nv-l
[Top] [All Lists]

Re: [nv-l] After 6.03 patch install

To: nv-l@lists.tivoli.com
Subject: Re: [nv-l] After 6.03 patch install
From: netview@toddh.net (Todd H.)
Date: 04 Mar 2002 13:54:44 -0600
Reply-to: nv-l@lists.tivoli.com
reamd@Nationwide.com writes:
> Hi All,
>           I recently in stalled the 6.03 patch and have came across a
> problem since the install.We currently have scripts defined to execute when
> certain traps are received such as interface up.down traps, and SNMP
> Collection threshold traps.  Netview is configured to pass paramenters to
> these scripts such as
> /usr/local/nwi/scripts/ifthresh $1 $2 "$3" $4 $5.  Prior to the patch, all
> parameters passed through in clear text, included non alpha-numeric
> characters.  After the 6.0.3 upgrade patch was applied, all non
> alpha-numeric characters are being preceded by a "\" character.  For
> example, if $1 is the resource name and it = "a-n-aa-drt01", then the
> paramneter getting passed to the script is "a\-n\-aa\-drt01".  This is
> casuing problems in the scripts. Any Idea's?
> 
> AIX 4.3.3
> Netview 6.03

What you're seeing is the NetView security efix that was released to
address CERT alert
        http://www.cert.org/advisories/CA-2001-24.html

working as designed.     James post explains it all, but I can chime
in to tell you that we feel you pain.  :-)   This one impacted most of
our alerting scripts.

You can't fault Tivoli for this, though--it's an underlying insecurity
in SNMP, so their fix though inconvenient, is really the only thing
that could've been done to adequately protect the server.  It also
creates a good opportunity to rethink your scripts and how they handle
possibly tainted user varbind information. 

If you're not running this 6.02 patch, or running 6.03 wihch includes
it, your server may be vulnerable to a rather trivial root exploit.
All an attacker has to do is send a suitably malformed SNMP trap
varbind to your server (with or without a spoofed IP)... and if your
server be configured to run a shell script in response to that trap,
you're vulnerable.

May this and the most recent SNMP exploit speed the adoption of SNMPv3
in agents and management stations alike.  :-) 

Best Regards,
-- 
Todd H.
http://www.toddh.net/

<Prev in Thread] Current Thread [Next in Thread>

Archive operated by Skills 1st Ltd

See also: The NetView Web