[Top] [All Lists]

[nv-l] vulnerabilities in SNMPv1 trap handling

To: "'nv-l@lists.tivoli.com'" <nv-l@lists.tivoli.com>
Subject: [nv-l] vulnerabilities in SNMPv1 trap handling
From: "Qureshi, Fawad" <Fawad.Qureshi@ssa.gov>
Date: Tue, 23 Sep 2003 16:13:49 -0400
Delivered-to: mailing list nv-l@lists.tivoli.com
Delivery-date: Tue, 23 Sep 2003 21:14:47 +0100
Envelope-to: nv-l-archive@lists.skills-1st.co.uk
List-help: <mailto:nv-l-help@lists.tivoli.com>
List-post: <mailto:nv-l@lists.tivoli.com>
List-subscribe: <mailto:nv-l-subscribe@lists.tivoli.com>
List-unsubscribe: <mailto:nv-l-unsubscribe@lists.tivoli.com>
Mailing-list: contact nv-l-help@lists.tivoli.com; run by ezmlm

Following information was passed to me requesting comments on how Netview handles these vulnerabilities. I would appreciate any comments and / or feedback regarding this.


Multiple vulnerabilities in SNMPv1 trap handling


Multiple vendor SNMPv1 Trap handling implementations contain vulnerabilities that may allow unauthorized privileged access, denial-of-service conditions, or unstable behavior . If your site uses SNMP in any capacity, please read the following.


The Oulu University Secure Programming Group (OUSPG) has reported numerous vulnerabilities in multiple vendor SNMPv1 implementations. By applying the PROTOS c06-SNMPv1 test suite to a variety of popular SNMPv1-enabled products, the OUSPG revealed a number of vulnerabilities across a wide range of products. This vulnerability note focuses on vulnerabilities occurring in code responsible for SNMPv1 trap handling. SNMPv1 supports five different types of messages: GetRequest, SetRequest, GetNextRequest, GetResponse, and Trap. A single SNMP message is referred to as a Protocol Data Unit (PDU). These messages are described using Abstract Syntax Notation One (ASN.1) and translated into binary format using Basic Encoding Rules (BER). SNMP trap messages are sent from agents to managers. Trap messages are unsolicited (the manager does not issue a request message) and may indicate a warning or error condition or otherwise notify the manager about the agent's state. SNMP managers should reliably decode trap messages and process the resulting application data. OUSPG performed two sets of tests of SNMP trap message handling: one test focused on ASN.1 decoding, the second looked for exceptions in the processing of the decoded data.


The results yielded multiple vulnerabilities in both the ASN.1 decoding and the subsequent processing of SNMP trap messages by many different SNMP managers. Vulnerabilities include denial-of-service conditions, format string vulnerabilities, and buffer overflows. Some vulnerabilities do not require the request message to use the correct SNMP community string.


<Prev in Thread] Current Thread [Next in Thread>

Archive operated by Skills 1st Ltd

See also: The NetView Web