
Re: [nv-l] vulnerabilities in SNMPv1 trap handling

To: nv-l@lists.tivoli.com
Subject: Re: [nv-l] vulnerabilities in SNMPv1 trap handling
From: James Shanks <jshanks@us.ibm.com>
Date: Tue, 23 Sep 2003 16:47:52 -0400
Delivered-to: mailing list nv-l@lists.tivoli.com
Delivery-date: Tue, 23 Sep 2003 21:48:27 +0100
Envelope-to: nv-l-archive@lists.skills-1st.co.uk
List-help: <mailto:nv-l-help@lists.tivoli.com>
List-post: <mailto:nv-l@lists.tivoli.com>
List-subscribe: <mailto:nv-l-subscribe@lists.tivoli.com>
List-unsubscribe: <mailto:nv-l-unsubscribe@lists.tivoli.com>
Mailing-list: contact nv-l-help@lists.tivoli.com; run by ezmlm

This is VERY OLD news.  

CERT issued its warnings based on the OUSPG studies back in 2001.  All vulnerabilities in NetView were addressed in APARs which were incorporated into 6.0.3 and 7.1.1.  We refer to these from time to time as the CERT fixes.  The most notable effect on the user is in the implementation of the AdditionalLegalTrapCharacters environment variable you find mentioned in the trapd.log, the ovactiond.log, and the nvaction logs, and the fact that the dots in hostnames are now escaped when they are passed to a script.  These external indications prove that your code has the fixes in place.
netmon, snmpCollect, and MLM were also tested, and where required, fixed.

OUSPG delivered test routines in the form of Java executables which were downloadable from the CERT website.  We have them in house and we run them as a matter of course when we are regression testing fixes or new code before release.

Bottom line: Current NetView code is immune from these issues.

James Shanks
Level 3 Support  for Tivoli NetView for UNIX and Windows
Tivoli Software / IBM Software Group



"Qureshi, Fawad" <Fawad.Qureshi@ssa.gov>
09/23/2003 04:13 PM

To: "'nv-l@lists.tivoli.com'" <nv-l@lists.tivoli.com>
cc:
Subject: [nv-l] vulnerabilities in SNMPv1 trap handling



The following information was passed to me requesting comments on how Netview handles these vulnerabilities. I would appreciate any comments and / or feedback regarding this.
 
Multiple vulnerabilities in SNMPv1 trap handling
 
Multiple vendor SNMPv1 Trap handling implementations contain vulnerabilities that may allow unauthorized privileged access, denial-of-service conditions, or unstable behavior. If your site uses SNMP in any capacity, please read the following.
 
The Oulu University Secure Programming Group (OUSPG) has reported numerous vulnerabilities in multiple vendor SNMPv1 implementations. By applying the PROTOS c06-SNMPv1 test suite to a variety of popular SNMPv1-enabled products, the OUSPG revealed a number of vulnerabilities across a wide range of products. This vulnerability note focuses on vulnerabilities occurring in code responsible for SNMPv1 trap handling. SNMPv1 supports five different types of messages: GetRequest, SetRequest, GetNextRequest, GetResponse, and Trap. A single SNMP message is referred to as a Protocol Data Unit (PDU). These messages are described using Abstract Syntax Notation One (ASN.1) and translated into binary format using Basic Encoding Rules (BER). SNMP trap messages are sent from agents to managers. Trap messages are unsolicited (the manager does not issue a request message) and may indicate a warning or error condition or otherwise notify the manager about the agent's state. SNMP managers should reliably decode trap messages and process the resulting application data. OUSPG performed two sets of tests of SNMP trap message handling: one test focused on ASN.1 decoding, the second looked for exceptions in the processing of the decoded data.
 
The results yielded multiple vulnerabilities in both the ASN.1 decoding and the subsequent processing of SNMP trap messages by many different SNMP managers. Vulnerabilities include denial-of-service conditions, format string vulnerabilities, and buffer overflows. Some vulnerabilities do not require the request message to use the correct SNMP community string.
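As an added example (not code from this thread, from NetView, OUSPG or CERT), here is a Python decoder for the SNMPv1 Trap message the note describes, written the way a manager should "reliably decode trap messages": every BER length is checked against the bytes actually present before anything is indexed, so the truncated, overlong and inconsistent encodings that a PROTOS-style test suite sends are rejected with an exception instead of causing an out-of-bounds read. The sample trap, its enterprise OID, the agent address and the malformed variants are all constructed here for illustration.

```python
# Defensive SNMPv1 Trap-PDU decoder: an added example, not NetView, OUSPG or CERT code.
# Every length is checked against the bytes actually present, so truncated, overlong
# or inconsistent encodings raise MalformedTrap instead of being read past the buffer
# (the class of defect the PROTOS c06-SNMPv1 suite probes for). Sample data is constructed.

class MalformedTrap(ValueError):
    """Raised for any encoding the decoder refuses to process."""

MAX_LENGTH_OCTETS = 4  # longest BER long-form length accepted (32-bit); no indefinite form

def read_tlv(buf, pos, expect_tag=None):
    """Parse one BER TLV at buf[pos]; return (tag, value, next_pos) with all bounds checked."""
    if pos + 2 > len(buf):
        raise MalformedTrap("truncated at offset %d: need tag and length" % pos)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if expect_tag is not None and tag != expect_tag:
        raise MalformedTrap("tag 0x%02x where 0x%02x expected" % (tag, expect_tag))
    if first < 0x80:                      # short form: the octet is the length
        length = first
    else:                                 # long form: low bits count the length octets
        n = first & 0x7F
        if n == 0 or n > MAX_LENGTH_OCTETS:
            raise MalformedTrap("indefinite or oversized length form (0x%02x)" % first)
        if pos + n > len(buf):
            raise MalformedTrap("truncated inside length field")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if length > len(buf) - pos:
        raise MalformedTrap("length %d exceeds the %d bytes remaining" % (length, len(buf) - pos))
    return tag, buf[pos:pos + length], pos + length

def decode_int(value, signed=True):
    """Decode a BER integer of at most 5 octets (32-bit value plus a sign octet)."""
    if not 1 <= len(value) <= 5:
        raise MalformedTrap("integer encoded in %d octets" % len(value))
    return int.from_bytes(value, "big", signed=signed)

def decode_oid(value):
    """Decode a BER OBJECT IDENTIFIER to dotted form; reject empty or unterminated arcs."""
    if not value:
        raise MalformedTrap("empty OID")
    arcs, sub, nbits = [value[0] // 40, value[0] % 40], 0, 0
    for b in value[1:]:
        sub, nbits = (sub << 7) | (b & 0x7F), nbits + 7
        if nbits > 35:
            raise MalformedTrap("OID sub-identifier wider than 32 bits")
        if not b & 0x80:                  # continuation bit clear: arc complete
            arcs.append(sub)
            sub, nbits = 0, 0
    if nbits:
        raise MalformedTrap("OID ends inside a sub-identifier")
    return ".".join(str(a) for a in arcs)

def decode_trap(pkt):
    """Decode a complete SNMPv1 Trap message into a dict, or raise MalformedTrap."""
    _, msg, end = read_tlv(pkt, 0, 0x30)
    if end != len(pkt):
        raise MalformedTrap("trailing bytes after message")
    _, ver, p = read_tlv(msg, 0, 0x02)
    if decode_int(ver) != 0:
        raise MalformedTrap("not an SNMPv1 message")
    _, community, p = read_tlv(msg, p, 0x04)
    _, pdu, p = read_tlv(msg, p, 0xA4)        # [4] IMPLICIT Trap-PDU
    if p != len(msg):
        raise MalformedTrap("trailing bytes after Trap-PDU")
    _, ent, q = read_tlv(pdu, 0, 0x06)
    _, addr, q = read_tlv(pdu, q, 0x40)        # IpAddress = APPLICATION 0, 4 octets
    if len(addr) != 4:
        raise MalformedTrap("agent-addr is not 4 octets")
    _, gen, q = read_tlv(pdu, q, 0x02)
    _, spec, q = read_tlv(pdu, q, 0x02)
    _, ticks, q = read_tlv(pdu, q, 0x43)       # TimeTicks = APPLICATION 3
    _, vbl, q = read_tlv(pdu, q, 0x30)
    if q != len(pdu):
        raise MalformedTrap("trailing bytes after variable-bindings")
    generic = decode_int(gen)
    if not 0 <= generic <= 6:
        raise MalformedTrap("generic-trap %d out of range" % generic)
    varbinds, r = [], 0
    while r < len(vbl):
        _, vb, r = read_tlv(vbl, r, 0x30)
        _, oid, s = read_tlv(vb, 0, 0x06)
        vtag, val, s = read_tlv(vb, s)         # the value may carry any tag
        if s != len(vb):
            raise MalformedTrap("trailing bytes in VarBind")
        varbinds.append((decode_oid(oid), vtag, val))
    return {"community": community.decode("latin-1"), "enterprise": decode_oid(ent),
            "agent_addr": ".".join(str(b) for b in addr), "generic_trap": generic,
            "specific_trap": decode_int(spec), "time_stamp": decode_int(ticks, signed=False),
            "varbinds": varbinds}

def check_trap(pkt):
    """Per-datagram receive-loop behaviour: a bad PDU is logged as rejected, never left to crash."""
    try:
        decode_trap(pkt)
        return "accepted"
    except MalformedTrap as exc:
        return "rejected: %s" % exc

def tlv(tag, body):
    """Minimal BER encoder used only to construct the sample traps below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_trap(enterprise=b"\x2b\x06\x01\x04\x01\x02"):
    """Constructed sample: enterprise 1.3.6.1.4.1.2 trap from 192.0.2.10 with one varbind."""
    varbind = tlv(0x30, tlv(0x06, b"\x2b\x06\x01\x04\x01\x02\x01\x00") + tlv(0x04, b"link down"))
    pdu = (tlv(0x06, enterprise) + tlv(0x40, bytes([192, 0, 2, 10])) + tlv(0x02, b"\x06")
           + tlv(0x02, b"\x01") + tlv(0x43, b"\x30\x39") + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"public") + tlv(0xA4, pdu))

def malformed_samples():
    """Constructed inputs of the kinds a test suite sends; each must be rejected cleanly."""
    good = build_trap()
    return {
        "outer length overruns datagram": bytes([0x30, 0x7F]) + good[2:],
        "32-bit long-form length": bytes([0x30, 0x84, 0xFF, 0xFF, 0xFF, 0xFF]) + good[2:],
        "5-octet length form": bytes([0x30, 0x85, 0, 0xFF, 0xFF, 0xFF, 0xFF]) + good[2:],
        "truncated inside Trap-PDU": tlv(0x30, good[2:30]),
        "OID ends mid sub-identifier": build_trap(enterprise=b"\x2b\x86"),
    }

if __name__ == "__main__":
    print(decode_trap(build_trap()))
    for name, pkt in malformed_samples().items():
        print("%-32s %s" % (name, check_trap(pkt)))
```

The design point is that the length check happens in one place, `read_tlv`, before any slice is taken, and that every enclosing structure is checked for trailing bytes; a decoder that trusts a BER length and copies that many bytes into a fixed buffer is exactly where the buffer overflows the note mentions arise. Note that none of the rejections above depends on the community string, matching the note's remark that some of the vulnerabilities do not require a correct community.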
 


Archive operated by Skills 1st Ltd
