Secure Your Network
Knoxville, TN, February 12, 2002 - A research group at the OULU university in Finland (the Oulu University Secure Programming Group, or OUSPG) devised an exhaustive test suite which sends thousands of malformed SNMPv1 packets to an agent. The test suite consists of two programs. The first generates get, getnext and set operations, and the second generates traps.
Some of these packets caused out-of-bound memory references on allocated memory arrays in our agent and manager products. On open systems, this generally has no effect, but in a few systems causes segmentation faults. On some embedded systems, some of these packets have caused system reboots.
Note that SNMP products by all vendors evaluated by this group failed. The range of malformed encodings was beyond that considered by all of the SNMP software designers. In the thirteen years SNMP Research's code has been in the field, none of these vulnerabilities have been encountered until now.
None of the malformed packets are known to create any security issues other than denial of service (through agents restarting or embedded system operating systems rebooting). Currently, there is no known way that these packets can cause, say, privileged access to a system.
We have been aware of these vulnerabilities since the OUSPG downloaded a copy of our CIAgent product for testing. These vulnerabilities were addressed immediately with changes issued shortly thereafter. All SNMP Research products (both source code and binary-only products) starting with release 15.3 or higher have been updated to address the vulnerabilities exposed by the OUSPG test suite and all known vulnerabilities including those not exposed by OUSPG have been addressed. Release 15.3 began shipping last year, i.e., in 2001, and all software support agreement customers have received the 15.3 upgrade or a 15.3 upgrade and a patch set. It is important that all customers apply and deploy the upgrade and patches.
No changes are needed for EMANATE® subagents and BRASSTM clients. Replacing the BRASS server or EMANATE master agent will address these vulnerabilities, unless your application parses SNMP packets from the wire (e.g., in a proxy application).
The CERT (The Computer Emergency Response Team), a semi-governmental organization based at Carnegie-Mellon, has been coordinating responses to this issue. Unfortunately, they requested that we not be proactive with our customers, to reduce public disclosure of the vulnerabilities until they are released by CERT. Many of our customers have been contacted directly either by CERT and OUSPG, and are thus aware of the problem.
We have supplied the following vendor statement to the CERT.
The most recent releases (15.3.1.7 and above) of all SNMP Research products address the vulnerabilities identified in the following CERT vulnerability advisories:
VU#854306 (Multiple vulnerabilities in SNMPv1 request handling)
VU#107186 (Multiple vulnerabilities in SNMPv1 trap handling)
A few of the malformed packets sent in these tests result in out of bound array references in allocated memory and minor memory leaks. No consequences, other than potential denial of service on some platforms, are known.
All customers who maintain a support contract have received either the new release or the appropriate patch sets to their 15.3.1.1 and later source code releases addressing these vulnerabilities. Users maintaining earlier releases should update to the current release if they have not already done so. Up-to-date information is available from support@snmp.com.
In discussions in various forums that have taken place since the CERT advisory was released, there have been issues raised about the security of SNMP, the protocol. SNMPv1 was originally designed in 1988 with little attention paid to security. Security has been a concern in later SNMP specifications. SNMPv3, the current specification of the protocol, is considered to be secure by most security experts for use both in enterprise networks and across the Internet.
While the OUSPG test suite does not test SNMPv3 per se, the packet decoding code exercised by the test suite is common across all versions of SNMP implemented by SNMP Research, and all SNMP Research releases starting with 15.3.1.7 contain changes addressing the issues raised by the OUSPG test suite. SNMP Research products support SNMPv1, SNMPv2C, and SNMPv3.
The primary business of SNMP Research International is creating, licensing, and supporting software for the management of networks, systems, applications, and legacy devices. Our objective is to help companies deploy standards-based management with shorter time-to-market, lower costs, and better fidelity to standards, which results in interoperability and less risk.
SNMP Research provides innovative solutions for extensible agent, manager station, and mid-level manager implementations that are based on SNMPv1, SNMPv2, SNMPv3, HTTP/HTML, and other protocols. SNMP Research provides products and services worldwide to end-users, Original Equipment Manufacturers (OEM), value-added resellers, and system integrators.