
SNMP vulnerabilities

 
Fenglin
Regular Advisor

SNMP vulnerabilities

I have received the following vulnerabilities

1)SNMPv1Discovery: SNMP version 1 detected
2)SNMPv2Discovery: SNMP version 2 detected

Details are as follows
SNMP (Simple Network Management Protocol) is the primary standard for Internet network management. SNMP services are included
in almost every operating system, router, switch, cable or DSL modem, and firewall. Various implementations of SNMPv1 are vulnerable
to a wide range of attacks. Incorrectly formatted input in SNMP messages can crash the operating systems and devices that use SNMP.
These vulnerabilities may be possible to exploit remotely, allowing an attacker to compromise remote systems and devices. SNMP
packets containing invalid fields or data lengths can indicate an attack against SNMP.

What are the solutions available? I got referred to CERT Advisory CA-2002-03 but not sure what needs to be done.

Thanks a lot.
TTr
Honored Contributor

Re: SNMP vulnerabilities

I assume this is in your HP network printers with jetdirect printservers. If you look in the CERT advisory under the vendor section you will see the following
JetDirect Firmware Version State
========================== =====
-->> X.08.32 and lower VULNERABLE
-->> (where X = A through K)
-->> X.21.00 and higher NOT vulnerable
-->> (where X = L through P)

You can upgrade the firmware on your printservers to version L.21.00 or higher.

If you don't use the SNMP service, you can disable it. Connect to the jetdirect printserver via telnet or a web browser and disable it. Note that not all jetdirect models allow you to disable it.
Fenglin
Regular Advisor

Re: SNMP vulnerabilities

Hi

It has nothing to do with network printers. Our environments host websites. So we are mainly concerned with people who can hack into our systems. The vulnerabilities indicated are what need to be resolved.

For your necessary advice.

Regards
Feng Lin
TTr
Honored Contributor

Re: SNMP vulnerabilities

You posted your question in the "printservers" forum without any details.

So do you have SNMP running anywhere? SNMP could be running on any network device such as a server, a network printer, a network switch, a fiber switch, a disk array etc. You need to find out if you have it running and upgrade it as per the CERT alert and each vendor's recommendation. If you do not use the snmp service to get status information on each device you should turn it off.
Fenglin
Regular Advisor

Re: SNMP vulnerabilities

Sorry..

SNMP version 2 is installed on the HP-UX servers and we have received the vulnerabilities indicated in my first post.

Does this mean I need to upgrade to version 3? Are there other alternatives? Any patches will solve this issue in SNMP version 2? We need snmp for monitoring purposes.

Regards
Feng Lin
TTr
Honored Contributor

Re: SNMP vulnerabilities

What HP-UX version do you have? There are patches available and are mentioned in the advisory under the "Hewlett Packard" section.
http://www.cert.org/advisories/CA-2002-03.html

SOLUTION: Apply patches or implement workarounds. See below.
For HP-UX releases:
PHSS_26137 s700_800 HP-UX 10.20 OV EMANATE14.2 Agent
PHSS_26138 s700_800 HP-UX 11.X OV EMANATE14.2 Agent
PSOV_03087 Solaris 2.X EMANATE Release 14.2
For systems running OV NNM:
PHSS_26286 s700_800 HP-UX 10.20 ovtrapd large trap fix
PHSS_26287 s700_800 HP-UX 11.X ovtrapd large trap fix
PSOV_03100 Solaris 2.X ovtrapd large trap fix
NNM_00857 NT 4.X/Windows 2000 ovtrapd large trap fix
Dennis Handly
Acclaimed Contributor

Re: SNMP vulnerabilities

I have asked the moderators to move this to HP-UX > security.
Bill Hassell
Honored Contributor

Re: SNMP vulnerabilities

Do you actually use SNMP on these systems? If not, just turn off all the SNMP settings in the files: /etc/rc.config.d/Snmp*


Bill Hassell, sysadmin
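
An added example, not part of the post above and not HP's own tooling: a POSIX shell helper that lists the start flags in the `/etc/rc.config.d/Snmp*` files, so you can confirm which SNMP agents are still set to start at boot. The `*_START=1` convention, the sample file names and the variable names are assumptions, and the sample directory is constructed.

```shell
#!/bin/sh
# Added example: list SNMP start flags found under rc.config.d.
# Assumption: each Snmp* file holds shell-style NAME_START=<digit> lines,
# where 1 means the agent is started at boot and 0 means it is not.

# snmp_start_flags [DIR] -> prints "file:VARIABLE=value" per active assignment.
snmp_start_flags() {
    dir=${1:-/etc/rc.config.d}
    for f in "$dir"/Snmp*; do
        [ -f "$f" ] || continue
        # Commented-out lines start with '#', so the anchored pattern skips them.
        sed -n 's/^[[:space:]]*\([A-Z0-9_]*_START\)="*\([0-9]*\).*/\1=\2/p' "$f" |
        while IFS= read -r line; do
            printf '%s:%s\n' "$(basename "$f")" "$line"
        done
    done
}

# snmp_enabled_count [DIR] -> number of flags still set to 1.
snmp_enabled_count() {
    snmp_start_flags "$1" | grep -c '=1$' || true
}

# Constructed sample standing in for /etc/rc.config.d (not from a real host).
make_sample() {
    d=$(mktemp -d)
    printf '# master agent\nSNMP_MASTER_START=1\n' > "$d/SnmpMaster"
    printf 'SNMP_HPUNIX_START=0\n' > "$d/SnmpHpunix"
    printf '#SNMP_MIB2_START=0\nSNMP_MIB2_START="1"\n' > "$d/SnmpMib2"
    printf 'OTHER_START=1\n' > "$d/netconf"   # not an Snmp* file, ignored
    echo "$d"
}

sample=$(make_sample)
snmp_start_flags "$sample"
echo "enabled: $(snmp_enabled_count "$sample")"
rm -rf "$sample"
```

On a real host, call `snmp_start_flags` with no argument to read `/etc/rc.config.d` directly; a count of 0 means no agent is configured to start at the next boot.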
Fenglin
Regular Advisor

Re: SNMP vulnerabilities

Hi

Does patch PHSS_26138 solve the following vulnerabilities?

1) snmp: SNMP can reveal possibly sensitive information about hosts
2) Snmp Get Public Community: SNMP_Get able to retrieve Public Community Name
3) SnmpSysdescr: SNMP SysDescr variable can be returned from remote system

If no, what are the patches that solve the above errors?

FYI, my HP-UX servers are B.11.23.

Thanks a lot.
Dennis Handly
Acclaimed Contributor

Re: SNMP vulnerabilities

>Does patch PHSS_26138 solve the following vulnerabilities?

It isn't for 11.23.

>what are the patches that solve the above errors?

Have you looked up CA-2002-03 to see what patches it suggests for HP-UX?
Fenglin
Regular Advisor

Re: SNMP vulnerabilities

Hi Dennis

I didn't find them on the CA-2002-03. That's why I am asking help from you.

Does PHSS_27858 help? Need confirmation from you.

Thanks in advance.
TTr
Honored Contributor

Re: SNMP vulnerabilities

PHSS_27858 is not for 11.23 either. I would think that your HP-UX 11.23 is newer than 2002 Q3 which is when this CERT alert came out.
Going back to your original question,
> 1)SNMPv1Discovery: SNMP version 1 detected
> 2)SNMPv2Discovery: SNMP version 2 detected
I assume these were reported during a security scan. But were these two reported as actual vulnerabilities or as warnings? These security scans will report if certain services are running even if there is no vulnerability in them. Typically they report alerts for telnet, ftp, SMTP, SNMP and other common services that connect outside the server.
So the question is, is there really a vulnerability in these two SNMP servers or simply a warning?

On another note installing the latest 11.23 patches for SNMP is always a good idea.
Dennis Handly
Acclaimed Contributor

Re: SNMP vulnerabilities

>I didn't find them on the CA-2002-03.

If your security bulletin doesn't say how to fix it, it is next to useless.

>Does PHSS_27858 help?

As I mentioned before, no. It isn't for 11.23.

You should be using SWA to do your security checking:
http://www.hp.com/go/swa

You should also sign up for "ITRC security bulletins and patches sign-up":
https://h30046.www3.hp.com/subchoice/country/us/en/subscribe.aspx?subs=ITRC

Here are some other old threads:
http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=124304
http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=123208
Fenglin
Regular Advisor

Re: SNMP vulnerabilities

Hi TTr and Dennis

What TTr says is correct. The SNMP version 1 and 2 are reported as vulnerabilities by our security team. Criticalities are high for them. Based on the CERT Advisory CA-2002-03, I don't find the right info useful to fix the issue.

Where to download the patches 11.23 snmp? I have been trying to look for them. How to search for them?

Thanks
Feng Lin
Johnson Punniyalingam
Honored Contributor

Re: SNMP vulnerabilities

Hi,

>>CERT Advisory CA-2002-03>>

Have they mentioned what patch needs to be patched? If yes,

you can follow the link below, type in the patch name and download

http://search.hp.com/query.html?charset=iso-8859-1&lk=1&la=en&nh=10&rf=0&qs=&hpvc=sitewide&uf=1&st=1&qt=PHCO_35524

Thanks,
Johnson
Problems are common to all, but attitude makes the difference
Dennis Handly
Acclaimed Contributor

Re: SNMP vulnerabilities

>The SNMP version 1 and 2 are reported as vulnerabilities by our security team. Based on the CERT Advisory CA-2002-03, I don't find the right info useful to fix the issue.

Because 11.23 doesn't have this problem. It isn't listed on TTr's CERT URL.

>Where to download the patches 11.23 snmp?

There isn't any. Searching the HP-UX patch database for snmpd and 11.23 doesn't find any.

Fenglin
Regular Advisor

Re: SNMP vulnerabilities

Hi Dennis

Then how come the security team come up with these vulnerabilities on the HP-UX B.11.23 servers? Or how I should prove that these vulnerabilities are not harmful to our B.11.23 servers?

Regards
Feng Lin
Dennis Handly
Acclaimed Contributor

Re: SNMP vulnerabilities

>Then how come the security team come up with these vulnerabilities on the HP-UX B.11.23 servers?

No clue. Where is a CERT URL that says this?

>Or how I should prove that these vulnerabilities are not harmful to our B.11.23 servers?

Isn't that their job?

Your initial text says:
Various implementations of SNMPv1 are vulnerable

This isn't one of the "various".
TTr
Honored Contributor
Solution

Re: SNMP vulnerabilities

The CA-2002-03 is the latest CERT alert that has to do with SNMP. As Dennis said it does not apply to 11.23.

On another thought is it possible you are NOT using the HP-UX snmp agents and you have installed some other SNMP agents from another monitoring system's software? Where do the SNMP agents that you have running on your 11.23 HP-UX server connect to? Check the snmp processes that you have running on the HP-UX server and verify which ones they are.
Fenglin
Regular Advisor

Re: SNMP vulnerabilities

May I know how do you prove that it does not apply to B.11.23 servers?

Can I assume that there are firewall rules that restrict the SNMP access? The objective is to prove that these vulnerabilities won't affect my system.

TTr
Honored Contributor

Re: SNMP vulnerabilities

HP-UX 11.23 came out for the first time in October 2003. The cert advisory CA-2002-03 is from Q3 of 2002 and there were no other advisories about snmp after that one. You still did not answer if the snmp agents that were detected running on your 11.23 server are the native HP-UX ones (came with HP-UX) or some add-on snmp agents that were supplied by your monitoring system. Also I am not convinced from your answers that the network scan really detected the SNMP vulnerability or simply detected that you run SNMP.
Dennis Handly
Acclaimed Contributor

Re: SNMP vulnerabilities

>May I know how do you prove that it does not apply to B.11.23 servers?

Because the CERT URL doesn't mention B.11.23.

And using improper circular reasoning, because there is no patch for it. :-)

>Can I assume that there are firewall rules that restrict the SNMP access?

I assume that the fix was to check for garbage SNMP requests.