CVE-2002-0012
CVSS 10.0
Published: 2002-02-13 00:00:00
Last revised: 2008-09-10 15:11:03

[Original] Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available.


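[CNNVD] Vulnerabilities in trap handling in multiple vendors' SNMP implementations (CNNVD-200202-007)

        SNMP traps are messages that an agent system sends to a management system; they typically notify the management system that some event has occurred or provide information about the agent's status.
        Multiple vulnerabilities exist in many vendors' SNMP implementations. They occur in the decoding and interpretation of SNMP trap messages.
        These vulnerabilities can cause a denial of service, and an attacker may be able to compromise the target system. The impact varies from one affected product to another.
        Microsoft has confirmed that if the SNMP service is enabled, a remote attacker can execute arbitrary code on the target host.
        HP has confirmed that an oversized trap can crash OpenView Network Node Manager, possibly because of a buffer overflow.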
        

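- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete shutdown of the system]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: NETWORK [the attacker does not need internal-network or local access]
Authentication: NONE [exploitation requires no authentication]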

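- CWE (weakness category)

CWE-264 [Permissions, Privileges, and Access Controls]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available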

- OVAL (technical details for detection)

oval:org.mitre.oval:def:161 Windows NT SNMPv1 Trap Handling DoS and Privilege Escalation
oval:org.mitre.oval:def:144 Windows 2000 SNMPv1 Trap Handling DoS and Privilege Escalation (Test 1)
oval:org.mitre.oval:def:1048 SNMP Trap Handling Vulnerability
*OVAL describes in detail how to detect this vulnerability; further technical details on detection can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0012
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0012
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200202-007
(Official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/107186
(VENDOR_ADVISORY)  CERT-VN  VU#107186
http://www.cert.org/advisories/CA-2002-03.html
(VENDOR_ADVISORY)  CERT  CA-2002-03
http://www.securityfocus.com/bid/5043
(PATCH)  BID  5043
http://www.securityfocus.com/advisories/4211
(VENDOR_ADVISORY)  HP  HPSBMP0206-015
http://www.microsoft.com/technet/security/bulletin/MS02-006.asp
(VENDOR_ADVISORY)  MS  MS02-006
ftp://patches.sgi.com/support/free/security/advisories/20020201-01-A
(VENDOR_ADVISORY)  SGI  20020201-01-A
http://www.redhat.com/support/errata/RHSA-2001-163.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2001:163
http://www.iss.net/security_center/alerts/advise110.php
(VENDOR_ADVISORY)  ISS  20020212 PROTOS Remote SNMP Attack Tool
http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html
(UNKNOWN)  MISC  http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html

- Vulnerability information

Vulnerabilities in trap handling in multiple vendors' SNMP implementations
Critical  Design error
2002-02-13 00:00:00 2005-10-20 00:00:00
Remote
        
        

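- Advisories and patches

        Workarounds:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Temporarily disable the SNMP service. If you do not need SNMP, disable it immediately.
        * Restrict access to the SNMP service ports of the protected network at the border router or firewall.
        The ports that usually need to be restricted are:
        snmp 161/udp # Simple Network Management Protocol (SNMP)
        snmp 162/udp # SNMP system management messages
        For some affected products, the following services also need to be restricted:
        snmp 161/tcp # Simple Network Management Protocol (SNMP)
        snmp 162/tcp # SNMP system management messages
        smux 199/tcp # SNMP Unix Multiplexer
        smux 199/udp # SNMP Unix Multiplexer
        synoptics-relay 391/tcp # SynOptics SNMP Relay Port
        synoptics-relay 391/udp # SynOptics SNMP Relay Port
        agentx 705/tcp # AgentX
        snmp-tcp-port 1993/tcp # cisco SNMP TCP port
        snmp-tcp-port 1993/udp # cisco SNMP TCP port
        In addition, some SNMP-related RPC services may also need to be restricted:
        snmp 100122 na.snmp snmp-cmc snmp-synoptics snmp-unisys snmp-utk
        snmpv2 100138 na.snmpv2 # SNM Version 2.2.2
        snmpXdmid 100249
        * Block SNMP access from unauthorized internal hosts.
        Because usually only a few management hosts need SNMP access, you can apply access control on the SNMP agent host to reject SNMP requests from unauthorized internal hosts.
        * Change the default SNMP community strings.
        Changing the default read-only and read-write community strings, such as "public" and "private", prevents some attacks. However, some attacks do not even require a valid community string.
        Vendor patches: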
        3Com
        ----
        The vendor has released upgrade patches that fix this security issue; download them from the vendor's site:
        3com PS Hub 40 :
        3com Upgrade psh02_16.exe
        ftp://ftp.3com.com/pub/superstack-ii/superstack-ii-ps-hub-40/psh02_16.exe
        3com PS Hub 50 :
        3com Upgrade psf02_16.exe
        ftp://ftp.3com.com/pub/superstack-ii/superstack-ii-ps-hub-50/psf02_16.exe
        3com Dual Speed Hub :
        3com Upgrade dsh02_16.exe
        ftp://ftp.3com.com/pub/superstack-ii/superstack-ii-hub-500/dsh02_16.exe
        3com Switch 1100 :
        3com Upgrade s2s02_68.exe
        ftp://ftp.3com.com/pub/superstack-ii/superstack-ii-1100/s2s02_68.exe
        3com Switch 4400 :
        3com Upgrade s3m02_02.exe
        ftp://ftp.3com.com/pub/superstack_3/switch_4400/s3m02_02.exe
        3com Switch 4900 :
        3com Upgrade s3g02_04.exe
        
        http://www.3com.com/en_US/layer3/register.html

        3com Switch 3300 :
        3com Upgrade s2s02_68.exe
        ftp://ftp.3com.com/pub/superstack-ii/superstack-ii-1100/s2s02_68.exe
        3com WebCache 1000 :
        3com Upgrade s3b_02_00.bin
        ftp://ftp.3com.com/pub/webcache/agents/s3b_02_00.bin
        3com WebCache 3000 :
        3com Upgrade s3b_02_00.bin
        ftp://ftp.3com.com/pub/webcache/agents/s3b_02_00.bin
        Caldera
        -------
        Caldera has released a security advisory (CSSA-2002-004.0) and corresponding patches for this issue:
        CSSA-2002-004.0:Linux - Various security problems in ucd-snmp
        Link:
        http://www.caldera.com/support/security/advisories/CSSA-2002-004.0.txt

        Cisco
        -----
        Cisco has released a security advisory (Cisco-malformed-snmp-msgs-pub) and corresponding patches for this issue:
        Cisco-malformed-snmp-msgs-pub:Malformed SNMP Message-Handling Vulnerabilities
        Link:
        http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml

        Patch downloads:
        Debian
        ------
        Debian has released a security advisory (DSA-111-1) and corresponding patches for this issue:
        DSA-111-1:Multiple SNMP vulnerabilities
        Link:
        http://www.debian.org/security/2002/dsa-111

        Patch downloads:
        Debian Upgrade libsnmp4.1-dev_4.1.1-2.1_alpha.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-alpha/libsnmp4.1-dev_4.1.1-2.1_alpha.deb

        Debian Upgrade libsnmp4.1_4.1.1-2.1_alpha.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-alpha/libsnmp4.1_4.1.1-2.1_alpha.deb

        Debian Upgrade snmp_4.1.1-2.1_alpha.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-alpha/snmp_4.1.1-2.1_alpha.deb

        Debian Upgrade snmpd_4.1.1-2.1_alpha.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-alpha/snmpd_4.1.1-2.1_alpha.deb

        Debian Upgrade libsnmp4.1-dev_4.1.1-2.1_arm.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-arm/libsnmp4.1-dev_4.1.1-2.1_arm.deb

        Debian Upgrade libsnmp4.1_4.1.1-2.1_arm.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-arm/libsnmp4.1_4.1.1-2.1_arm.deb

        Debian Upgrade snmp_4.1.1-2.1_arm.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-arm/snmp_4.1.1-2.1_arm.deb

        Debian Upgrade snmpd_4.1.1-2.1_arm.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-arm/snmpd_4.1.1-2.1_arm.deb

        Debian Upgrade libsnmp4.1-dev_4.1.1-2.1_i386.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-i386/libsnmp4.1-dev_4.1.1-2.1_i386.deb

        Debian Upgrade libsnmp4.1_4.1.1-2.1_i386.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-i386/libsnmp4.1_4.1.1-2.1_i386.deb

        Debian Upgrade snmp_4.1.1-2.1_i386.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-i386/snmp_4.1.1-2.1_i386.deb

        Debian Upgrade snmpd_4.1.1-2.1_i386.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-i386/snmpd_4.1.1-2.1_i386.deb

        Debian Upgrade libsnmp4.1-dev_4.1.1-2.1_m68k.deb
        

- Vulnerability information

810
Multiple Vendor Malformed SNMP Trap Handling DoS
Remote / Network Access Denial of Service, Input Manipulation
Loss of Availability
Exploit Public

- Vulnerability description

Many SNMP implementations contain flaws that may allow a remote denial of service. The issue is triggered by exploiting flaws in the way the SNMPv1 protocol processes traps, and will result in loss of availability for the platform.

- Timeline

2002-02-12 Unknown
2002-02-12 Unknown

- Solution

Refer to vendor-specific advisory for upgrades and workarounds on affected products.

- Vulnerability information

HP MPE/iX Malformed SNMP Vulnerability
Failure to Handle Exceptional Conditions 5043
Yes No
2002-06-18 12:00:00 2009-07-11 01:56:00
Discovered by the Oulu University Secure Programming Group.

- Affected software versions

HP MPE/iX 7.0
HP MPE/iX 6.5
HP MPE/iX 6.0
HP MPE/iX 5.5
HP MPE/iX 5.0
HP MPE/iX 4.5
HP MPE/iX 4.0

- Discussion

MPE/iX is an Internet-ready operating system for the HP e3000 class servers.

A problem with MPE/iX may allow remote attackers to exploit the SNMP protocol implementation.

Multiple vulnerabilities have been discovered in a number of SNMP implementations. This vulnerability entry is for the HP MPE/iX implementation, identifying the "Multiple Vendor SNMP Trap Handling Vulnerabilities" described in BID 4088, and "Multiple Vendor SNMP Request Handling Vulnerabilities" discussed in BID 4089.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Patches are available:


HP MPE/iX 6.0
  • HP SNMGDL9A
    This patch is dependent on the following patches: NMSGDF2A or later NMS patch (NMSGDF2A is GR) NMCGDF3A or later NMC patch (NMCGDM4A is GR)
    http://itrc.hp.com


HP MPE/iX 6.5
  • HP SNMGDM0A
    This patch is dependent on the following patches: NMSGDD3A or later NMS patch (NMSGDD3A is GR) NMCGDD2A or later NMC patch (NMCGDM5A is GR)
    http://itrc.hp.com


HP MPE/iX 7.0
  • HP SNMGDM1A
    This patch is dependent on the following patches: NMSGDD6A or later NMS patch (NMSGDD6A is GR) NMCGDD5A or later NMC patch (NMCGDD5A is GR)
    http://itrc.hp.com
