topic Re: SNMP vulnerabilities in Operating System - HP-UX

SNMP vulnerabilities

Fenglin — Wed, 26 Nov 2008 03:22:17 GMT

I have received the following vulnerabilities

1)SNMPv1Discovery: SNMP version 1 detected
2)SNMPv2Discovery: SNMP version 2 detected

Details are as follows
SNMP (Simple Network Management Protocol) is the primary standard for Internet network management. SNMP services are included
in almost every operating system, router, switch, cable or DSL modem, and firewall. Various implementations of SNMPv1 are vulnerable
to a wide range of attacks. Incorrectly formatted input in SNMP messages can crash the operating systems and devices that use SNMP.
These vulnerabilities may be possible to exploit remotely, allowing an attacker to compromise remote systems and devices. SNMP
packets containing invalid fields or data lengths can indicate an attack against SNMP.

What are the solutions available?I got referred to CERT Advisory CA-2002-03 but not sure what needs to be done.

Thanks a lot.

Re: SNMP vulnerabilities

TTr — Wed, 26 Nov 2008 18:33:37 GMT

I assume this is in your HP network printers with jetdirect printservers. If you look in the CERT advisory under the vendor section you will see the following
JetDirect Firmware Version State
========================== =====
-->> X.08.32 and lower VULNERABLE
-->> (where X = A through K)
-->> X.21.00 and higher NOT vulnerable
-->> (where X = L through P)

You can upgrade the firmware on your printservers to version L.21.00 or higher.

If you don't use the SNMP service, you can disable it. Connect to the jetdirect printserver via telnet or a web browser and disable it. Not that not all jetdirect models allow you to disable it.

Re: SNMP vulnerabilities

Fenglin — Thu, 27 Nov 2008 02:13:27 GMT

Hi

It has nothing to do with network printers. Our environments host websites. So we are mainly concerned with people who can hack into our systems. The vulnerabilities indicated are what need to be resolved.

For your necessary advice.

Regards
Feng Lin

Re: SNMP vulnerabilities

TTr — Thu, 27 Nov 2008 12:21:13 GMT

You posted your question in the "prinservers" forum without any details.

So do you have SNMP running anywhere? SNMP could be running on any network device such as a server, a network printer, a network switch, a fiber switch, a disk array etc. You need to find out if you have it running and upgrade it as per the CERT alert and each vendor's recommendation. If you do not use the snmp service to get status information on each device you should turn it off.

Re: SNMP vulnerabilities

Fenglin — Fri, 28 Nov 2008 10:21:37 GMT

Sorry..

SNMP version 2 is installed on the HP-UX servers and we have received the vulnerabilities indicated in my first post.

Does this mean I need to upgrade to version 3? Are there other alternatives? Any patches will solve this issue in SNMP version 2? We need snmp for monitoring purposes.

Regards
Feng Lin

Re: SNMP vulnerabilities

TTr — Fri, 28 Nov 2008 14:15:56 GMT

What HP-UX version do you have? There are patches available and are mentioned in the advisory under the "Hewlett Packard" section.
http://www.cert.org/advisories/CA-2002-03.html

SOLUTION: Apply patches or implement workarounds. See below.
For HP-UX releases:
PHSS_26137 s700_800 HP-UX 10.20 OV EMANATE14.2 Agent
PHSS_26138 s700_800 HP-UX 11.X OV EMANATE14.2 Agent
PSOV_03087 Solaris 2.X EMANATE Release 14.2
For systems running OV NNM:
PHSS_26286 s700_800 HP-UX 10.20 ovtrapd large trap fix
PHSS_26287 s700_800 HP-UX 11.X ovtrapd large trap fix
PSOV_03100 Solaris 2.X ovtrapd large trap fix
NNM_00857 NT 4.X/Windows 2000 ovtrapd large trap fix

Re: SNMP vulnerabilities

Dennis Handly — Sat, 29 Nov 2008 06:48:40 GMT

I have asked the moderators to move this to HP-UX > security.

Re: SNMP vulnerabilities

Bill Hassell — Sat, 29 Nov 2008 23:39:48 GMT

Do you actually use SNMP on these systems? If not, just turn off all the SNMP settings in the files: /etc/rc.config.d/Snmp*

Re: SNMP vulnerabilities

Fenglin — Mon, 01 Dec 2008 05:46:45 GMT

Hi

Does patch PHSS_26138 solve the following vulnerabilitie

1) snmp: SNMP can reveal possibly sensitive information about hosts
2) Snmp Get Public Community: SNMP_Get able to retrieve Public Community Name
3) SnmpSysdescr: SNMP SysDescr variable can be returned from remote system

If no, what are the patches that solve the above errors?

FYI, my HP_UX servers are B.11.23.

Thanks a lot.

Re: SNMP vulnerabilities

Dennis Handly — Mon, 01 Dec 2008 08:43:27 GMT

>Does patch PHSS_26138 solve the following vulnerabilities?

It isn't for 11.23.

>what are the patches that solve the above errors?

Have you looked up CA-2002-03 so see what patches it suggests for HP-UX?

Re: SNMP vulnerabilities

Fenglin — Mon, 01 Dec 2008 10:24:02 GMT

Hi Dennis

I didnt find them on the CA-2002-03. That's why I am asking help from you.

Does PHSS_27858 help? need confirmation from you.

Thanks in advance.

Re: SNMP vulnerabilities

TTr — Mon, 01 Dec 2008 13:38:24 GMT

PHSS_27858 is not for 11.23 either. I would think that your HP-UX 11.23 is newer than 2002 Q3 which is when this CERT alert came out.
Going back to your original question,
> 1)SNMPv1Discovery: SNMP version 1 detected
> 2)SNMPv2Discovery: SNMP version 2 detected
I assume these were reported during a security scan. But were these two reported as actual vulnerabilities or as warnings? These security scans will report if certain services are running even if there is no vulnerability in them. Typically they report alerts if telnet, ftp, SMTP, SNMP and other common services that connect with outside the server.
So the question is, is there really a vulnerability in these two SNMP servers or simply a warning?

On another note installing the latest 11.23 patches for SNMP is always a good idea.

Re: SNMP vulnerabilities

Dennis Handly — Tue, 02 Dec 2008 01:05:29 GMT

>I didn't find them on the CA-2002-03.

If your security bulletin doesn't say how to fix it, it is next to useless.

>Does PHSS_27858 help?

As I mentioned before, no. It isn't for 11.23.

You should be using SWA to do your security checking:
http://www.hp.com/go/swa

You should also sign up for "ITRC security bulletins and patches sign-up":
https://h30046.www3.hp.com/subchoice/country/us/en/subscribe.aspx?subs=ITRC

Here are some other lld threads:
http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=124304
http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=123208

Re: SNMP vulnerabilities

Fenglin — Tue, 02 Dec 2008 02:16:26 GMT

hi TTr and dennis

What TTr say is correct. The SNMP version 1 and 2 are reported as vulnerabilities by our security team. Criticalities are high for them. Based on the CERT Advisory CA-2002-03,I don't find the right info useful to fix the issue.

Where to download the patches 11.23 snmp?I have been trying to look for them. How to search for them?

Thanks
Feng Lin

Re: SNMP vulnerabilities

Johnson Punniyalingam — Tue, 02 Dec 2008 02:57:06 GMT

Hi,

>>CERT Advisory CA-2002-03>>

have they mentioned what patch need's to be patched..? if yes

you can follow the below Link, type-in the Patch_name and download

http://search.hp.com/query.html?charset=iso-8859-1&lk=1&la=en&nh=10&rf=0&qs=&hpvc=sitewide&uf=1&st=1&qt=PHCO_35524

Thanks,
JOhnson

Re: SNMP vulnerabilities

Dennis Handly — Tue, 02 Dec 2008 07:07:42 GMT

>The SNMP version 1 and 2 are reported as vulnerabilities by our security team. Based on the CERT Advisory CA-2002-03, I don't find the right info useful to fix the issue.

Because 11.23 doesn't have this problem. It isn't listed on TTr's CERT URL.

>Where to download the patches 11.23 snmp?

There isn't any. Searching the HP-UX patch database for snmpd and 11.23 doesn't find any.

Re: SNMP vulnerabilities

Fenglin — Tue, 02 Dec 2008 07:27:50 GMT

Hi Dennis

Then how come the security team come up with these vulnerabilities on the HP-UX B.11.23 servers? Or how I should prove that these vulnerabilities are not harmful to our B.11.23 servers?

Regards
Feng Lin

Re: SNMP vulnerabilities

Dennis Handly — Tue, 02 Dec 2008 07:54:13 GMT

>Then how come the security team come up with these vulnerabilities on the HP-UX B.11.23 servers?

No clue. Where is a CERT URL that says this?

>Or how I should prove that these vulnerabilities are not harmful to our B.11.23 servers?

Isn't that their job?

Your initial text says:
Various implementations of SNMPv1 are vulnerable

This isn't one of the "various".

Re: SNMP vulnerabilities

TTr — Wed, 03 Dec 2008 17:06:16 GMT

The CA-2002-03 is the latest CERT alert that has to do with SNMP. As Dennis said it does not apply to 11.23.

On another thought is it possible you are NOT using the HP-UX snmp agents and you have installed some other SNMP agents from another monitoring system's software? Where do the SNMP agents that you have running on your 11.23 HP-UX server connect to? Check the snmp processes that you have running on the HP-UX server and verify which ones they are.

Re: SNMP vulnerabilities

Fenglin — Thu, 04 Dec 2008 02:55:08 GMT

May I know how do you prove that it does not apply to B.11.23 servers?

Can I assume that there are firewall rules that restrict the SNMP access? The objective is to prove that these vulnerabilities won't affect my system.