanet Web Proxy Server 3.6 on UNIX platforms
is vulnerable to a malformed request. The malformed request will cause the
"magt" daemon to abruptly exit, so that it will no longer accept requests.
The "magt" daemon is not included in the Admin Server component of the Netscape
Directory Server or iPlanet Directory Server on the Windows NT, Windows 2000
platforms and is not used on AIX platforms, so the Directory Server and Web
Proxy Server are not affected on these platforms. <br>
<br>
This vulnerability is present in the following versions running on Unix platforms:
<br>
Netscape Directory Server 4.12, 4.13, 4.14, 4.15 and 4.16 <br>
iPlanet Directory Server 5.0, 5.0SP1 and 5.1 <br>
iPlanet Web Proxy Server 3.6 <br>
<br>
We do not believe that this vulnerability affects the overall integrity of
the directory server or web proxy server in any way. <br>
<br>
As a general practice, we recommend disabling all services affected by the
"magt" daemon that are not explicitly required until a patch is downloaded
and installed. If you are not using SNMP to monitor the directory server,
we recommend that you do not run the "magt" daemon process. You can also
limit your exposure to this vulnerability by using a firewall to restrict
access to the UDP port on which "magt" receives incoming SNMP requests. <br>
<br>
Patches and Service packs fixing this problem will be posted under http://www.iplanet.com/downloads/patches/.
<br>
<br>
Version Recommended action <br>
Directory Server 4.1x Install standalone "magt" patch <br>
Directory Server 5.0 Upgrade to 5.0SP2 or install "magt" patch <br>
Directory Server 5.0SP1 Upgrade to 5.0SP2 or install "magt" patch <br>
Directory Server 5.1 Install standalone "magt" patch <br>
iPlanet Web Proxy Server 3.6 Install standalone "magt" patch<br>
<br>
iPlanet products, such as iPlanet Application Server Enterprise Edition<br>
6.x, bundling the above mentioned products are also affected. Installing<br>
the appropriate Directory Server patches and/or service pack is<br>
recommended.<br>
<br>
iPlanet customers with questions on this advisory are requested to contact
iPlanet Technical Support who will provide full support and up-to-date information.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="ipswitch">
<H4><a href="http://www.ipswitch.com/">Ipswitch, Inc.</a></H4>
<blockquote>
Ipswitch has completed its assessment of WhatsUp Gold in response to the
CERT advisory (CA-2002-03). We have addressed all of the issues highlighted
by the CERT advisory's 24,000 test cases via a patch release.<br>
<br>
A free patch is currently available to upgrade WhatsUp Gold customers from
version 7.01 to 7.02. You can download the patch from
<a href="http://www.ipswitch.com/support/whatsup/patch-upgrades.html">http://www.ipswitch.com/support/whatsup/patch-upgrades.html</a>.<br>
<br>
For customers who are currently running WhatsUp Gold version 6.02, a patch
will be released shortly to upgrade you to version 6.03. Please check
back
with our patch page
(<a href="http://www.ipswitch.com/support/whatsup/patch-upgrades.html">
http://www.ipswitch.com/support/whatsup/patch-upgrades.html</a>) over the next
couple of weeks.<br>
<br>
Thank you for your continued support of WhatsUp Gold and other Ipswitch
products.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="itouch">
<H4><a href="http://www.itouchcom.com/">iTouch Communications</a></H4>
<blockquote>
iTouch Communications has confirmed that the following tests failed
(software crash) in the MX and InReach Series run-time image
Xpcsrv20.sys version 6.3 and NEMC_IR.SYS version 3.0 and earlier:<br>
<br>
1. APP tests, 10545 and 10549<br>
2. ENC tests 878,7643,7686,7687,7688,13358 & 13486<br>
<br>
These issues were fixed in Xpcsrv20.sys version 6.3s15 and
NEMC_IR.SYS version 3.0s1 and now they are fully compliant with the
SNMP vulnerability CERT tests.<br>
<br>
Customers requesting software updates or more information may
contact iTouch Communications at 800-435-7997 (domestic) and 978-952-4888
(International) and select the Customer Service option.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="juniper">
<H4><a href="http://www.juniper.net/">Juniper Networks</a></H4>
<blockquote>
<P>This is in reference to your notification regarding CAN-2002-0012 and
CAN-2002-0013. Juniper Networks has reproduced this behavior and coded a
software fix. The fix will be included in all releases of JUNOS Internet
software built after January 5, 2002. Customers with current support
contracts can download new software with the fix from Juniper's web site
at <a href="http://www.juniper.net">http://www.juniper.net</a>
<P>Note: The behavior described in CAN-2002-0012 and CAN-2002-0013 can
only be reproduced in JUNOS Internet software if "snmp traceoptions flag
pdu" is enabled. Tracing of SNMP PDUs is generally not enabled in
production routers.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="karlnet">
<H4><a href="http://www.karlnet.com/">KarlNet, Inc.</a></H4>
<p>
<blockquote>
Karlnet Advisory:<br>
SNMPv1 Implementation Vulnerabilities in Karlnet Products<br>
Revision 1.0<br>
Revision Date: 14 March 2002<br>
<br>
I Vulnerabilities Found<br>
<br>
Preliminary test results have indicated multiple Karlnet products exhibit
certain vulnerabilities to SNMP messages.
Some of these vulnerabilities can be exploited, resulting in a denial of
service or service interruption.<br>
<br>
These results have not indicated any vulnerability that will allow an attacker
to gain access to the affected device.<br>
<br>
II. Solution<br>
<br>
In response to CERT® Advisory CA-2002-03 Multiple Vulnerabilities in
Many
Implementations of the Simple Network Management Protocol (SNMP),
Karlnet Inc. has detected and repaired all of the inconsistencies found by
CERT Tests in our SNMP implementation. We have ensured that all
vulnerabilities found, using test suite, PROTOS c-06-SNMPv1, have
been corrected and implemented in all versions of Karlnet Software 4.01 or
greater.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="kentrox">
<H4><a href="http://www.kentrox.com/">Kentrox,LLC</a></H4>
<p>
<blockquote>
Kentrox, LLC.. has reviewed CERT Advisory CA-2002-03 and has published the
results of our initial evaluation. Kentrox will continue testing products
that support SNMP against the PROTOS test suite. As results become available
they will be added to the information found at our web site.<br>
<br>
The results can be found at: <a href="http://www.kentrox.com/cert-CA-2002-03-response">
http://www.kentrox.com/cert-CA-2002-03-response</a>.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="lantronix">
<H4><a href="http://www.lantronix.com/">Lantronix, Inc.</a></H4>
<p>
<blockquote>
Lantronix is committed to resolving security issues with our
products. The SNMP security bug you reported has been fixed in LRS
firmware version B1.3/611(020123).
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="larscom">
<H4><a href="http://www.larscom.com/">Larscom Incorporated</a></H4>
<p>
<blockquote>
Larscom Incorporated has completed a preliminary examination of its product
line in response to CA-2002-03. Larscom has identified a number of platforms
that use SNMP, both V1 and V2. It is felt that those using SNMP V2 are not
affected by the referenced vulnerabilities.<br>
<br>
A complete report listing the affected products and the recommended
circumvention can be found at <a href="http://www.larscom.com/support/advisory/cert_ca_2002_03.pdf">
http://www.larscom.com/support/advisory/cert_ca_2002_03.pdf</a>
or can be requested from service@larscom.com.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="lexmark">
<H4><a href="http://www.lexmark.com/">Lexmark International, Inc.</a></H4>
<p>
<blockquote>
Lexmark International has tested the current MarkNet network adapters
and current Lexmark Utilities (MarkVision Professional) according to
recommendations issued by CERT. Lexmark Utilities are not
vulnerable. Below is a list of tested MarkNet devices and
information on obtaining updated network firmware when necessary:<br>
<br>
<!-- begin vul table -->
<table width="400" border="0" cellspacing="0" cellpadding="0">
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
<b>Printer/Network Adapter type</b></small></font>
</td>
<td width="150"><font face="helvetica, arial, geneva"><small>
<b>Fix Revision (if applicable)</b></small></font></td>
</tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
Lexmark E322n Laser Printer
</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
4.20.14 or greater
</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
Lexmark T520n Laser Printer
</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
Not vulnerable
</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
Lexmark T522n Laser Printer
</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
Not vulnerable
</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
Lexmark T620n Laser Printer
</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
Not vulnerable
</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
Lexmark T622n Laser Printer
</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
Not vulnerable
</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
Lexmark Optra W810n Laser Printer
</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
3.20.14 or greater
</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
Lexmark W820n Laser Printer
</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
Not vulnerable
</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
Lexmark Optra C710nSBE Laser Printer
</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
3.20.14 or greater
</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
Lexmark Optra C710n Laser Printer
</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
3.20.14 or greater
</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
Lexmark C720n Color Laser Printer
</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
3.20.14 or greater
</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
Lexmark C720dn Color Laser Printer
</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
3.20.14 or greater
</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
Lexmark C750n Color Printer
</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
Not vulnerable
</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
Lexmark C750dn Color Printer
</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
Not vulnerable
</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
Lexmark C910n Color Printer
</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
Not vulnerable
</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
Lexmark C910dn Color Printer</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
Not vulnerable</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
Lexmark Optra Color 45n</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
3.20.14 or greater</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
Lexmark Optra T610n Laser Printer</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
3.20.14 or greater</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
MarkNet N2001e</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
3.20.14 or greater</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
MarkNet N2000t</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
3.20.14 or greater</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
MarkNet N2002e</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
3.20.14 or greater</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
MarkNet N2003fx-MTRJ</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
3.20.14 or greater</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
MarkNet N2003fx-SC</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
3.20.14 or greater</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
MarkNet N2401e</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
5.20.14 or greater</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
MarkNet N2501e</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
5.20.14 or greater</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
MarkNet X2011e</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
4.20.14 or greater</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
MarkNet X2012e</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
4.20.14 or greater</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
MarkNet X2030t</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
4.20.14 or greater</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
MarkNet X2031e</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
4.20.14 or greater</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
MarkNet XI</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
4.20.14 or greater</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
MarkNet XP</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
4.20.14 or greater</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
MarkNet Pro network family</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
2.10.193 or greater</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
MarkNet S network family</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
1.10.193 or greater</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
Lexmark X820e MFP</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
Not vulnerable</small></font></td></tr>
<tr><td width="250"><font face="helvetica, arial, geneva"><small>
Lexmark X7500 MFP</small></font></td>
<td width="150"><font face="helvetica, arial, geneva"><small>
Not vulnerable</small></font></td></tr>
</table>
<br>
None of the Lexmark network adapters are vulnerable once the
community name is changed. If unable to update to one of the above
firmware levels, Lexmark recommends changing the community name.<br>
<br>
Firmware updates are available at:
<a href="http://support.lexmark.com/en/cert_ca-2002-03.html">http://support.lexmark.com/en/cert_ca-2002-03.html</a><br>
<br>
For questions related to these or other Lexmark devices please contact 1-800-LEXMARK.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="lotus">
<H4><a href="http://www.lotus.com/">Lotus Development Corporation</a></H4>
<P>
<blockquote>
Lotus Software evaluated the Lotus Domino Server for vulnerabilities
using the test suite materials provided by OUSPG.<br>
<br>
This problem does not affect default installations of the Domino
Server. However, SNMP agents can be installed from the CD to provide
SNMP services for the Domino Server (these are located in the
/apps/sysmgmt/agents directory). The optional platform specific
master and encapsulator agents included with the Lotus Domino SNMP
Agents for HP-UX and Solaris have been found to be vulnerable. For
those platforms, customers should upgrade to version R5.0.1 a of the
Lotus Domino SNMP Agents, available for download from the Lotus
Knowledge Base on the IBM Support Web Site
(<a href="http://www.ibm.com/software/lotus/support/">http://www.ibm.com/software/lotus/support/</a>). Please refer to
Document #191059, "Lotus Domino SNMP Agents R5.0.1a", also in the
Lotus Knowledge Base, for more details.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="logec">
<H4><a href="http://www.logec.com/">LOGEC Systems Inc</a></H4>
<P>
<blockquote>
The products from LOGEC Systems are exposed to
SNMP only via HP OpenView. We do not have an
implementation of SNMP ourselves. As such, there is
nothing in our products that would be an issue with this alert.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="lucent">
<H4><a href="http://www.lucent.com/">Lucent</a></H4>
<P>
<blockquote>
Lucent is aware of reports that there is a vulnerability in certain implementations
of the SNMP (Simple Network Management Protocol) code. <br>
<br>
As soon as we were notified by CERT, we began assessing our product
portfolio and notifying customers with products that might be affected. <br>
<br>
Our 5ESS(R) switch and our optical portfolio were not affected. We
have developed, tested, and deployed fixes for most of the impacted products,
including our core and edge ATM switches and our edge and broadband access
products. Fixes for the rest of the affected product portfolio will
be available shortly. <br>
<br>
Customers with questions about product vulnerability and/or the status of
fixes for affected products should log in to the customer support section
of the Lucent web site at <a href="http://www.lucent.com">http://www.lucent.com</a>
. Customers who need help registering for the web site should talk
to their Lucent customer teams.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="marconi">
<H4><a
href="http://www.marconi.com/html/homepage/home.htm">Marconi</a></H4>
<P>
<blockquote>
Marconi supplies a broad range of telecommunications and related
products, some of which are affected by the SNMP vulnerabilities
identified here. The manner in which they are affected and the
actions required (if any) to avoid being impacted by exploitation of
these vulnerabilities, vary from product to product. Those Marconi
customers with support entitlement may contact the appropriate
Technical Assistance Center (TAC) for additional information. Those
not under support entitlement may contact their sales representative.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="mercuryinteractive">
<H4><a
href="http://www-heva.mercuryinteractive.com/">Mercury Interactive Corporation</a></H4>
<P>
<blockquote>
Of the Mercury Interactive products, both Topaz and SiteScope have the
capability to listen to SNMP traps. In both cases this capability is
not installed by default. In order to eliminate any vulnerabilities
we have taken the necessary steps to verify that our products are
immune to the issues mentioned in the advisory.<br><br>
The SiteScope product version 7.5 and onwards, uses Cyberons for Java
from Netaphor Software Inc., with the latest patches. These libraries
are immune to the issues mentioned in the advisory. More information
about this can be found at
http://www.netaphor.com/Products/CERTAdvisory.html The Topaz product
version 4.1 and onwards, uses the SNMP++ libraries by Agent++, at
version 3.1.4b or later. These libraries are immune to the issues
mentioned in the advisory. More information about this can be found at
http://www.agentpp.com/CERT_SNMPv1_Advisory/body_cert_snmpv1_advisory.html.<br><br>
Customers using these products, with the capability to listen to SNMP
traps, are advised to upgrade to the appropriate version. Mercury
Interactive also recommends considering one or more of the following
solutions to minimize your network's potential exposure to these
vulnerabilities:<br><br>
-Ingress filtering<br><br>
-Egress filtering<br><br>
-Filter SNMP traffic from non-authorized internal hosts<br><br>
-Change default community strings
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="metrobility">
<H4><a href="http://www.metrobility.com/">Metrobility Optical Systems</a></H4>
<P>
<blockquote>
Metrobility Optical Systems has identified some of the vulnerability
outlined in CERT Advisory CA-2002-03 and is addressing the issue. A
technical advisory has been released. Please go to the following web
site for information: <a href="http://www.metrobility.com/support/cert.htm">http://www.metrobility.com/support/cert.htm</a>.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="mg-soft">
<H4><a href="http://www.mg-soft.com/">MG-SOFT Corporation</a></H4>
<blockquote>
<P>
MG-SOFT is currently performing detailed verification of the SNMP (SNMPv1, SNMPv2c and SNMPv3) engine implementation.
</p>
<p>
So far we have noticed that our WinSNMP implementation, the core of all our SNMP products, is vulnerable only in one case. We will post fixed versions of all affected MG-SOFT's SNMP products in few days, on our web site at <a href="http://www.mg-soft.com/">http://www.mg-soft.com/</a>.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="micromuse">
<H4><a href="http://www.micromuse.com/">Micromuse</a></H4>
<blockquote>
Micromuse has published the following response to this advisory :<br>
<br>
<a href="http://www.micromuse.com/supportgate/certadvisoryca2002-03.html">
http://www.micromuse.com/supportgate/certadvisoryca2002-03.html</a><br>
<br>
This will be continually updated.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="microsoft">
<H4><a href="http://www.microsoft.com">Microsoft Corporation</a></H4>
<P>
<blockquote>
The following documents regarding this vulnerability are available from Microsoft:
<blockquote>
<a href="http://www.microsoft.com/technet/security/bulletin/MS02-006.asp">http://www.microsoft.com/technet/security/bulletin/MS02-006.asp</a>
</blockquote>
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="modlink">
<H4><a href="http://www.modlinknetworks.com">ModLink Networks</a></H4>
<P>
<blockquote>
We ran all recommended tests and found no problems in handling
them. All tests passed, no memory leaks, out of bound array
references, or crashing were reported.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="monfox">
<H4><a href="http://www.monfox.com">Monfox, LLC</a></H4>
<P>
<blockquote>
Monfox has completed testing of our Java DynamicSNMP(TM) Agent and Manager
Development Toolkits in accordance with advisory CA-2002-03. Releases of
DynamicSNMP prior to Version 3_3_2 are susceptible to 3 of the test cases
under certain conditions.<br>
<br>
A new release containing fixes for all known vulnerabilities is now
available for download. We will provide patch releases for prior versions
upon request in the event that any customer is not in the position to
upgrade to the latest version.<br>
<br>
For more information, please feel free to contact Monfox by email at
info@monfox.com or by phone at 678-771-4239.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="multinet">
<H4><a
href="http://www.process.com/tcpip/multinet.html">Multinet</a></H4>
<p>
<blockquote>
MultiNet and TCPware customers should contact Process Software to
check for the availability of patches for this issue. A couple of
minor problems were found and fixed, but there is no security risk
related to the SNMP code included with either product.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="muonics">
<H4><a
href="http://www.muonics.com/">Muonics</a></H4>
<p>
<blockquote>
Muonics added SNMP management-role (request originator) capabilities
to its MIB Smithy series of products starting with version
2.0. Notification (trap/inform) processing was added in version 2.1
(the current version as of this report). Neither version supports
agent-role (request processor) capabilities at this time. However, all
PDU types are fully parsed by both versions, including requests,
before unsupported PDU types are discarded by the dispatcher layer.
Both versions of MIB Smithy SDK, from which all of the MIB Smithy
series are derived, have been fully tested with all four of the PROTOS
c06-SNMPv1 Test Suites. Version 2.0 binds to any available port for
sending requests and receiving responses. Since this was not conducive
to testing, a special build was required, with the only difference
from the official 2.0 release being a hard-coded binding to ports 161
and 162 as appropriate. Version 2.1 allows configuration of a bind
port for receiving notifications, so it was not an issue for that
version.
After running the full series of tests we found both versions to
behave as expected, with no signs of failure. We have thus concluded
that Muonics' past and current product versions are not susceptible to
the security vulnerabilities associated with CA-2002-03.<br><br>
VU#107186 - Not Vulnerable<br>
VU#854306 - Not Vulnerable<br>
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="ncipher">
<H4><a
href="http://www.ncipher.com/">nCipher Corp.</a></H4>
<p>
<blockquote>
nCipher Corp. supplies two SNMP products:<br>
<br>
1) a SNMP agent bundled with the nForce/nShield and older nFast products
(nFast 75, 150 and 300)<br>
2) The SNMP support software bundled with the newer nFast800 products.<br>
<br>
The first product (bundled with the nForce, nShield and nFast 75/150/300
range) is a customised NET-SNMP agent version 4.2.1. This is vulnerable
to VU#854306 but not VU#107186. nCipher has upgraded this software
to
the NET-SNMP release 4.2.3 and this is now available as a patch release
(see below).<br>
<br>
The second product (bundled with the nFast800 product) has two operating
modes, one for Linux (and, in the near future, Solaris) and one for
Windows NT/2000. In each case, the only agent used is the one currently
installed on the OS (NET-SNMP for Linux/Solaris and the Microsoft SNMP
agent for Windows); the nCipher-supplied software runs in a separate
process.<br>
<br>
Customers using this product should therefore ensure that their
operating system SNMP agent is patched against this vulnerability.<br>
<br>
On Linux or Solaris , this requires installation of the NET-SNMP version
4.2.2 or greater. Running 'snmpd -v' (make sure it is in your path)
will
tell you the version of the NET-SNMP agent you are currently running.<br>
<br>
On Windows, this will require installation of the forthcoming patch from
Microsoft. If you have not installed the patch from Microsoft and the
'SNMP Service' is running then you are affected.<br>
<br>
Again, if upgrading is not currently possible customers are advised to
disable the SNMP service if it might be exposed to hostile network
traffic, or make use of other suggestions supplied elsewhere in CERT
advisory CA-2002-03.<br>
<br>
nCipher has released a specific advisory, which may be obtained from
<a href="http://www.ncipher.com/support/advisories/">http://www.ncipher.com/support/advisories/</a>
- this includes a patch to
download that upgrades the nCipher agent to version 4.2.3 of the
NET-SNMP kit and fixes the issues listed above. Installation instructions
are
contained within the patch file.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="nec">
<H4><a href="http://www.nec.com">NEC Corporation</a></H4>
<blockquote>
<p>
updated on March 28, 2002<br>
<br>
[Server Products]<br>
<br>
* EWS/UP 48 Series<br>
- OS's of all versions are vulnerable.<br>
- SNMP should be off, if not necessary.<br>
- The patches are available through anonymous FTP from:<br>
FTP server: <a href="ftp.biglobe.ne.jp">ftp.biglobe.ne.jp</a><br>
directory: ~ftp/pub/48pub/security/<br>
Please refer to the README file in the directory.<br>
- Detail information in Japanese is at:<br>
<<a href="http://www.mid.comp.nec.co.jp/48info/48patch/ca200203snmpd.html">
http://www.mid.comp.nec.co.jp/48info/48patch/ca200203snmpd.html</a>><br>
<br>
[Software Products]<br>
<br>
* Network management system:<br>
+ ESMPRO/ServerManager, ESMPRO Manager<br>
- is vulnerable.<br>
- The patch will be available in the end of
March.<br>
- Detail information in Japanese is at:<br>
<<a href="http://www.express.nec.co.jp/care/Security/snmp58.html">
http://www.express.nec.co.jp/care/Security/snmp58.html</a>><br>
<br>
+ ESMPRO/ClientManager(MG), ESMPRO/ClientManager SmallBusiness
Pack<br>
- is vulnerable.<br>
- The patch will be produced.<br>
<br>
+ ESMPRO/Netvisor<br>
- is vulnerable.<br>
- The patch will be produced.<br>
<br>
+ SystemScope/UXServerManager (Viewer,WindowsMG)<br>
- is vulnerable.<br>
- The patch will be produced.<br>
<br>
+ OpenDiosa/OPBASE Base Manager-L (Windows version)<br>
- is vulnerable.<br>
- The patch will be produced.<br>
<br>
[Router Products]<br>
<br>
* Octpower Series<br>
IP8800/700 Series (710,720,730,735,740,750)<br>
IP8800/600 Series (610,620MM,620SM,620SS,630)<br>
ES8800/1700 Series (1711,1712,1720,1730)<br>
MegaAccessRouter Series (MA25UX/4EMA155MX/4EMA155SX/4E)<br>
MegaAccess Series (MA25LU/4EMA155LM/4EMA155LS/4E)<br>
SH380/200<br>
- are vulnerable.<br>
- The patch is available at:<br>
<<a href="http://www.octpower.nec.co.jp/download/index.html">
http://www.octpower.nec.co.jp/download/index.html</a>><br>
- Detail information in Japanese is at:<br>
<<a href="http://www.octpower.nec.co.jp/news/snmp.html">
http://www.octpower.nec.co.jp/news/snmp.html</a>><br>
<br>
* CX5200 Series (CX5220,CX5210)<br>
CX4200 Series (CX4220,CX4210)<br>
- are vulnerable.<br>
- To get fixed software, please contact to:<br>
<mailto: BQOS@ipnw.jp.nec.com><br>
- More information (in Japanese):<br>
<<a href="http://www1.ias.biglobe.ne.jp/IPNW/BQOS/whatsnew.html">
http://www1.ias.biglobe.ne.jp/IPNW/BQOS/whatsnew.html</a>><br>
<br>
[VoIP GW/RAS Products]<br>
<br>
* CX3200<br>
- is vulnerable.<br>
- To get fixed software, please contact to:<br>
<<a href="mailto: BQOS@ipnw.jp.nec.com">mailto:
BQOS@ipnw.jp.nec.com</a>><br>
- More information (in Japanese):<br>
<<a href="http://www1.ias.biglobe.ne.jp/IPNW/BQOS/whatsnew.html">
http://www1.ias.biglobe.ne.jp/IPNW/BQOS/whatsnew.html</a>><br>
<br>
[Other Network Equipment Products]<br>
<br>
[Devices and other products]
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="net.com">
<H4><a href="http://www.net.com">net.com</a></H4>
<blockquote>
<p>
Network Equipment Technologies, dba net.com <br>
Security Advisory:<br>
SNMPv1 Request and Trap Handling Vulnerabilities <br>
Release Date: 22 February 2002<br>
<br>
On February 12, 2002 the CERT®/CC released an advisory related to security
vulnerabilities that may exist in network devices using SNMPv1 as the management
protocol. In response to this advisory, CERT® Advisory CA-2002-03 Multiple
Vulnerabilities in Many Implementations of the Simple Network Management
Protocol (SNMP)", net.com began executing the tests that elicit these vulnerabilities
for all net.com products that feature SNMPv1 capability.<br>
<br>
Preliminary analysis indicates that multiple net.com products may exhibit
certain vulnerabilities to SNMP messages as described in this Advisory. net.com
is currently applying the PROTOS c06-SNMPv1 test suite to all products that
feature SNMPv1 capability. Until net.com has completed testing on all of its products and provided patches
or fixes to eliminate these vulnerabilities, net.com recommends one or more
of the following best practices, as identified in CERT® Advisory CA-2002-03,
to minimize your network's potential exposure to these vulnerabilities:<br>
· Disable SNMP on workstations or devices not being managed by SNMP
managers.<br>
· Ingress filtering<br>
· Egress filtering<br>
· Filter SNMP traffic from non-authorized internal hosts<br>
· Segregate SNMP traffic onto a separate management network<br>
· Restrict SNMP traffic to Virtual Private Networks (VPNs)<br>
· Change default community strings<br>
<br>
For more information please see: <a href="www.net.com/service/">www.net.com/service/</a>
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="netsilicon">
<H4><a href="http://www.netsilicon.com">NetSilicon</a></H4>
<blockquote>
<p>
The PROTOS c-06-SNMPv1 test suite provides evidence that the NetSilicon Softworks
SNMP v1/v2/v3 agent Release 2 is <u>not</u> susceptible to the vulnerabilities
described in this alert. Existing customers, with support agreements, using
Release 1 of the agent can receive a free upgrade to Release 2 via the customer
support link of the NetSilicon Softworks web site at <a href="http://www.netsilicon.com/Sftwrks/Support/helpdesk.asp">
http://www.netsilicon.com/Sftwrks/Support/helpdesk.asp</a>.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="net-snmp">
<H4><a href="http://www.net-snmp.org">NET-SNMP</a></H4>
<blockquote>
<p>
All ucd-snmp version prior to 4.2.2 are susceptible to this vulnerability and users of versions prior to version 4.2.2 are encouraged to upgrade their software as soon as possible (<a href="http://www.net-snmp.org/download/">http://www.net-snmp.org/download/</a>). Version
4.2.2 and higher are not susceptible.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="netaphor">
<H4><a
href="http://www.netaphor.com/">Netaphor</a></H4>
<p>
<blockquote>
NETAPHOR SOFTWARE INC. is the creator of Cyberons for Java -- SNMP Manager
Toolkit and Cyberons for Java -- NMS Application Toolkit, two Java based
products that
may be affected by the SNMP vulnerabilities identified here. The manner in
which they are
affected and the actions required (if any) to avoid being impacted by exploitation
of these
vulnerabilities, may be obtained by contacting Netaphor via email at info@netaphor.com
Customers with annual support may contact support@netaphor.com directly.
Those not under support entitlement may contact Netaphor sales:
sales@netaphor.com or (949) 470 7955 in USA.
</blockquote>
</p>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="netbsd">
<H4><a href="http://www.netbsd.org/">NetBSD</a></H4>
<blockquote>
<p>
NetBSD does not ship with any SNMP tools in our 'base' releases. We do
provide optional packages which provide various support for
SNMP. These packages are not installed by default, nor are they
currently provided as an install option by the operating system
installation tools. A system administrator/end-user has to manually
install this with our package management tools. These SNMP packages include:
</p>
<ul>
<li>netsaint-plugin-snmp-1.2.8.4 (SNMP monitoring plug-in for netsaint)</li>
<li>p5-Net-SNMP-3.60 (perl5 module for SNMP queries)</li>
<li>p5-SNMP-3.1.0 (Perl5 module for interfacing to the UCD SNMP library</li>
<li>p5-SNMP_Session-0.83 (perl5 module providing rudimentary access to remote SNMP agents)</li>
<li>ucd-snmp-4.2.1 (Extensible SNMP implementation) (conflicts with ucd-snmp-4.1.2)</li>
<li>ucd-snmp-4.1.2 (Extensible SNMP implementation) (conflicts with ucd-snmp-4.2.1)</li>
</ul>
We do provide a software monitoring mechanism called 'audit-packages',
which allows us to highlight if a package with a range of versions
has a potential vulnerability, and recommends that the end-user
upgrade the packages in question.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="netscape">
<H4><a href="http://www.netscape.com/">Netscape Communications Corporation</a></H4>
<blockquote>
<p>
Netscape continues to be committed to maintaining a
high level of quality in our software and service offerings.
Part of this commitment includes prompt response to
security issues discovered by organizations such as the
CERT® Coordination Center. <br>
<br>
According to a recent CERT/CC advisory,
The Oulu University Secure Programming Group (OUSPG)
has reported numerous vulnerabilities
in multiple vendor SNMPv1 implementations.
These vulnerabilities may allow unauthorized
privileged access, denial of service attacks, or unstable behavior.<br>
<br>
We have carefully examined the reported findings, performing
the tests suggested by the OUSPG to determine whether
Netscape server products were subject to these vulnerabilities.
It was determined that several products fell into this category.
As a result, we have created fixes which will resolve the issues,
and these fixes will appear in future releases of our product line.
To Netscape's knowledge, there are no known instances of these
vulnerabilities being exploited and no customers have been affected to date.
<br>
<br>
When such security warnings are issued, Netscape has committed to
- and will continue to commit to - resolving these issues in a prompt and
timely fashion, ensuring that our customers receive products of the highest
quality and security.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="netscout">
<H4><a href="http://www.netscout.com/">NetScout Systems, Inc.</a></H4>
<blockquote>
<p>
NetScout has determined that some of its products were affected by the warning
issued by the CERT Coordination Center of vulnerabilities in the processing
of Simple Network Management Protocol (SNMP) messages. As a result,
we have implemented patches, that protect our customers from a potential
attack.. <br>
NetScout customers can obtain necessary patches by going to the Software
Download area on our Web site at www.netscout.com/support. The patches
are found in a directory named “SNMP Security Patch.” Please
contact Customer Support if you require assistance.<br>
<br>
It is important to note that the NetScout probes are passive devices and
as such pose no risk to the network if compromised by an attack exploiting
these vulnerabilities. <br>
<br>
In an effort to help our customers minimize the risk of this vulnerability
to other SNMP enabled devices, NetScout has provided instructions on how
our products can be used to help defend against attacks. These instructions
are available on our Web site at <a href="http://www.netscout.com/support/alert.htm">
http://www.netscout.com/support/alert.htm</a>.<br>
<br>
<br>
If you have further questions regarding the SNMP vulnerabilities warning,
please contact Customer Support at 1-888-357-7667, or 1-978-614-4370 for
assistance.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="netscreen">
<H4><a href="http://www.netscreen.com/">NetScreen</a></H4>
<blockquote>
<p>
NetScreen's Global PRO and Global PRO Express do not have an SNMP agent or
manager and are not sensitive to the issues raised in VU#107186
(CAN-2002-0012), "Multiple vulnerabilities in SNMP v1 trap handling". No
change in behavior or operation is required.<br>
<br>
NetScreen determined that the SNMP agent within all versions of ScreenOS
is sensitive to certain of the issues described in VU#854306
(CAN-2002-0013), "Multiple vulnerabilities in SNMP v1 request handling".
These vulnerabilities can in certain circumstances be exploited to produce
a denial of service. These vulnerabilities cannot be used to gain
management control of the device.<br>
<br>
NetScreen has developed and tested maintenance releases of ScreenOS
software that address these vulnerabilities. All NetScreen security
appliances and systems shipped from NetScreen after Wednesday 13 February
2002 have software pre-installed at the factory that addresses these
vulnerabilities. Customers may download maintenance releases from the
NetScreen support web site (<a href="http://www.netscreen.com/support/">http://www.netscreen.com/support/</a>
).
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="networkappliance">
<H4><a href="http://www.netapp.com/">Network Appliance</a></H4>
<blockquote>
<P>
Information about the vulnerability of our systems has been posted on our
primary support site: NOW (<a href="http://now.netapp.com">http://now.netapp.com</a>
). The following field alert
has also been issued to our customers:<br>
Field Alert # 120: CERT Advisory CA-2002-03: SNMP Vulnerabilities<br>
<br>
Testing shows some NetApp products will be affected by some of the issues
listed in the CERT Advisory.
Please note that NetCache appliances are only vulnerable if the attack comes
from a trusted host.<br>
<br>
The following appliances will PANIC when under attack: F85, F87, F820, F840,
F880, C1100 series, C3100, C6100. The following appliances were not observed
to panic, but they may still be vulnerable to attack: F720, F740, F760,
C720, C760. Information about the bug associated with this vulnerability
can
be found in Bugs Online area of NOW (<a href="http://now.netapp.com">http://now.netapp.com</a>).<br>
<br>
What happens when a filer/cache is hit by these cases?<br>
<br>
The NetApp system will PANIC with a PANIC string similar to the following:<br>
<br>
PANIC: Protection Fault accessing address 0x00000001 from EIP 0x5f02c9 in
process snmpd on release NetApp Release Rxxxxxxxx on Wed Feb 13 02:19:14
2002<br>
<br>
What releases have the fix for this issue?<br>
<br>
Patches have been built for the following OS levels:<br>
<br>
Data ONTAP 5.3.7R3 - Patch is 5.3.7R3D12<br>
Data ONTAP 6.1.1R2 - Patch is 6.1.1R2D16<br>
Data ONTAP 6.1.2R1 - Patch is 6.1.2R1D4<br>
NetCache 5.1 - Patch is 5.1R2D22<br>
NetCache 5.2.1 - Patch is 5.2.1R1D2<br>
<br>
The patches for both Data ONTAP and NetCache are available on the NOW site.<br>
<br>
What will I see if someone attempts to attack my machine and I have
installed an OS with the fix?<br>
<br>
You will see a message similar to the following in the messages log and the
filer or NetCache will continue to function normally.<br>
<br>
Wed Feb 13 21:57:56 GMT [snmpd:warning]: SNMP detected possible buffer
overflow attempt, skipping request<br>
<br>
For more information visit <a href="http://now.netapp.com">http://now.netapp.com</a>
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="network associates">
<H4><a href="http://www.nai.com/">Network Associates</a></H4>
<blockquote>
<P>
PGP is not affected, impacted, or otherwise related to this VU#.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="ncomtech">
<H4><a href="http://www.ncomtech.com/">Network Computing
Technologies</a></H4>
<blockquote>
<P>
Network Computing Technologies has reviewed the information regarding
SNMP vulnerabilities and is currently investigating the impact to our
products.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="networkharmoni">
<H4><a href="http://www.networkharmoni.com/">NETWORK HARMONi, Inc.</a></H4>
<blockquote>
<P>
Network Harmoni's response to CERT Advisory CA-2002-03<br>
The CERT/CC is part of the Networked Systems Survivability (NSS)
Program at the Software Engineering Institute (SEI), Carnegie Mellon
University. The primary goal of the NSS Program is to ensure that
appropriate technology and systems management practices are used to
resist attacks on networked systems and to limit damage and ensure
continuity of critical services in spite of successful attacks.
On February 12th, 2002, CERT issued two advisories that warn of
problems that could arise as the result of improper handling of
malformed packets by applications using SNMP protocols. The Oulu
University Secure Programming Group (OUSPG) had discovered that
improperly formed packets in the form of trap messages to SMNP
managers and request messages to SNMP agents had caused problems in a
number of SNMP based products. A list of vendors, with products
based on SNMP, was compiled by CERT, and they were notified directly
along with the press and analyst community covering the Network
Management space.<br>
<br>
Once we were notified of the situation, we immediately began
regression testing our agent software against the entire Protos Test
Suite: c06-snmpv1 used by Oulu University to discover these two
packet handling vulnerabilities. Because we are not currently
offering products that accept trap messages, testing was focused on
the ability of our SNMP agents to handle malformed SNMP requests
without incident. It was discovered through our testing that both
RMONplus and SLAplus are potentially vulnerable to this method of
disruption and will exhibit unpredictable behavior as a result of
running this test suite. Rather than issue a patch, we have made
modification to both versions of our agent to correct this problem.
Customers concerned about vulnerabilities related to CERT Advisory
CA-2002-03 should contact NETWORK HARMONi at
support@networkharmoni.com for a new build.<br>
<br>
Current status (Wednesday 2/20/2002 4:00 PM):<br>
RMONplus & SLAplus (Builds 232 and above)<br>
Sun Solaris - Passed All tests<br>
Windows XP - Passed All tests<br>
Windows 2000 - Passed All tests<br>
Windows NT - Passed All tests<br>
HP-UX - Passed All tests<br>
IBM AIX - Passed All tests<br>
Linux - Passed All tests
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="nokia">
<H4><a href="http://www.nokia.com/main.html">Nokia</a></H4>
<blockquote>
<P>
This vulnerability is known to affect IPSO versions 3.1.3,
3.3, 3.3.1, 3.4, and 3.4.1. Patches are currently available
for versions 3.3, 3.3.1, 3.4 and 3.4.1 for download from
the Nokia website. In addition, version 3.4.2 shipped
with the patch incorporated, and the necessary fix will
be included in all future releases of IPSO.<br>
<br>
We recommend customers install the patch immediately or
follow the recommended precautions below to avoid any
potential exploit.<br>
<br>
If you are not using SNMP services, including Traps,
simply disable the SNMP daemon to completely eliminate
the potential vulnerability.<br>
<br>
If you are using only SNMP Traps and running Check Point
FireWall-1, create a firewall policy to disallow incoming
SNMP messages on all appropriate interfaces. Traps will
continue to work normally.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="nortel">
<H4><a href="http://www.nortel.com">Nortel Networks</a></H4>
<blockquote>
<p>
Nortel Networks is cooperating to the fullest extent with the CERT Coordination
Center and customers that potentially could be affected and other companies
within the networking industry to assess, address, and resolve the situation.<br>
<br>
For specific information on Nortel Networks response to CERT Bulletin CA-2002-03,
please visit our web site <a href="http://www.nortelnetworks.com/corporate/technology/snpmv1.html">
http://www.nortelnetworks.com/corporate/technology/snpmv1.html </a><br>
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="novell">
<H4><a href="http://www.novell.com">Novell</a></H4>
<blockquote>
<p>
Novell ships SNMP.NLM and SNMPLOG.NLM with NetWare 4.x, NetWare 5.x
and 6.0 systems. The SNMP and SNMPLOG vulnerabilities detected on
NetWare are fixed and available for download. The TID (Technical
Information Document) number is 2961546, it can be obtained from the
url <a href="http://support.novell.com/servlet/tidfinder/2961546">http://support.novell.com/servlet/tidfinder/2961546</a>.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="nudesign">
<H4><a href="http://www.nudesignteam.com/">NuDesign Team, Inc.</a></H4>
<blockquote>
<p>NuDesign Team, Inc. is a vendor of SNMP Management and Agent software
solutions. We have tested our products and identified vulnerabilities
identified by VU#854306, VU#107186, and OUSPG#0100 advisories with our
SNMP Agent and SNMP Trap receiving products. We have applied required
corrections, new versions of NuDesign products have completed the
regression test cycle and have been made available to our customers on Feb
18, 2002.</p>
<p>For additional information please contact NuDesign Team, Inc. at 416
737 0328 or visit www.NuDesignTeam.com.</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="openbsd">
<H4><a href="http://www.openbsd.org/">OpenBSD</a></H4>
<blockquote>
<p>OpenBSD does not ship SNMP code.</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="openwavesystems">
<H4><a href="http://www.openwave.com/">Openwave Systems Inc.</a></H4>
<blockquote>
<p>
Openwave Systems Inc. ackowledges the potential of SNMP vulnerabilities
described in [VU#107186 and VU#854306]. Openwave embeds SNMP
in their messaging products for the purpose of internal measuring and
monitoring of the messaging system. The vulnerabilities listed above
can
cause denial of service of the SNMP service when specific malformed packets
are delivered, but since most customers do not allow SNMP traffic
through their firewall, and only utilize SNMP inside their firewall for
the purpose of internal monitoring, they should be immune
to the SNMP vulnerabilities listed above. Even if SNMP traffic
is allowed through the firewall, or no firewall is employed, the SNMP
vulnerabilities above can at most cause denial of service of the SNMP
services and cannot cause either unprivleged access or denial of service
of the messaging products themselves.<br>
<br>
A patch will be made available by Openwave to address the SNMP
vulnerabilities. Customers can determine if a patch is needed
by inspecting their version of snmpdm via the following command:<br>
<i><br>
% ./snmpdm -d</i><br>
<br>
Versions which are 15.3.1.7 or greater have no vulnerability. Customers
who require upgrades to their version of snmpdm should contact their Openwave
Technical Support representative for availability of a patch on their
specific product line.<br>
<br>
Some customers additionally use a toolkit delivered by Openwave
called the "TACPAC". This toolkit contains a utility called
snmptrapd which is also vulnerable to the SNMP issues mentioned
above. Customers who use this tool are encouraged to
contact their Openwave Technical Support representative to obtain
a new version of the tool which removes the vulnerabilities.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="opticalaccess">
<H4><a href="http://www.opticalaccess.com/">Optical Access</a></H4>
<blockquote>
<p>
Following the release of vulnerability notes VU#107186 and VU#854306, our
company OpicalAccess has two product lines of switches and routers with SNMP
agent implementations: OptiSwitch and OptiSwitch Master.<br>
<br>
Optical Access tested the SNMP agents of our OptiSwitch product line with
the original Oulu university test patterns and found them not vulnerable.<br>
<br>
The OptiSwitch Master product line uses UCD-SNMP version that was found to
be vulnerable. UCD-SNMP version that includes the patch for the reported
vulnerabilities will be integrated into the next major release. Until then,
The use of ACL for management sessions feature can signifficantly reduce
the
risk ( without compromising performance).
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="oracle">
<H4><a href="http://www.oracle.com/">Oracle Corporation</a></H4>
<blockquote>
<p>
Oracle Security Alert #30<br>
Dated: 5 March, 2002<br>
SNMP Vulnerability in Oracle Enterprise Manager, Master_Peer Agent<br>
<br>
Description<br>
<br>
A potential security vulnerability has been discovered in the Oracle Enterprise
Manager (EM)
SNMP monitoring capability for Oracle Database that may result in a potential
Denial of Service
(DoS) attack against EM's "master_peer" agent.<br>
<br>
EM is comprised primarily of two driver programs, the "Intelligent
Agent" that performs core EM
functionality and the "master_peer" agent that provides monitoring
capability for EM when SNMP
is being used.<br>
<br>
This potential security vulnerability can manifest only when the SNMP monitoring
feature is used
in addition to the default functionality provided by EM. The "master_peer"
agent of EM, which
provides the SNMP monitoring capability, is vulnerable to ill-formed SNMP
requests that render it
unable to respond to further SNMP requests or send unsolicited SNMP messages.<br>
<br>
Note: The "Intelligent Agent" is not affected by this potential security
vulnerability. Therefore,
EM's core functionality such as job submission, event registration,
notifications, etc. is not
affected.<br>
<br>
Products affected<br>
<br>
EM Releases 1.6.5, 2.0, 2.1, 2.2, 9.0.1 running on (or "included with"):<br>
- Oracle7 Database, Release 7.3.x<br>
- Oracle8 Database, Releases 8.0.x<br>
- Oracle8i Database, Releases 8.1.x<br>
- Oracle9i Database, Release 9.0.1.x<br>
<br>
Platforms affected<br>
Windows and all Unix platforms that support SNMP variants except for IBM
AIX.<br>
<br>
Workarounds<br>
There are no workarounds to protect against the SNMP vulnerability.<br>
<br>
Patch Information<br>
Oracle has fixed the potential vulnerability identified above in patch/bug
fix number 2224724. Patches will be available only for supported releases of EM and Oracle Database
on all platforms
that require a patch.<br>
<br>
Download currently available patches for your platform from Oracle's Worldwide Support web
site, Metalink, <a href="http://metalink.oracle.com">http://metalink.oracle.com</a>
. Activate the "Patches" button to get to the patches Web
page. Enter the patch/bug fix number indicated above and activate the "Submit"
button.<br>
<br>
Please check Metalink and/or with Oracle Worldwide Support periodically for
patch availability if
the patch for your platform is not yet available.<br>
<br>
Oracle strongly recommends that you comprehensively test the stability of
your system upon
application of any patch prior to deleting any of the original file(s) that
are replaced by the patch.<br>
<br>
Credits<br>
<br>
Oracle Corporation thanks CERT of Carnegie Mellon University's Software
Engineering Institute
for bringing this potential security vulnerability to Oracle's attention.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="outbackresourcegroup">
<H4><a href="http://www.outbackinc.com/">OutBack Resource Group, Inc.</a></H4>
<blockquote>
<p>
OutBack Resource Group, Inc.<br>
<br>
OutBack Resource Group, Inc. acknowledges the potential of SNMP<br>
vulnerabilities as identified in the following CERT advisories:<br>
<br>
VU#854306 - Multiple vulnerabilities in SNMPv1 request handling<br>
VU#107186 - Multiple vulnerabilities in SNMPv1 trap handling<br>
<br>
OutBack has investigated how these vulnerabilities may impact<br>
OutBack's jSNMP Enterprise product and has determined the following:<br>
<br>
VU#854306 - This advisory is not applicable to jSNMP, because jSNMP<br>
does not accept or process SNMP Get, Set, or GetNext PDUs; rather,<br>
jSNMP sends those requests to SNMP agents and processes subsequent<br>
responses.<br>
<br>
VU#107186 - jSNMP v3.2 passed the 24,098 applicable tests in the<br>
PROTOS c06-snmpv1 test suite. jSNMP v3.1 failed only one test with<br>
undesirable behavior. No consequences, other than potential<br>
denial-of-service, are known. There have been no reported instances<br>
of this vulnerability being exploited in the jSNMP product.<br>
<br>
We recommend that our customers upgrade to the latest available<br>
version of jSNMP.<br>
<br>
Up-to-date information is available at www.outbackinc.com or<br>
support@outbackinc.com.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="paradyne">
<H4><a href="http://www.paradyne.com/">Paradyne</a></H4>
<blockquote>
<p>
A recent alert issued by CERT states that any device connected to the Internet
has potential security vulnerability. The specific root cause relates to
SNMP v1, which is implemented in many Paradyne products. This alert
has caused a number of Paradyne customers to call and request an official
statement and risk assessment associated with Paradyne's equipment.
<br>
<br>
The purpose of this document is to inform you that Paradyne engineering staff
is currently assessing the situation to determine if any vulnerabilities
exist. The analysis will take into consideration product features,
SNMP v1 issues and the typical usage of our products in DSL and Frame Relay
network topologies. In typical configurations, direct connection to the Internet
with Paradyne devices and/or management systems is extremely rare. <br>
<br>
Please note that while no device is completely secure, Paradyne has implemented
several safeguards that protect against intrusion such as that identified
by CERT Advisory CA-2002-03. Prior to the time that Paradyne releases
a more comprehensive statement, we recommend that you take the following
actions as appropriate:<br>
<br>
· Change community string from public; choose obscure names<br>
· Use device SNMP access list capability<br>
· Use firewall at NOC if NOC has access to Internet, same for
CEU central site products (FrameSaver)<br>
· Utilize inband management (dedicated management PVC) when
possible<br>
<br>
Taken together, these methods provide a robust security feature set which
should minimize the impact of the concerns raised in the CERT alert.
With this said, Paradyne will release a more complete assessment as soon
as possible. This response will consist of an analysis of the overall
security risks, recommendations to mitigate these risks and, if necessary,
plans for the introduction of new code to close any identified security breaches.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="perlesystems">
<H4><a href="http://www.perle.com/">Perle Systems</a></H4>
<blockquote>
<p>
With regard to CERT Advisory CA-2002-03, it has been recognized by Perle
Systems that specific Perle products may be exposed to these SNMP
vulnerabilities. Perle is addressing these vulnerabilities across
all
affected product lines and has released an advisory and solution guide
at: <a href="http://www.perle.com/support_services/index.shtml">http://www.perle.com/support_services/index.shtml</a>
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="powerware">
<H4><a href="http://www.powerware.com/">Powerware Corporation</a></H4>
<blockquote>
<p>
Powerware Corporation notice regarding CERT SNMP Vulnerability Announcement
and popular Powerware Connectivity Devices<br>
<br>
Most customers operate firewalls that block externally
originating SNMP
traffic, and further, detect and prevent Denial of Service attacks.
It is
these devices that constitute a main focal point of SNMP concern since they
represent the vanguard of your network.<br>
<br>
Based upon SNMP blocking and ingress/egress
filtering, any possible
potential security vulnerability may only be exploited
by users who have
access to your local security domain, therefore the risk is diminished.<br>
<br>
Testing has revealed the following:<br>
<br>
Powerware, to date, knows of no SNMP-related security issues with its
legacy, internal and external, ConnectUPS SNMP cards. Testing with the
ConnectUPS and BestLink SNMP/Web Card has revealed that the card can, under
direct attack, cease to respond to further network requests. This resulting
behavior does not affect the operation of the underlying UPS. A firmware
patch will be available on the Powerware web site shortly
(<a href="www.powerware.com">www.powerware.com</a>).
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="qualcomm">
<H4><a href="http://www.qualcomm.com/">Qualcomm</a></H4>
<blockquote>
<p>
WorldMail does not support SNMP by default, so customers who run
unmodified installations are not vulnerable.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="quallabycorporation">
<H4><a href="http://www.quallaby.com/">Quallaby Corporation</a></H4>
<blockquote>
<p>
QUALLABY's findings to date regarding the recent CERT advisory are as follows:
<br>
<br>
CERT Advisory CA-2002-03<br>
<br>
VU#854306 - Multiple Vulnerabilities in SNMPv1 Request Handling - <br>
This advisory is not applicable to PROVISO as it is a management
system and not an agent. As a management system, PROVISO does not accept
SNMP requests.
PROVISO sends SNMP requests and processes subsequent SNMP responses.<br>
<br>
CERT Advisory CA-2002-03<br>
<br>
VU#107186 - Multiple Vulnerabilities in SNMPv1 Trap Handling - <br>
This advisory is not applicable to PROVISO as it does not accept
SNMP Trap PDU. PROVISO only sends SNMP Traps.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="quickeaglenetworks">
<H4><a href="http://www.quickeagle.com/">Quick Eagle Networks</a></H4>
<blockquote>
<p>
Quick Eagle Networks, Inc. is a provider of intelligent WAN access solutions
for IP and frame relay networks, and the world leader in multilink access
devices. Quick Eagle Networks continues to be committed to ensure a high
level of security and reliability of our customer’s networks. Part
of this commitment includes prompt responses to security issues discovered
by organizations such as the CERT® Coordination Center.<br>
<br>
I. Overview<br>
<br>
On February 12, 2002 the CERT®/CC released an advisory related to security
vulnerabilities that may exist in network devices using SNMPv1 as the management
protocol. In response to this advisory (CERT Advisory CA-2002-03: Multiple
Vulnerabilities in Many Implementations of the Simple Network Management
Protocol), Quick Eagle Networks Inc. began immediately investigating whether
these vulnerabilities impact Quick Eagle's products. <br>
<br>
II. Test Procedures<br>
<br>
Quick Eagle Networks is currently applying the PROTOS c06-SNMPv1 test suite
to all products and its variations that feature SNMPv1 capability. The tests
evaluate the robustness of the application logic of the SNMPv1 implementation
as well as the robustness of the BER decoder of the SNMPv1 implementation.<br>
<br>
III. Impact<br>
<br>
Preliminary test results have not indicated any vulnerability that will allow
an
attacker to gain access. In general, Quick Eagle Networks' products use out
of
band management, eliminating the chances of an attacker to gain access from
the
outside of a network. While most of Quick Eagle Networks' newer WAN access
devices have already passed the test, some of Quick Eagle Networks' older
products are still under investigation.<br>
<br>
IV. Solution<br>
<br>
Until Quick Eagle Networks has completed testing on all of its products and
provided patches or fixes to eliminate these vulnerabilities, Quick Eagle
Networks recommends considering one or more of the following solutions, as
also identified in CERT® Advisory CA-2002-03, to minimize your network’s
potential exposure to these vulnerabilities:<br>
<br>
· Disable SNMP on the device<br>
· Change the default community strings<br>
· Disconnect the management port. This won’t have any impact
on your network traffic as Quick Eagle’s solutions use out of band
management.<br>
<br>
The recommendations above apply only for those products that are still under
evaluation. Please refer to our status report for further information.<br>
<br>
IV. Status Reports<br>
<br>
For more information please visit <a href="http://www.quickeagle.com/support/cert.asp">
http://www.quickeagle.com/support/cert.asp</a>
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="raddatacommunications">
<H4><a href="http://www.rad.co.il/">RAD Data Communications Ltd.</a></H4>
<blockquote>
<p>
The security of our customer's networks is of highest priority to RAD Data
Communications Ltd. ("RAD"). RAD is aware of CERT's Advisories VU#854306
and
VU#107186, and is working together with it's partners to assess if any of
its products might be affected.<br>
<br>
VU#107186: RAD's Network Management System (RADview) is not vulnerable to
the extent of working in conjunction with 3rd party products, such as Castle
Rock's SNMPc 5, HP's NNM 6.2, Microsoft's Windows NT4 and Sun's Solaris 2.7.
Customers are advised to consult the respective responses of these vendors,
available at http://www.kb.cert.org/vuls/id/854306 and verify that they comply
with each vendor's specific recommendations.<br>
<br>
VU#854306: As a first measure, we have requested from 3rd party software
developers, the products of which are integrated within RAD's SNMP agents
and Network Management station, to provide us with statements as to their
products vulnerabilities and their potential impact. We are currently
waiting for their conclusions. In parallel, RAD is in process of internally
setting up the testing schedules and facilities to ascertain the
vulnerability of our products.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="radware">
<H4><a href="http://www.radware.com/">Radware</a></H4>
<blockquote>
<p>
<p>Radware has assessed its SNMP based products against the vulnerabilities identified in CERT Advisory CA-2002-03.
The following table identifies by product the currently available software maintenance releases that include the fix for the SNMP vulnerabilities:</p>
<dl><dd><table cell cellpadding="4">
<tr><td><small><b><i>Product</i></b></small></td>
<td><small><b><i>Release (HW Platforms)</i></b></small></td></tr>
<tr><td valign="top"><small><b>WSD</b></small></td>
<td><small>6.18.02 (H, C)<br>7.10.08 (AS2, AS1, H, C)<br>7.20.02 (AS1, H)<br>7.21.02 (AS2, AS1)</small></td></tr>
<tr><td valign="top"><small><b>CSD</b></td>
<td><small>3.30.02 (AS2, AS1)<br>3.40.01 (AS2, AS1)</small></td></tr>
<tr><td valign="top"><small><b>FP</b></td>
<td><small>2.20.09 (AS1, H, C)</small></td></tr>
<tr><td valign="top"><small><b>LP</b></td>
<td><small>3.20.09 (AS1, H, C)</small></td></tr>
<tr><td valign="top"><small><b>CertainT 100</b></small></td>
<td><small>2.20.00 (Model A, Model B)</small></td></tr>
</table></dl>
<p>Radware customers can download this software from the following link:<br>
<br>
<a href="http://www.radware.com/content/support/customers/downloads/index.htm">
http://www.radware.com/content/support/customers/downloads/index.htm</a></p>
<p>Radware Channel Partners can download this software from the following link:<br>
<br>
<a href="http://www.radware.com/content/support/techresources/prodinfo/SWStatusMatrix.htm">
http://www.radware.com/content/support/techresources/prodinfo/SWStatusMatrix.htm</a></p>
<p>For upgrades within the same feature release, e.g. WSD 7.10.07 to WSD 7.10.08,
software passwords are not needed.</p>
<p>For upgrades to a new feature release, e.g. WSD 7.10.07 to WSD 7.21.02,
a software password is needed and can be obtained by contacting Radware technical support at
<a href="mailto:support@radware.com?subject=CERT Advisory Assistance">support@radware.com</a>.
The unit must be covered by an active support agreement to obtain a password
for a feature release upgrade.
Additional requirements, e.g. minimum Boot ROM software version, may exist.
Software upgrade instructions can be found at the following link:<br>
<br>
<a href="http://www.radware.com/archive/support/general/info/upgrades.PDF">
http://www.radware.com/archive/support/general/info/upgrades.PDF</a></p>
<p>Anyone who does not have access to the restricted areas of the Radware web site
or has any other questions regarding these maintenance releases and the upgrade process,
can contact Radware Technical Support at <a href="mailto:support@radware.com?subject=CERT Advisory Assistance">support@radware.com</a>
for assistance.</p>
<p>At all times, Radware recommends taking the following standard security precautions:</p>
<ul>
<li>Disable all remote management access through all unnecessary interfaces using the SNMP
or Management Ports Table feature, depending on the specific software release in use.
<li>If possible, limit all remote management access to a physically separate port
that is connected to a secure management segment.
</ul>
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="redbacknetworks">
<H4><a href="http://www.redback.com/">Redback Networks, Inc.</a></H4>
<blockquote>
<p>
Redback Networks, Inc. has identified that the vulnerability described
in CA-2002-03 may affect its products. To that end Redback has been
providing security workarounds to protect existing installations and
will issue software patches to provide a conclusive solution to the
problem. The SmartEdge Transport product line is unaffected by this
vulnerability. Customers should contact Redback Networks Technical
Assistance Center [Domestic TAC number (877) 733 2225; International TAC
number is 31-104987777; Web: <a href="www.redback.com/support">www.redback.com/support</a>
] for more
information and workarounds.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="redhat">
<H4><a href="http://www.redhat.com">Red Hat</a></H4>
<blockquote>
<p>RedHat has released a security advisory at<br><br>
<a
href="http://www.redhat.com/support/errata/RHSA-2001-163.html">http://www.redhat.com/support/errata/RHSA-2001-163.html</a><br><br>
with updated versions of the ucd-snmp package for all supported
releases and architectures. For more information or to download the
update please visit this page.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="riverstonenetworks">
<H4><a href="http://www.riverstonenet.com/">Riverstone Networks</a></H4>
<blockquote>
The Riverstone product line is, under certain circumstances,
vulnerable tosome of the SNMP issues described in CERT's VU#854306 (advisory
CA-2002-03). Based on current testing the assessment is that the risk to
an
operational network is low. Patch releases 7.0.2.6 and 8.0.3.3 will correct
these
vulnerabilities.<br>
<br>
Please, implement the following workarounds until these patches are made
available:<br>
<br>
<ul type="disc">
<li>create access control lists to allow only trusted management
stations to access the router.</li><br>
<li>create an exclusive management VLAN to manage the router.</li><br>
<li>manage the router through its ethernet management interface.<br>
or<br>
<li>disable SNMP</li>
</ul>
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="secureworks">
<H4><a href="http://www.secureworks.com">SecureWorks, Inc.</a></H4>
<blockquote>
<p>
SecureWorks is not vulnerable to SNMP based attacks. The SecureWorks
iSensor and Secure Operations Center uses a proprietary protocol in order
to
remotely monitor and configure devices. Additionally, the SecureWorks
iSensor is capable of filtering malformed and/or illegal snmp packets in
order to protect against incoming and outgoing SNMP based attacks.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="sierrawireless">
<H4><a href="http://www.sierrawireless.com">Sierra Wireless</a></H4>
<blockquote>
<p>
We are not vulnerable.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="sinetica">
<H4><a href="http://www.sinetica.co.uk/">Sinetica Corporation Limited</a></H4>
<blockquote>
<p>
<a href="http://www.kb.cert.org/vuls/id/IAFY-56DKEV">http://www.kb.cert.org/vuls/id/IAFY-56DKEV</a>
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="sgi">
<H4><a href="http://www.sgi.com">SGI</a></H4>
<blockquote>
<P>
SGI acknowledges the SNMP vulnerabilities reported by CERT and is
currently investigating. No further information is available at this
time.
</p>
<p>
For the protection of all our customers, SGI does not disclose,
discuss or confirm vulnerabilities until a full investigation has
occurred and any necessary patch(es) or release streams are available
for all vulnerable and supported IRIX operating systems. Until SGI
has more definitive information to provide, customers are encouraged
to assume all security vulnerabilities as exploitable and take
appropriate steps according to local site security policies and
requirements. As further information becomes available, additional
advisories will be issued via the normal SGI security information
distribution methods including the wiretap mailing list on <A
HREF="http://www.sgi.com/support/security/">http://www.sgi.com/support/security/</a>.
</P>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="sniffertechnologies">
<H4><a href="http://www.sniffer.com/">Sniffer Technologies</a></H4>
<blockquote>
<P>
SNMP Request and Trap Handling Security Advisory<br>
Revision 1.0<br>
Release Date: 03/01/02<br>
<br>
Sniffer Technologies has prepared this advisory regarding SNMP in
Sniffer Technologies products. This advisory contains specific
instructions on how to disable these services where security may be an
issue.<br>
<br>
An update regarding this issue will be sent to all Sniffer Technologies
customers on Wednesday, March 13, 2002. The Sniffer Technologies team
is working diligently to fully resolve this issue. If you have further
questions in the interim, please contact technical support.<br>
<br>
What is the SNMP security risk?<br>
<br>
On February 12, 2002, The CERT Coordination Center issued a warning that
a broad array of network equipment used on the Internet -- including
switches, routers, hubs, printers and operating systems -- may be
vulnerable to an SNMP-related attack that could cause equipment to fail
or allow an attacker to take control of it. Though not mentioned on
their list of vendors, our Sniffer Distributed product is another such
device that may have this inherent SNMP vulnerability because of its
RMON/SNMP capabilities.<br>
<br>
There are two areas in our product that can be affected by this security
concern.<br>
<br>
1. The RMON/SNMP features of our Sniffer Distributed Appliance<br>
2. The Trap Capture application at our SniffView Console<br>
<br>
In both cases, these SNMP commands can be disabled on our product if not
in use.<br>
<br>
Can I avoid using these features in the Sniffer Distributed Product
without affecting the capabilities of the Sniffer Product?<br>
<br>
Yes, you can disable the SNMP/RMON capabilities of the product and
utilize our proprietary method of logging network statistics and Expert
Symptom and Diagnosis to disk for reporting with Reporter and/or Sniffer
Watch. This method does not utilize SNMP and therefore is not
susceptible to the SNMP vulnerability. You will still have the same
statistics and reports that are available using the SNMP/RMON features
of the product, with the addition of the Expert Symptoms and Diagnosis
which are unique to our method of logging and reporting.<br>
<br>
How do I turn off these SNMP capabilities in the product?<br>
<br>
Turning off SNMP at the Sniffer Distributed Appliance:<br>
By default, the SNMP and RMON features of the Sniffer Distributed
Appliance are enabled. To turn off these features, follow the
procedures below.<br>
<br>
1. Either Start Probe Viewer at the Sniffer Distributed Appliance, or
"Configure" an Agent from your SniffView Console.<br>
2. Select the SNMP tab.<br>
3. Disable SNMP Trap<br>
4. Disable SNMP/RMON.<br>
5. Restart the Sniffer Distributed Appliance for changes to take effect.<br>
<br>
Turning off the SNMP Trap Capture at the SniffView Console:<br>
By default, when you install the SniffView Console a program called Trap
Capture automatically gets installed and runs in the background. This
program can accept SNMP Traps from Sniffer Distributed Appliances as
well as other SNMP devices. Follow the procedures below to turn it
off:<br>
<br>
1. Start the SniffView Alarm Manager.<br>
2. Select Toggle Trap capture. The Trap capture program will be
disabled. However, if you reboot the PC the SniffView Console is running
on it will turn itself back on. Therefore you must remember to disable
it again.<br>
<br>
Will these features be disabled in the future?<br>
<br>
Yes, the SNMP/RMON features of the product will be disabled by default
starting with the Sniffer Distributed v4.1 (with Support for Web
Console) version.<br>
<br>
What if I require these features?<br>
<br>
If you require these features then there are a few steps that you can
take to protect yourself from this security concern.<br>
<br>
1. Under the SNMP Tab (see above) Change Community name from
"public" to
something else.<br>
2. Using routers and/or firewalls, control SNMP access to the
Sniffer
Distributed Appliances or SniffView Console to ensure the traffic
originates from known management systems and addresses.<br>
3. Filter SNMP services at your network perimeter (ingress/egress
filtering).<br>
4. Segregate network management traffic onto a separate network.
(i.e. a
VPN) Refer to CERT advisory CA-2002-03
(http://www.cert.org/advisories/CA-2002-03.html) for more details and
the most recent information regarding recommended solutions.<br>
<br>
How will this security concern affect my network?<br>
<br>
This issue has the potential to create a denial of service attack. An
attacker sending bogus SNMP requests and traps could flood the Sniffer
Distributed Appliance and/or SniffView console running the Trap Capture
application. This might cause the system to hang and may require a
reboot.<br>
<br>
An attacker should not be able to configure or take control of either
the Sniffer Distributed Appliance or the SniffView Console.<br>
<br>
Has anyone reported an exploitation of this vulnerability on a Sniffer
Distributed system?<br>
<br>
No.<br>
<br>
Have we notified CERT of our concern?<br>
<br>
Yes<br>
<br>
Where can I find out more information regarding this security concern?<br>
For more information regarding this vulnerability please refer to the
following URLs on CERT's web site:<br>
http://www.cert.org/advisories/CA-2002-03.html<br>
http://www.cert.org/tech_tips/snmp_faq.html
</P>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="snmpresearch">
<H4><a href="http://www.snmp.com/">SNMP Research International</a></H4>
<blockquote>
<P>The most recent releases (15.3.1.7 and above) of all SNMP
Research products address the vulnerabilities identified
in the following CERT vulnerability advisories:
<blockquote>
VU#854306 (Multiple vulnerabilities in SNMPv1 request handling)<BR>
VU#107186 (Multiple vulnerabilities in SNMPv1 trap handling)
</blockquote>
<P>A few of the malformed packets sent in these tests result in
out of bound array references in allocated memory and minor memory
leaks. No consequences, other than potential denial of service
on some platforms, are known.
<P>All customers who maintain a support contract have received either
the new release or the appropriate patch sets to their 15.3.1.1
and later source code releases addressing these vulnerabilities. Users
maintaining earlier releases should update to the current release if
they have not already done so. Up-to-date information is available from
<a href="mailto:support@snmp.com">support@snmp.com</A>.
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="sonicwall">
<H4><a href="http://www.sonicwall.com/">SonicWALL, Inc.</a></H4>
<blockquote>
SonicWALL has tested its products in response to CERT® Advisory
CA-2002-03 "Multiple Vulnerabilities in Many Implementations of the
Simple Network Management Protocol (SNMP)," SonicWALL's has found NO
evidence of any SNMP vulnerabilities in any SonicWALL Firewall/VPN
appliance or Red Creek 3VPN appliances. No updates are required to
maintain the integrity of these products.<br>
<br>
SonicWALL acknowledges the potential of SNMP vulnerabilities in its SSL
offloader products and is currently working to address any potential
security issues. However, exposure to vulnerability is extremely low due
to the nature of the typical SSL Offloader network configuration.
Because the SSL Offloader is located within a secure network
environment, rather than at the network perimeter, the only opportunity
for attack would be internal. Customers can eliminate the risk by
temporarily disabling the SNMP sub-system.
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="solarwinds">
<H4><a href="http://www.solarwinds.net/">SolarWinds.Net, Inc.</a></H4>
<blockquote>
While the SolarWinds tools are not susceptible to the vulnerabilities
listed within this advisory, SolarWinds products can be used to
determine if SNMP agents contain known vulnerabilities.<br>
<br>
SolarWinds supports the recommendations made by CERT regarding SNMP
implementations and has released a Router Security Check tool that
can be used to check routers and switches for several known SNMP
security flaws.<br>
<br>
For more information on using the SolarWinds tools to secure your
SNMP implementation please visit:<br>
<a href="http://www.solarwinds.net/Tools/Security/Security_SNMP.htm">http://www.solarwinds.net/Tools/Security/Security_SNMP.htm</a>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="sonusnetworks">
<H4><a href="http://www.sonusnet.com">Sonus Networks</a></H4>
<blockquote>
<p>
Since the release of CERT Advisory CA-2002-03, Sonus Networks has
reviewed its product offering and determined a potential issue may exist
within
its management offering.<br>
<br>
The Sonus PSX6000, SGX2000, and Insight products utilize SNMP Research
software in the SONScia package that has been identified by its vendor
as possibly vulnerable to the exploit. Sonus product versions 3.2.x,
3.3.x, and 3.4.x all have the affected SONScia package. The issue has
been
resolved in the upcoming 4.0 versions of the PSX6000, SGX2000, and
Insight products and concerned customers are advised to upgrade as the software
becomes available.<br>
<br>
Sonus PSX6000, SGX2000, and Insight products run on top of Sun
Microsystems's Solaris operating environment (versions 2.6 and 2.8).
Sun Microsystems has identified these operating environments as vulnerable
to the exploit IF they are started or used. Given that Sonus Networks
software neither starts nor uses the process in question, snmpdx, Sonus products
are not vulnerable to the exploit through this Solaris process.<br>
<br>
The Sonus GSX9000 does not use the same third party software as other
products from Sonus Networks and at this time we have not found any problems
relating to its SNMP operation. Negative testing is a routine portion
of
GSX9000 SQA and to date has not shown any undesired results. We have
recently
tested the GSX9000 with OUSPG's PROTOS c06-snmpv1 test suite and those tests
passed successfully.
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="spidersoftware">
<H4><a href="http://www.spider.com">Spider Software</a></H4>
<blockquote>
<p>
Spider is currently investigating this potential problem and, if
applicable, a new version of the SNMP agent will be made available through
the standard release process of SpiderTCP.<br>
<br>
Spider will notify its customers of any new patches resulting from this
investigation through the normal support channel.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="standardnetworks">
<H4><a href="http://www.stdnet.com">Standard Networks, Inc.</a></H4>
<blockquote>
Standard Networks offers a "mainframe connectivity" family of products under
the "UniGate" brand name.
These products contain SNMP agents. After reviewing the recent information
regarding SNMP vulnerabilities,
performing a source code audit and running a variety of publicly available
SNMP exploit suites (including the OUSPG test suite),
we believe the UniGate product is not vulnerable to the problems described
in VU#854306.<br>
<br>
SNMP agent services are enabled by default on UniGate after version 3.6.07.
(This version was released in late 1995; anyone
with a "Year 2000 Compliant" version runs SNMP services.) It is not currently
possible to turn on and shut off SNMP services
on a UniGate, but it is possible to change the "inquiry" and "update" strings
to unusual values (i.e. "m2H9j3s4")
to prevent unauthorized access to the machine. Alternatively, a current version
of the UniGate software with SNMP "hardcoded off" (3.99.31)
is available from Standard Networks directly for customers who feel they
need to have this service disabled immediately.
(A future version will allow users to toggle SNMP services on and off.)<br>
<br>
Attempts to find or exploit SNMP vulnerabilities on a UniGate platform will
often cause the UniGate to log those attempts
as "Community Errors" or "Misc Errors" on the "SNMP Statistics" screen and/or
as "IP: Fragment Msg too big" errors on the main status screen.<br>
<br>
Standard Networks' "OpenIT mainframe connectivity" product will also act
as an SNMP agent if SNMP is enabled under Windows NT (rare).
OpenIT customers are encouraged to follow "Microsoft Corporation's" latest
recommendations regarding Windows
NT SNMP issues if they are using this service. It is however possible to
immediately disable any active SNMP services on
any OpenIT platform by stopping the "SNMP" service from the "Services Control
Panel."<br>
<br>
No other Standard Networks products (i.e. "EMU Terminal Emulator", "ActiveHEAT
Host Access", the "MOVEit" family of secure file transfer products) are affected
by this issue.<br>
<br>
Customers are encouraged to call Standard Networks immediately (+001 608.227.6100)
with any questions or concerns about their specific configuration.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="stonesoft">
<H4><a href="http://www.stonesoft.com">Stonesoft</a></H4>
<blockquote>
<p>
Stonesoft's StoneGate product does not include an SNMP agent, and is therefore not vulnerable to this. Other Stonesoft's products are still under investigation. As further information becomes available, additional advisories will be available at
<p>
<a href="http://www.stonesoft.com/support/techcenter/">http://www.stonesoft.com/support/techcenter/</a>
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="sun">
<H4><a href="http://www.sun.com">Sun Microsystems, Inc.</a></H4>
<blockquote>
<P>
Sun's SNMP product, Solstice Enterprise Agents (SEA), described here:
<blockquote>
<a href="http://www.sun.com/solstice/products/ent.agents/">http://www.sun.com/solstice/products/ent.agents/</a>
</blockquote>
is affected by <a href="http://www.kb.cert.org/vuls/id/854306">VU#854306</a> but not <a href="http://www.kb.cert.org/vuls/id/107186">VU#107186</a>. More specifically the main agent of SEA, snmpdx(1M), is
affected on Solaris 2.6, 7, 8. Sun has released Security Bulletin <a href="http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/215">#00215</a>.
<p>
Sun Security Bulletins are available from:
<blockquote>
<a href="http://sunsolve.sun.com/security">http://sunsolve.sun.com/security</a>
</blockquote>
Sun patches are available from:
<blockquote>
<a href="http://sunsolve.sun.com/securitypatch">http://sunsolve.sun.com/securitypatch</a><br><br>
Sun products which utilize SNMP are listed in the following SunAlert along<br>
with their vulnerability status:<br>
<br>
<a href="http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F43704">
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F43704</a><br>
<br>
Products listed with a vulnerability status of "Under Investigation" will<br>
be updated as soon as more information becomes available.
</blockquote>
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="symantec">
<H4><a href="http://www.symantec.com/">Symantec Corporation</a></H4>
<blockquote>
<p>
Symantec verified that the snmptrap.exe on the Intruder Alert (ITA)
3.6 agent, if configured to accept SNMP traps from Symantec
NetProwler, is susceptible to a communications Denial of Service when
the PROTOS test suite is directed against it. The communicator
service will be halted, the halt will be logged and the service
requires a restart to reinitiate communications.<br><br>
This should be a very low risk issue to Symantec ITA customers. The
snmptrap.exe module is loaded on an ITA agent machine. Depending on
customer configuration if the snmptrap module is loaded on an ITA
agent located on the internal network of the company then the
collector is only vulnerable to an internal attack as long as the
firewall rule set blocks snmptrap communications through the firewall.<br><br>
The functionality of the snmptrap.exe allows smooth integrated alert
management of both NIDS and HIDS from a single administrator console.
Halting the communicator module disrupts the integrated communications
only. Both the NetProwler and the ITA IDS systems continue to fuction
normally but will require monitoring from separate consoles until the
communicator service is restarted.<br><br>
Symantec takes any product issue such as this very seriously. We have
developed a patch for Symantec ITA 3.6 that addresses this problem.
The patch is available to Symantec ITA 3.6 customers from the Symantec
customer ITA ftp download site as ITA3_6Patch1/061302/. There is a
patch for both domestic and international releases.<br><br>
Please contact supportsolutions@symantec.com for questions on product
upgrades.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="tandberg">
<H4><a href="http://www.tandberg.no/">TANDBERG</a></H4>
<blockquote>
<p>
Tandberg have run all the testcases found the PROTOS test-suite, c06snmpv1:<br>
<br>
1. c06-snmpv1-req-app-pr1.jar<br>
2. c06-snmpv1-req-enc-pr1.jar<br>
3. c06-snmpv1-trap-app-pr1.jar<br>
4. c06-snmpv1-trap-enc-pr1.jar<br>
<br>
The tests were run with standard delay time between the requests
(100ms), but also with a delay of 1ms. The tests applies to all
TANDBERG products (T500, T880, T1000, T2500, T6000 and T8000). The
software tested on these products were B4.0 (our latest software) and
no problems were found when running the test suite.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="tavve">
<H4><a href="http://www.tavve.com/">Tavve Software Company</a></H4>
<blockquote>
<p>
Tavve Software Company has investigated its products in light of CERT
Advisory CA-2002-03 regarding SNMP vulnerabilities. Tavve's EventWatch,
PReView, and Amerigo products always reside within the network management
system (NMS) framework supplied by either HP OpenView Network Node Manager
or Tivoli NetView; therefore, these Tavve products have no inherent or
intrinsic exposure to SNMP vulnerabilities beyond those of the underlying
NMS. We advise our customers to apply any patches for Network Node
Manger
or NetView made available by HP or Tivoli. Tavve has created a solution
for ePROBE and will make this update available via its Web site (<a href="http://www.tavve.com">
http://www.tavve.com</a>).
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="tivoli">
<H4><a href="http://www.tivoli.com/">Tivoli Systems</a></H4>
<blockquote>
<p>
Introduction<br>
<br>
This document serves as an update regarding the current status of Tivoli/IBM
products’ implementation of Simple Network Management Protocol (SNMP),
Version 1, and the potential vulnerabilities related to the implementation.
<br>
<br>
Tivoli has identified the following products that implement SNMP v1:<br>
<br>
§ Tivoli NetView for Unix<br>
<br>
§ Tivoli NetView for Windows<br>
<br>
§ Tivoli NetView Mid-Level Manager (MLM)<br>
<br>
§ Tivoli Comprehensive Network Address Translator
(CNAT)<br>
<br>
§ Tivoli NetView for OS/390 <br>
<br>
§ Tivoli Enterprise Console SNMP Adapter<br>
<br>
§ Tivoli Storage Network Manager <br>
<br>
§ Tivoli Risk Manager<br>
<br>
As an interim step, customers should be directed to secure their networks
so as to prevent SNMP access from unknown sources. The CERT advisory
contains substantial information on this topic under the heading of “Ingress
Filtering”.<br>
<br>
The following products have been identified for having the potential exposure:<br>
This information is current as of March 29, 2002.<br>
<br>
Identified Loss of Service<br>
The following products have been identified as containing issues that can
result in loss of service:<br>
<br>
Tivoli NetView for Unix & Windows<br>
<br>
DETAILS <br>
<br>
Tivoli NetView for Unix & Tivoli NetView for Windows are vulnerable to
a loss of service when subjected to certain SNMP get requests or traps as
indicated in CA-2002-03.<br>
<br>
STATUS<br>
<br>
A fix is available (See the section on ‘Fix Locations’).<br>
<br>
Tivoli NetView Mid-Level Manager (MLM) Agent for Solaris, HPUX, Windows
and AIX<br>
<br>
DETAILS<br>
<br>
The Tivoli NetView Mid-Level Manager (MLM) on Solaris, HPUX, Windows and
AIX (Version 7.1 and earlier) is vulnerable to a loss of service when subjected
to certain SNMP get requests or traps as indicated in CA-2002-03.<br>
<br>
STATUS<br>
<br>
A fix is currently being tested and will be released. (See the section
on ‘Fix Locations’).<br>
<br>
Tivoli Comprehensive Network Address Translator (CNAT)<br>
<br>
DETAILS<br>
<br>
This product is vulnerable to a temporary loss of service of the AIX system,
which causes a loss of connectivity to the portion of the network relying
on the CNAT system for NAT routing.<br>
<br>
STATUS<br>
<br>
A fix is currently being tested and will be released. The fix will
be available on this site (See the section on ‘Fix Locations’).<br>
<br>
Tivoli NetView for OS/390 Version 1.2, 1.3, and 1.4 <br>
<br>
DETAILS: <br>
<br>
ABEND in E/AS (Event Automation Services) Trap-to-Alert adapter when Enterprise
Object Identification (OID) is very large can occur. <br>
<br>
STATUS<br>
<br>
A fix is available. <br>
<br>
Tivoli Enterprise Console SNMP Adapter<br>
<br>
DETAILS<br>
<br>
The Tivoli Enterprise Console SNMP Adapter is vulnerable to a loss of service
when subjected to certain SNMP get requests or traps.<br>
<br>
STATUS<br>
<br>
A fix is currently being tested and will be released. <br>
<br>
Tivoli Risk Manager<br>
<br>
DETAILS<br>
<br>
The Tivoli Risk Manager utilizes the Tivoli Enterprise Console SNMP Adapter,
which is vulnerable to a loss of service when subjected to certain SNMP get
requests or traps as indicated in CA-2002-03.<br>
<br>
STATUS<br>
<br>
A fix is currently being tested and will be released. <br>
<br>
Tivoli Storage Network Manager<br>
<br>
DETAILS<br>
<br>
This condition only affects TSNM's ability to monitor outband events via
SNMP traps. TSNM is capable of managing SANs via both outband mechanisms
(SNMP queries to FC switches for topology discovery and receives SNMP traps
for outband event detection) and inband mechanisms (managed hosts connected
to the SAN via FC HBAs for topology and attribute discovery, and inband FC
event detection). Outband discovery, inband discovery, and inband event
detection are not affected by this condition.<br>
<br>
STATUS<br>
<br>
This will be fixed in the next version of TSNM.<br>
<br>
PREVENTION<br>
<br>
In addition to the prevention noted above, customers should configure at
least one Windows or SUN managed host per SAN to allow inband detection of
SAN events.<br>
<br>
Fix Locations<br>
Service fixes to those products that have identified the issue will post
the files in the following 2 locations:<br>
<br>
Web - <a href="http://www.tivoli.com/secure/support/documents/security/ca-2002-03.html">
http://www.tivoli.com/secure/support/documents/security/ca-2002-03.html</a><br>
<br>
FTP - <a href="ftp.tivoli.com/support/Support_Notes/SecurityBulletins/">ftp.tivoli.com/support/Support_Notes/SecurityBulletins/</a><br>
<br>
Questions <br>
For any questions, please contact your local call center or open a PMR through
the online support page <a href="http://www.tivoli.com/support/reporting/">
http://www.tivoli.com/support/reporting/</a>.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="Consultoria">
<H4><a href="http://www.tmp.com.br/">TMP Consultoria S/C</a></H4>
<blockquote>
<p>
The Computer Emergency Response Team (CERT) has issued last week an
advisory regarding numerous vulnerabilities affecting most vendors'
SNMP implementations. This advisory, which can be accessed on
http://www.cert.org/advisories/CA-2002-03.html, specifically addressed
vulnerabilities on the implementations' handling of SNMPv1 trap and
request PDUs (more specifically, the handling of the Trap, Get, Set,
and GetNext PDUs).<br>
<br>
TMP would like to state that we have evaluated the impact of those
vulnerabilities on our WANView line of network management solutions,
and that we are in NO WAY vulnerable to any of the issues reported,
as follows:<br>
<br>
VU#854306 - Multiple Vulnerabilities in SNMPv1 Request Handling: This
advisory is not applicable to WANView, because WANView does not accept
or process in any way SNMP Get/Set/GetNext PDUs; rather, WANView sends
those requests to the monitored equipment, and process subsequent
responses.<br>
<br>
VU#107186 - Multiple Vulnerabilities in SNMPv1 Trap Handling: This
advisory is not applicable to WANView either, because WANView currently
does not accept SNMP traps (this has been a product design decision)
WANView can be configured to send SNMP traps to other systems, and is
not affected in this regard.<br>
<br>
In case you have any questions or need further assistance regarding
these matters, please contact us at <wanview@tmp.com.br>.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="toplayernetworks">
<H4><a href="http://www.toplayer.com/">Top Layer Networks</a></H4>
<blockquote>
<p>
Both of Top Layer's focused security appliances, the IDS Balancer and the
Attack Mitigator, do not exhibit the SNMP vulnerabilite(s) Outlined by CERT
Advisory CA-2002-03.<br>
<br>
Neither of these products require any modification at all in order to be
protected. The AppSwitch/AppSafe product is also capable of being so protected,
but it may require that one configuration change be made to ensure total
protection based on the TopPath version of firmware it is running.<br>
<br>
The detail of the configuration change required in the AppSwitch/AppSafe
product is discussed below.<br>
<br>
CERT's recommended restrictions are as follows:<br>
<br>
1. Disable SNMP V1 access to all applicable network devices<br>
2. Filter SNMP traffic from non-authorized internal hosts<br>
3. Segregate SNMP traffic onto a separate management network<br>
<br>
Top Layer is well positioned to provide immediate solutions for our customers.
There are two options that users can immediately choose from to protect their
TLN security systems from SNMP V1 attacks:<br>
<br>
OPTION 1<br>
All currently shipping Top Layer products come pre-configured from the factory
or can be configured to meet CERT restriction # 1. For example, Top
Layer's focused security appliances, the IDS Balancer and the upcoming Attack
Mitigator products have, as their factory default settings, Access Restrictions
for SNMP set to -Denied- thus meeting CERT restriction # 1.<br>
<br>
NOTE: The AppSwitch/AppSafe Release 4.1 factory default is for SNMP disabled.
Models running Release 3.55 must be explicitly configured to deny access
as described above.<br>
<br>
<br>
OPTION 2<br>
Option #2 is to implement restrictions # 2 and # 3 simultaneously<br>
<br>
Restriction # 2<br>
To meet CERT restriction # 2, network managers can set access restrictions
for SNMP to an allowed IP host address range via the Web Management Interface
supplied with the AppSwitch/AppSafe 3500, the IDS Balancer, and upon general
release, the Attack Mitigator. Existing customers can implement this protection
themselves in the field today.<br>
<br>
Restriction #3<br>
The currently shipping AppSwitch/AppSafe 3500 security device can be configured
to restrict SNMP to a single management port via its web management interface.
This meets CERT restriction # 3.<br>
<br>
Both the IDS Balancer and the Attack Mitigator are designed with separate
management ports for that exclusive use. These management ports cannot
be accessed via "outside" (public network) or "inside" (internal network)
LAN connections for greater security and management system integrity. These
products meet CERT restriction # 3 -out of the box-.<br>
<br>
BOTTOM LINE<br>
<br>
Top Layer's standard offerings meet the criteria that allow users to protect
against SNMP V1 vulnerability exploits. This is all part of Top Layer's continued
commitment to provide our customers with improved performance and greater
security against cyber threats.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="toshiba">
<H4><a href="http://www.tic.toshiba.com/">Toshiba International Corporation</a></H4>
<blockquote>
<p>
Toshiba International Corporation<br>
SNMPv1 Request and Trap Handling Vulnerabilities<br>
<br>
This is in reference to the CERT Advisory CA 2002-03 regarding security vulnerabilities
that may exist in network devices using SNMPv1 such as the TIC SNMP enabled
product, RemotEye & RemotEyeII.<br>
<br>
Patches are being developed to repair these vulnerabilities. Please visit
the RemotEyeII web site at <a href="http://RemotEye.Tic.Toshiba.com">http://RemotEye.Tic.Toshiba.com</a>
for the expected date for patch availability.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="trendmicro">
<H4><a href="http://www.antivirus.com/">Trend Micro</a></H4>
<blockquote>
<p>
Trend Micro R&D has determined that Interscan Messaging
Services Suite, Scan Mail for Lotus Notes and Scan Mail for Exchange, which
all use Simple Network Management Protocol (SNMP) are not affected by SNMP
vulnerabilities listed in the CERT® Advisory CA-2002-03 Multiple
Vulnerabilities bulletin of February 27.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="unispherenetworks">
<H4><a href="http://www.unispherenetworks.com/">Unisphere Networks</a></H4>
<blockquote>
<p>
CUSTOMER SERVICE TECHNICAL BULLETIN<br>
<br>
SUBJECT: CERT Advisory CA-2002-03: Vulnerability in SNMP
Implementation<br>
BULLETIN NUMBER: ERX_PSN-005<br>
BULLETIN TYPE: Product Support Notification<br>
AFFECTED PRODUCTS: ERX<br>
ISSUE DATE: 03/08/2002<br>
REVISION: 2.0<br>
<br>
PROBLEM DESCRIPTION:<br>
The CERT ® Coordination Center released an advisory on February 12,
2002 entitled, "CERT ® Advisory CA-2002-03 Multiple Vulnerabilities
in Many Implementations of the Simple Network Management Protocol
(SNMP)". The URL for the full text of the advisory can be found at:<br>
<br>
http://www.cert.org/advisories/CA-2002-03.html<br>
<br>
AFFECTED PRODUCT(S):<br>
ERX 700/705/1400/1440<br>
<br>
SOLUTION:<br>
The following releases of software have been found to suffer no
negative effects from execution of the PROTOS c06-SNMPv1 test suite
authored by OUSPG, as outlined in CERT Advisory CA-2002-03:<br>
<br>
2-9-1p15-0<br>
2-10-1p1-0<br>
3-0-6p6-0<br>
3-2-3p1-0<br>
3-3-2p1-0<br>
3-4-0 REL<br>
<br>
Subsequent patches (e.g. 3-0-6p7-0 and greater) and maintenance
releases (3-4-1) to those listed above have also tested successfully.
All future releases will have been tested against PROTOS c06-SNMPv1
as well. Earlier releases of software will experience higher than
average SRP CPU utilization resulting in potential SNMP timeouts
while the test suite is running, but recover immediately upon test
completion. Packet forwarding during the test is not affected.
Affected releases include:<br>
<br>
2-0-0 ­ 2-9-1p14-0<br>
2-10-0 ­ 2-10-1p0-3<br>
3-0-0 ­ 3-0-6p5-0<br>
3-1-0 ­ 3-1-0p2-0<br>
3-2-0 ­ 3-2-3<br>
3-3-0 ­ 3-3-2<br>
<br>
This Product Support Notification is publicly viewable on the Web at:<br>
<br>
<a href="http://support.unispherenetworks.com/websupport/CERT/erx_psn-005.pdf">
http://support.unispherenetworks.com/websupport/CERT/erx_psn-005.pdf</a>
<br>
<br>
If you have any questions concerning this notice, or to obtain the
latest patch release, please contact Unisphere Networks Customer
Service.<br>
<br>
Inside the U.S. call: (800) 424-2344<br>
Outside the U.S. call: (978) 589-9000<br>
Via the Web @ <a href="http://support.unispherenetworks.com">
http://support.unispherenetworks.com</a>
<br>
Via e-mail @ support@unispherenetworks.com
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="uptimedevices">
<H4><a href="http://www.uptimedevices.com/">Uptime Devices, Inc.</a></H4>
<blockquote>
<p>
Our engineering group downloaded the test suite and ran it against the our
products. Our products passed all tests.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="verilink">
<H4><a href="http://www.verilink.com/">Verilink Corporation</a></H4>
<blockquote>
<p>
Verilink is aware of the CERT/CC advisory related to security
vulnerabilities that may exist in network devices using SNMPv1 as the
management protocol, issued February 12, 2002. Verilink has implemented
measures to assess which products may be affected by this advisory and is
working closely with its customers to identify the impact and possible
solutions.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="veritas">
<H4><a href="http://www.veritas.com/">VERITAS Software</a></H4>
<blockquote>
<p>
Is VERITAS SANPoint Control affected by the Simple Network Management<br>
Protocol vulnerabilities cited in CERT Advisory CA-2002-03?<br>
<br>
<br>
TechNote ID: 245634 Last Updated: April 03 2002 01:37 AM GMT<br>
Email this document to a colleague<br>
<br>
Caution! The information in this TechNote is based upon certain<br>
assumptions, including product, operating system and platform<br>
versions. You can review this information in the<br>
TechNote Summary portion of this document.<br>
This document (245634) is provided subject to the disclaimer at the<br>
end of this document.<br>
<br>
<br>
---------------------------------------------------------------------------------<br>
<br>
<br>
Symptom:<br>
<br>
Is VERITAS SANPoint Control affected by the Simple Network Management<br>
Protocol vulnerabilities cited in CERT Advisory CA-2002-03?<br>
<br>
<br>
Solution:<br>
<br>
<br>
On February 12, the CERT Coordination Center issued a CERT advisory<br>
citing vulnerabilities with multiple vendors Simple Network<br>
Management Protocol (SNMP) implementations. VERITAS SANPoint Control<br>
(SPC) was tested against the CERT SNMPv1 test suite and it was<br>
determined that SPC was affected by VU#107186 having to do with<br>
SNMPv1 Trap handling. If SPC is installed on a machine outside of a<br>
firewall, or inside of a firewall that does not properly block SNMP<br>
traffic, it could be open to a denial-of-service attack from the<br>
outside.<br>
<br>
<br>
<br>
This problem has been fixed in SPC 2.1.1. For information on how<br>
download the latest release, refer to technote 235218 (link in the<br>
Related sections of this TechNote).<br>
<br>
<br>
<br>
If it is not possible to upgrade, but you feel that your SPC hosts<br>
are at risk, then it will be necessary to disable SNMP traps which<br>
will affect SPC monitoring and reporting capabilities. Disabling<br>
traps will also affect some array monitoring that is done through<br>
traps and may slightly delay status notifications if hardware is<br>
being monitored through SNMP polls. For more information on SPC<br>
monitoring capabilities, refer to the Monitoring and Resolving<br>
Problems on the SAN guide in your SPC documentation set. To disable<br>
SNMP traps, modify the sal.conf file as shown here:<br>
<br>
<br>
<br>
[Exp.SNMPTRAP]<br>
<br>
DisableTrap=1<br>
<br>
<br>
<br>
In addition to disabling SNMP traps through the sal.conf file, it is<br>
also necessary to disable the VERITAS Trap Processor.<br>
<br>
On Windows:<br>
<br>
1. Go to Control Panel>Administrative Tools>Services<br>
<br>
2. Double-click on VERITAS Trap Service<br>
<br>
3. If the Service Status shows "Started", click the stop button.<br>
<br>
4. Change the Startup Type to Disabled<br>
<br>
5. Click OK<br>
<br>
<br>
<br>
On Solaris:<br>
<br>
Modify the /opt/VRTSspcs/vxspcs script as follows to keep the vxtrapd<br>
daemon from starting (location of this file may vary depending on the<br>
installation directory of the VRTSspcs package):<br>
<br>
<br>
<br>
start_trap ()<br>
<br>
{<br>
<br>
SAVEDIR=´pwd´<br>
<br>
# cd $BASE_DIR/VRTSspcs/trap/bin<br>
<br>
# ./vxtrapdstart.sh > /dev/null<br>
<br>
cd $SAVEDIR<br>
<br>
}<br>
<br>
<br>
<br>
For any additional information on CERT Advisory CA-2002-03, go to the<br>
following link: http://www.cert.org/advisories/CA-2002-03.html<br>
<br>
<br>
<br>
----------------------------------------------------------------------------------<br>
TechNote Summary:<br>
TechNote Title: Is VERITAS SANPoint Control affected by the Simple<br>
Network Management Protocol vulnerabilities cited in CERT Advisory<br>
CA-2002-03?<br>
TechNote ID: 245634<br>
Last Updated: April 03 2002 01:37 AM GMT<br>
Related Documents: TechNote: 235218 - What is the latest version of<br>
VERITAS SANPoint Control?<br>
TechPDF: 242640 - VERITAS SANPoint Control 2.1 - Monitoring and<br>
Resolving Problems on the SAN with SANPoint Control 2.1<br>
<br>
This information in this TechNote applies to:<br>
Products: SANPoint Control (UNIX Platforms) 1.0, 1.0.1, 2.0,<br>
2.0.1, 2.1, 2.1.1<br>
SANPoint Control for Windows 2000<br>
<br>
Subject: SANPoint Control (UNIX Platforms) - Application -<br>
Informational<br>
<br>
Languages: English<br>
<br>
Operating Systems: Windows 2000 Professional 5.00.2195<br>
Windows 2000 Server 5.00.2195, 5.00.2195 SP 1, 5.00.2195 SP
2,<br>
Windows Powered, Windows Powered SP1, Windows Powered SP2<br>
Windows 2000 Advanced Server 5.00.2195, 5.00.2195 SP 1, 5.00.2195<br>
SP 2, Windows Powered, Windows Powered SP1, Windows Powered SP2<br>
Windows 2000 Datacenter Server 5.00.2195, 5.00.2195 SP 1,<br>
5.00.2195 SP 2<br>
Solaris 2.6, 7, 8<br>
Windows NT 4.0 Serv SP4, 4.0 Serv SP5, 4.0 Serv SP6a<br>
<br>
<br>
----------------------------------------------------------------------------------<br>
<br>
<br>
VERITAS Software, 1600 Plymouth Street, Mountain View, California<br>
94043 World Wide Web: http://www.veritas.com<br>
Tech Support Web: http://support.veritas.com<br>
E-Mail for Classic VERITAS Products: support@veritas.com<br>
E-Mail for Classic Seagate Software Products:<br>
helpdesk@support.veritas.com<br>
FTP:ftp://ftp.support.veritas.com or http://ftp.support.veritas.com<br>
<br>
<br>
<br>
THE INFORMATION PROVIDED IN THE VERITAS SOFTWARE KNOWLEDGE BASE IS<br>
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. VERITAS SOFTWARE<br>
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE<br>
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.<br>
IN NO EVENT SHALL VERITAS SOFTWARE OR ITS SUPPLIERS BE LIABLE FOR ANY<br>
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,<br>
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF<br>
VERITAS SOFTWARE OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE<br>
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION<br>
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO<br>
THE FOREGOING LIMITATION MAY NOT APPLY.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="vinatech">
<H4><a href="http://www.verticalnetworks.com/index.html">Vertical Networks, Inc.</a></H4>
<blockquote>
<p>
The Vertical Networks InstantOffice product was vulnerable to the SNMP
issues VU#854306 and VU#107186. This problem was first corrected in
InstantOffice version 4.0 Service Pack 1.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="vinatech">
<H4><a href="http://www.vina-tech.com/">VINA Technologies</a></H4>
<blockquote>
<p>
Vina is addressing the CERT advisory & evaluating the impact over all
its products. Security of our customers networks is of prime
importance to us. Integrator 300 & eLink family products have
verified no vulnerability with the fix put in place effective
4/08/2002. Testing is still in progress for MX 500/550/600 & MBX
1000 products. Initial results have shown that customers running
Frame Relay as WAN protocol are not affected. Action is being taken
to evaluate & fix if any PPP or Cisco HDLC encapsulation
vulnerabilities are found by running the 'PROTOS c06-snmpv1 test
suite' mentioned in the advisory . VINA will continue to update its
statement on this site as additional info becomes available.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="westhawk">
<H4><a href="http://www.westhawk.co.uk/">Westhawk, Ltd.</a></H4>
<blockquote>
<p>
Westhawk has tested their SNMP stack in Java against the VU#107186
vulnerabilities (Multiple vulnerabilities in SNMPv1 trap handling).
<p>
A number of Java exceptions occurred causing possible denial-of-service,
but no unauthorized privileged access.
These exceptions have been fixed in release 6.0 of our stack and can be
found at <a
href="http://snmp.westhawk.co.uk/snmp6_0.zip?cert">http://snmp.westhawk.co.uk/snmp6_0.zip?cert</a>.
<p>
The stack is capable of receiving request PDUs and sending a response.
However it has no support for building the response (it lacks MIB
functionality), so running the request test suite for the
VU#854306 (Multiple vulnerabilities in SNMPv1 request handling) is
currently not applicable.
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="windriver">
<H4><a href="http://www.windriver.com/">Wind River Systems, Inc.</a></H4>
<blockquote>
<p>
<u>Envoy SNMP Agent Source Code v9.0+:</u><br>
After extensive testing against the PROTOS c06-snmpv1 test suite, we have
not been able to reproduce any of the SNMPv1 security problems VU#854306
and
VU#107186 in our current SNMP Source Code products: Envoy SNMP v9.0, v9.1,
v9.2, and v9.3 Beta. We ran the tests without seeing any impact on
system
memory or any other unusual behavior. We encourage all customers to
upgrade
to the current version of Envoy SNMP Source Code Agent.<br>
<br>
<u>WindNet SNMP Agent Binary Objects v2.0:</u><br>
Testing against the PROTOS c06-snmpv1 test suite has revealed a
vulnerability in the current version of WindNet SNMP v2.0. The specific
impact is a memory leak caused by the exceptional element E-01. This
vulnerability can be demonstrated by test #1421 (among others) in the
req-enc test suite. A fix is currently available from Wind River support
and on WindSurf for customers with valid maintenance contracts. WindNet
SNMP Binary v2.0 customers under maintenance can also eliminate the
vulnerability by upgrading to Envoy SNMP Source v9.2. This vulnerability
was previously
fixed as a "potential leak" in the Envoy v9.0 Agent Source Code release.
WindNet SNMP v2.0 is a binary distribution of Envoy v8.0, so it did not
include this fix. No current Envoy Source release (v9.0+) is effected
by this
vulnerability.<br>
<br>
Note: As Wind River's Envoy SNMP is a source code product, customer's
modifying Envoy MAY introduce vulnerability to VU#854306 and VU#107186.
We are especially seeing problems with buffer overruns in customer community
string validation routines. Wind River recommends individual testing
against the test suite of any customer product incorporating a SNMP agent,
particularly
MODIFIED Envoy SNMP source code.<br>
<br>
Wind River customers under support and maintenance have received the current
product releases. Supported customers should Contact Wind River support
at
support@windriver.com or call (800) 458-7767 with any test reports related
to VU#854306 and VU#107186, or for more information. Customers who
need to
renew support or wish to upgrade to a supported version (Envoy v9.0+ and
WindNet SNMP v2.0) should contact their Wind River Account Manager, or
1-800-545-WIND (1-800-545-9463) if they do not have an Account Manager.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="worldwidepackets">
<H4><a href="http://www.worldwidepackets.com/">World Wide Packets</a></H4>
<blockquote>
<p>
World Wide Packets<br>
Product notes and recommendations:<br>
<br>
LE-2X and 3X portals, LE-2XX and LE-4XX concentrators<br>
Future software releases of WWP Products will address the vulnerabilities
identified in the following CERT vulnerability advisories. Current
target is to provide patch builds by Q2 ’02 that permanently address
these issues. Please contact support@wwp.com for details and status.<br>
<br>
VU#854306 (Multiple vulnerabilities in SNMPv1 request handling)<br>
VU#107186 (Multiple vulnerabilities in SNMPv1 trap handling) <br>
Until these releases become available, we recommend that the following steps
may be taken to help reduce exposure to these vulnerabilities.<br>
In all concentrators:<br>
*Disable SNMP from interfaces through which SNMP commands should not be received,
such as those providing connection from the Internet or Extranets.<br>
<br>
*Use management VLANs or out-of-band management to contain SNMP traffic and
multicasts. These do not prevent an attacker from exploiting these vulnerabilities,
but they may make it more difficult to initiate the attacks.<br>
In the snmp.cfg file of all devices, define the community with the IP address
of the Management Station.<br>
Example: <br>
Instead of <br>
!snmp_cs_1=1, public, 0.0.0.0, read<br>
!snmp_cs_2=1, private, 0.0.0.0, write<br>
Use<br>
!snmp_cs_1=1, <new public string>, <Mgmt Station Ip Address>,
read<br>
!snmp_cs_2=1, <new private string>, <Mgmt Station Ip Address>,
write<br>
Note: Even when community strings are changed from their defaults, they will
still be passed in plaintext and are therefore subject to packet sniffing
attacks. SNMPv3 offers additional capabilities to ensure authentication and
privacy as described in RFC2574.<br>
LE-3700 Distributor<br>
*Disable SNMP from interfaces through which SNMP commands should not be received,
such as those providing connection from the Internet or Extranets <br>
*Use Access Control Lists at the access edge to prevent SNMP traffic from
unauthorized internal hosts from entering the network. <br>
*Use management VLANs or out-of-band management to contain SNMP traffic and
multicasts. These do not prevent an attacker from exploiting these vulnerabilities,
but they may make it more difficult to initiate the attacks. <br>
*Enable 802.1X port-locking and RADIUS to prevent unauthenticated users from
attaching to the network.
</p>
</blockquote>
<!-- end vendor -->
<!-- begin vendor -->
<A NAME="xerox">
<H4><a href="http://www.xerox.com/">Xerox Corporation</a></H4>
<blockquote>
<p>
Xerox is aware of this advisory. A response regarding all Xerox
products that use SNMPv1 is available from our web site: <a
href="http://www.xerox.com/security"> www.xerox.com/security</a>.
</p>
</blockquote>
<!-- end vendor -->
<a name="references"></a>
<H2>Appendix B. - References</H2>
<OL>
<li><A HREF="http://www.ee.oulu.fi/research/ouspg/protos/">http://www.ee.oulu.fi/research/ouspg/protos/</A>
<li><A HREF="http://www.kb.cert.org/vuls/id/854306">http://www.kb.cert.org/vuls/id/854306</A>
<li><A HREF="http://www.kb.cert.org/vuls/id/107186">http://www.kb.cert.org/vuls/id/107186</A>
<li><A HREF="http://www.cert.org/tech_tips/denial_of_service.html">http://www.cert.org/tech_tips/denial_of_service.html</A>
<li><A HREF="http://www.ietf.org/rfc/rfc1067.txt">http://www.ietf.org/rfc/rfc1067.txt</A>
<li><A HREF="http://www.ietf.org/rfc/rfc1089.txt">http://www.ietf.org/rfc/rfc1089.txt</A>
<li><A HREF="http://www.ietf.org/rfc/rfc1140.txt">http://www.ietf.org/rfc/rfc1140.txt</A>
<li><A HREF="http://www.ietf.org/rfc/rfc1155.txt">http://www.ietf.org/rfc/rfc1155.txt</A>
<li><A HREF="http://www.ietf.org/rfc/rfc1156.txt">http://www.ietf.org/rfc/rfc1156.txt</A>
<li><A HREF="http://www.ietf.org/rfc/rfc1215.txt">http://www.ietf.org/rfc/rfc1215.txt</A>
<li><A HREF="http://www.ietf.org/rfc/rfc1270.txt">http://www.ietf.org/rfc/rfc1270.txt</A>
<li><A HREF="http://www.ietf.org/rfc/rfc1352.txt">http://www.ietf.org/rfc/rfc1352.txt</A>
</OL>
<P>
<a name="background"></a>
<H2>Appendix C. - Background Information</H2>
<A NAME="ouspg"></a>
<H4>Background Information on the OUSPG</H4>
OUSPG is an academic research group located at <A
HREF="http://www.oulu.fi/Welcome.html">Oulu University</A> in Finland. The
purpose of this research group is to test software for
vulnerabilities.
<p>
History has shown that the techniques used by the OUSPG have
discovered a large number of previously undetected problems in the
products and protocols they have tested.
In 2001, the OUSPG produced a comprehensive test suite for evaluating
implementations of the Lightweight Directory Access Protocol
(LDAP). This test suite was developed with the strategy of abusing the
protocol in unsupported and unexpected ways, and it was very effective
in uncovering a wide variety of vulnerabilities across several
products. This approach can reveal vulnerabilities that would not
manifest themselves under normal conditions.
<p>
After completing its work on LDAP, OUSPG moved its focus to SNMPv1. As
with LDAP, they designed a custom test suite, began testing a
selection of products, and found a number of vulnerabilities. Because
OUSPG's work on LDAP was similar in procedure to its current work on
SNMP, you may wish to review the <A
HREF="http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/">LDAP
Test Suite</a> and <A
HREF="http://www.cert.org/advisories/CA-2001-18.html">CERT Advisory
CA-2001-18</a>, which outlined results of application of the test
suite.
<p>
In order to test the security of protocols like SNMPv1, the <A
HREF="http://www.ee.oulu.fi/research/ouspg/protos/">PROTOS</A> project
presents a server with a wide variety of sample packets containing
unexpected values or illegally formatted data. As a member of the
PROTOS project consortium, the OUSPG used the <A
HREF="http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html">
PROTOS c06-snmpv1 test suite</A> to study several implementations of
the SNMPv1 protocol. Results of the test suites run against SNMP
indicate that there are many different vulnerabilities on many
different implementations of SNMP.
<A NAME="snmp"></a>
<H4>Background Information on the Simple Network Management Protocol</H4>
<P>
The Simple Network Management Protocol (SNMP) is the most popular
protocol in use to manage networked devices. SNMP was designed in the
late 80's to facilitate the exchange of management information between
networked devices, operating at the application layer of the ISO/OSI
model. The SNMP protocol enables network and system administrators to
remotely monitor and configure devices on the network (devices such as
switches and routers). Software and firmware products designed for
networks often make use of the SNMP protocol. SNMP runs on a multitude
of devices and operating systems, including, but not limited to,
<UL>
<LI>Core Network Devices (Routers, Switches, Hubs, Bridges, and Wireless Network Access Points)
<br>
<LI>Operating Systems
<br>
<LI>Consumer Broadband Network Devices (Cable Modems and DSL Modems)
<br>
<LI>Consumer Electronic Devices (Cameras and Image Scanners)
<br>
<LI>Networked Office Equipment (Printers, Copiers, and FAX Machines)
<br>
<LI>Network and Systems Management/Diagnostic Frameworks (Network Sniffers and Network Analyzers)
<br>
<LI>Uninterruptible Power Supplies (UPS)
<br>
<LI>Networked Medical Equipment (Imaging Units and Oscilloscopes)
<br>
<LI>Manufacturing and Processing Equipment
<br>
</UL>
<p>The SNMP protocol is formally defined in <A
HREF="http://www.ietf.org/rfc/rfc1157.txt">RFC1157</A>. Quoting from
that RFC:
<P>
<DL><DD>
<i>Implicit in the SNMP architectural model is a collection of network
management stations and network elements. Network management stations
execute management applications which monitor and control network
elements. Network elements are devices such as hosts, gateways,
terminal servers, and the like, which have management agents
responsible for performing the network management functions requested
by the network management stations. The Simple Network Management
Protocol (SNMP) is used to communicate management information between
the network management stations and the agents in the network
elements.</i>
</DL></DD>
<P>
Additionally, SNMP is discussed in a number of other RFC documents:
<UL>
<LI><A HREF="http://www.ietf.org/rfc/rfc3000.txt">RFC 3000</A>
<i>Internet Official Protocol Standards</i></LI>
<LI><A HREF="http://www.ietf.org/rfc/rfc1212.txt">RFC 1212</A>
<i>Concise MIB Definitions</i></LI>
<LI><A HREF="http://www.ietf.org/rfc/rfc1213.txt">RFC 1213</A>
<i>Management Information Base for Network Management of TCP/IP-based
Internets: MIB-II</i></LI>
<LI><A HREF="http://www.ietf.org/rfc/rfc1215.txt">RFC 1215</A> <i>A
Convention for Defining Traps for use with the SNMP</i></LI>
<LI><A HREF="http://www.ietf.org/rfc/rfc1270.txt">RFC 1270</A> <i>SNMP
Communications Services</i></LI>
<LI><A HREF="http://www.ietf.org/rfc/rfc2570.txt">RFC 2570</A>
<i>Introduction to Version 3 of the Internet-standard Network
Management Framework</i></LI>
<LI><A HREF="http://www.ietf.org/rfc/rfc2571.txt">RFC 2571</A> <i>An
Architecture for Describing SNMP Management Frameworks</i></LI>
<LI><A HREF="http://www.ietf.org/rfc/rfc2572.txt">RFC 2572</A>
<i>Message Processing and Dispatching for the Simple Network
Management Protocol (SNMP)</i></LI>
<LI><A HREF="http://www.ietf.org/rfc/rfc2573.txt">RFC 2573</A>
<i>SNMP Applications</i></LI>
<LI><A HREF="http://www.ietf.org/rfc/rfc2574.txt">RFC 2574</A>
<i>User-based Security Model (USM) for version 3 of the Simple Network
Management Protocol (SNMPv3)</i></LI>
<LI><A HREF="http://www.ietf.org/rfc/rfc2575.txt">RFC 2575</A>
<i>View-based Access Control Model (VACM) for the Simple Network
Management Protocol (SNMP)</i></LI>
<LI><A HREF="http://www.ietf.org/rfc/rfc2576.txt">RFC 2576</A>
<i>Coexistence between Version 1, Version 2, and Version 3 of the
Internet-standard Network Management Framework</i></LI>
</UL>
<A NAME="thanks"></a>
<HR NOSHADE>
The CERT Coordination Center thanks the Oulu University Secure
Programming Group for reporting these vulnerabilities to us, for providing
detailed technical analyses, and for assisting us in preparing this
advisory.
<P>We also thank Steven M. Bellovin (AT&T Labs -- Research), Wes Hardaker
(Net-SNMP), Steve Moulton (SNMP Research), Tom Reddington (Bell Labs),
Mike Duckett (Bell South), Rob Thomas, Blue Boar (Thievco), Sunil Chitnis
(Foundry Networks), the Cisco Systems Product Security Incident Response
Team (<a href="mailto:psirt@cisco.com">psirt@cisco.com</A>) and the many
others who contributed to this document.
<HR NOSHADE>
<P>Feedback on this document can be directed to the authors, <A
HREF="mailto:cert@cert.org?subject=CA-2002-03%20Feedback%20VU%23617947">Ian
A. Finlay, Shawn V. Hernan, Jason A. Rafail, Chad Dougherty, Allen
D. Householder, Marty Lindner, and Art Manion</A>.
<P></P>
<!--#include virtual="/include/footer_nocopyright.html" -->
<P>Copyright 2002 Carnegie Mellon University.</P>
<P>Revision History
<pre>
Feb 12, 2002: Initial release
Feb 12, 2002: Corrected vendor appendix formatting issues
Feb 12, 2002: Added vendor statement for Inktomi
Feb 12, 2002: Fixed formatting problem in "Disable stack execution" section
Feb 12, 2002: Updated vendor statement for Juniper
Feb 12, 2002: Fixed broken link in Juniper statement
Feb 12, 2002: Updated Public Thanks section
Feb 12, 2002: Updated Covalent statement
Feb 12, 2002: Updated SNMP Research statement
Feb 12, 2002: Updated CVE and Comtek services links
Feb 13, 2002: Updated vendor statement for Cisco Systems
Feb 13, 2002: Updated vendor statement for Enterasys
Feb 13, 2002: Updated vendor statement for FreeBSD
Feb 13, 2002: Updated vendor statement for HP
Feb 13, 2002: Updated vendor statement for Microsoft
Feb 13, 2002: Updated vendor statement for Sun
Feb 13, 2002: Updated vendor statement for Tandberg
Feb 13, 2002: Removed vendor statement for Tivoli
Feb 14, 2002: Added vendor statement for Aprisma
Feb 14, 2002: Added vendor statements for MG-Soft and NetScreen
Feb 14, 2002: Added vendor statement for iTouch Communications
Feb 14, 2002: Added vendor statement for F5 Networks
Feb 14, 2002: Added vendor statement for Sierra Wireless
Feb 15, 2002: Added vendor statement for MICROMUSE
Feb 15, 2002: Updated HP statement
Feb 16, 2002: Updated Nortel Networks statement
Feb 16, 2002: Added vendor statement for Foundry Networks
Feb 18, 2002: Added vendor statement for Tivoli
Feb 18, 2002: Added vendor statement for Radware
Feb 18, 2002: Updated Nortel Networks statement
Feb 19, 2002: Updated Nortel Networks statement
Feb 19, 2002: Updated F5 Networks statement
Feb 19, 2002: Updated Compaq statement
Feb 19, 2002: Updated IBM statement
Feb 19, 2002: Added vendor statement for Dell
Feb 19, 2002: Fixed bad link in Enterasys statement
Feb 19, 2002: Updated IBM statement
Feb 19, 2002: Added vendor statement for BMC Software
Feb 20, 2002: Added vendor statement for Wind River Systems
Feb 20, 2002: Added vendor statement for Concord Communications
Feb 20, 2002: Added vendor statement for CommWorks Corporation (a 3Com company)
Feb 20, 2002: Added vendor statement for Lexmark International
Feb 20, 2002: Added vendor statement for Check Point Software Technologies Inc.
Feb 20, 2002: Added vendor statement for Alcatel
Feb 21, 2002: Added vendor statement for Avici Systems Inc.
Feb 21, 2002: Added vendor statement for NuDesign Team Inc.
Feb 21, 2002: Added vendor statement for ADTRAN, Inc.
Feb 21, 2002: Updated NetScreen vendor statement
Feb 21, 2002: Added vendor statement for TMP Consultoria S/C
Feb 21, 2002: Added vendor statement for Xerox Corporation
Feb 21, 2002: Updated Inktomi vendor statement
Feb 21, 2002: Added vendor statement for nCipher Corp.
Feb 21, 2002: Updated Lucent vendor statement
Feb 21, 2002: Added vendor statement for Spider Software
Feb 21, 2002: Added vendor statement for Riverstone Networks
Feb 21, 2002: Added vendor statement for Standard Networks, Inc.
Feb 21, 2002: Added vendor statement for Openwave Systems Inc.
Feb 21, 2002: Added vendor statement for General DataComm
Feb 22, 2002: Added vendor statement for NETWORK HARMONi, Inc.
Feb 22, 2002: Updated HP vendor statement
Feb 22, 2002: Updated Nortel Networks statement
Feb 25, 2002: Added vendor statement for American Power Conversion
Feb 25, 2002: Added vendor statement for Cambridge Broadband Ltd.
Feb 25, 2002: Added vendor statement for Corsaire Limited
Feb 25, 2002: Added vendor statement for SonicWALL, Inc.
Feb 26, 2002: Added vendor statement for Perle Systems
Feb 26, 2002: Added vendor statement for Sonus Networks
Feb 26, 2002: Added vendor statement for Optical Access
Feb 26, 2002: Added vendor statement for INRANGE Technologies
Feb 26, 2002: Updated vendor statement for Redback Networks, Inc.
Feb 26, 2002: Removed "Disable stack execution" section from Solutions
Feb 26, 2002: Added vendor statement for BinTec Communications AG
Feb 26, 2002: Updated vendor statement for IBM
Feb 27, 2002: Updated HP vendor statement
Feb 27, 2002: Added vendor statement for World Wide Packets
Feb 27, 2002: Added vendor statement for Dart Communications
Feb 27, 2002: Added vendor statement for Quallaby Corporation
Feb 27, 2002: Updated iTouch Communications vendor statement
Feb 27, 2002: Added vendor statement for CipherTrust, Inc.
Feb 27, 2002: Added vendor statement for Ipswitch, Inc.
Feb 27, 2002: Added vendor statement for D-Link Systems, Inc.
Mar 01, 2002: Added vendor statement for iPlanet
Mar 01, 2002: Updated vendor statement for Novell
Mar 01, 2002: Updated vendor statement for nCipher Corp.
Mar 01, 2002: Added vendor statement for Extreme Networks
Mar 04, 2002: Added vendor statement for NetSilicon
Mar 04, 2002: Added vendor statement for SecureWorks, Inc.
Mar 04, 2002: Added vendor statement for Efficient Networks, Inc.
Mar 04, 2002: Updated vendor statement for Novell
Mar 04, 2002: Added vendor statement for Monfox, LLC
Mar 05, 2002: Added vendor statement for Paradyne
Mar 05, 2002: Added vendor statement for Trend Micro
Mar 05, 2002: Updated vendor statement for Dartware, LLC
Mar 05, 2002: Added vendor statement for Quick Eagle Networks
Mar 05, 2002: Added vendor statement for Conectiva
Mar 05, 2002: Added vendor statement for Asante Technologies, Inc.
Mar 05, 2002: Added vendor statement for SolarWinds.Net, Inc.
Mar 06, 2002: Updated vendor statement for Aprisma
Mar 06, 2002: Updated vendor statement for Ipswitch, Inc.
Mar 06, 2002: Added vendor statement for CSCare, Inc.
Mar 06, 2002: Updated vendor statement for iTouch Communications
Mar 06, 2002: Added vendor statement for Uptime Devices, Inc.
Mar 06, 2002: Added vendor statement for Larscom Incorporated
Mar 06, 2002: Added vendor statement for InterNiche Technologies, Inc.
Mar 07, 2002: Added vendor statement for Network Appliance
Mar 07, 2002: Updated vendor statement for Avaya
Mar 07, 2002: Updated vendor statement for Xerox
Mar 07, 2002: Added vendor statement for Sniffer Technologies
Mar 07, 2002: Added vendor statement for Powerware Corporation
Mar 07, 2002: Added vendor statement for Carrier Access
Mar 07, 2002: Added vendor statement for net.com
Mar 07, 2002: Added vendor statement for Oracle Corporation
Mar 11, 2002: Updated vendor statement for Wind River Systems, Inc.
Mar 12, 2002: Added vendor statement for Apple Computer, Inc.
Mar 12, 2002: Updated vendor statement for Xerox Corporation
Mar 12, 2002: Updated vendor statement for Radware
Mar 13, 2002: Added vendor statement for ADVA AG Optical Networking
Mar 13, 2002: Updated vendor statement for Quick Eagle Networks
Mar 15, 2002: Updated vendor statement for F5 Networks
Mar 18, 2002: Added vendor statement for NEC Corporation
Mar 18, 2002: Added vendor statement for Alvarion Ltd.
Mar 19, 2002: Added vendor statement for e-Security, Inc.
Mar 19, 2002: Updated vendor statement for Concord Communications, Inc.
Mar 19, 2002: Added vendor statement for Equinox Systems
Mar 20, 2002: Added vendor statement for Controlware GmbH
Mar 20, 2002: Fixed broken link in NETWORK HARMONi, Inc. vendor statement
Mar 20, 2002: Updated vendor statement for NETWORK HARMONi, Inc.
Mar 21, 2002: Updated vendor statement for Radware
Mar 21, 2002: Added vendor statement for Unisphere Networks
Mar 21, 2002: Added vendor statement for InfoVista
Mar 21, 2002: Updated vendor statement for COMTEK Services, Inc.
Mar 25, 2002: Added vendor statement for ModLink Networks
Mar 25, 2002: Added vendor statement for Kentrox,LLC
Mar 25, 2002: Added vendor statement for KarlNet, Inc.
Mar 25, 2002: Added vendor statement for Hitachi Data Systems (HDS)
Mar 26, 2002: Added vendor statement for NetScout Systems, Inc.
Mar 26, 2002: Added vendor statement for Verilink Corporation
Mar 26, 2002: Added vendor statement for RAD Data Communications Ltd.
Mar 28, 2002: Updated vendor statement for NEC Corporation
Mar 28, 2002: Added vendor statement for Tavve Software Company
Apr 01, 2002: Updated vendor statement for HP (regarding MPE)
Apr 01, 2002: Added vendor statement for Top Layer Networks
Apr 03, 2002: Updated vendor statement for Tivoli Systems
Apr 04, 2002: Added vendor statement for VERITAS Software
Apr 05, 2002: Added vendor statement for Evidian Inc.
Apr 05, 2002: Added vendor statement for AVET Information and Network Security
Apr 05, 2002: Added vendor statement for Entrada Networks
Apr 05, 2002: Added vendor statement for Cray Inc.
Apr 08, 2002: Added vendor statement for CNT
Apr 09, 2002: Updated vendor statement for Dell
Apr 09, 2002: Updated vendor statement for American Power Conversion
Apr 10, 2002: Updated vendor statement for Dell
Apr 10, 2002: Updated vendor statement for Compaq Computer Corporation
Apr 12, 2002: Added vendor statement for Canoga Perkins Corporation
Apr 16, 2002: Added vendor statement for Toshiba International Corporation
Apr 19, 2002: Added vendor statement for VINA Technologies
Apr 19, 2002: Updated vendor statement for Dell
Apr 22, 2002: Updated vendor statement for Entrada Networks
Apr 24, 2002: Updated vendor statement for VERITAS Software
Apr 24, 2002: Added vendor statement for OutBack Resource Group, Inc.
Apr 26, 2002: Added vendor statement for Fluke Corporation
Apr 28, 2002: Updated vendor statement for DMH Software
May 16, 2002: Updated vendor statement for Sun Microsystems
May 23, 2002: Updated vendor statement for Xerox Corporation
Jun 11, 2002: Updated vendor statement for BMC Software
Jun 11, 2002: Updated vendor statement for BinTec Communications AG
Jun 11, 2002: Updated vendor statement for Symantec Corporation
Jul 25, 2002: Added vendor statement for Digital Networks
Aug 14, 2002: Added vendor statement for Astracon, Inc.
Aug 21, 2002: Updated vendor statement for ADVA AG Optical Networking
Aug 28, 2002: Updated vendor statement for iPlanet
Sep 23, 2002: Added vendor statement for Mercury Interactive Corporation
Oct 17, 2002: Added vendor statement for Sinetica Corporation Limited
Nov 05, 2002: Added vendor statement for Future Communications Software
May 14, 2003: Added vendor statement for Metrobility Optical Systems
Jun 11, 2003: Added vendor statement for Muonics
Aug 18, 2003: Added vendor statement for Allied Telesyn International
Jul 27, 2004: Updated vendor statement for NuDesign, Inc.
May 24, 2005: Updated vendor statement for Hitachi, removed extra line before vul note references
November 7, 2007: Closed anchors
February 13, 2008: Added vendor statement for Westhawk
</pre>
|