Multiple Vulnerabilities in SNMPv1 Request Handling in Multiple Vendors' SNMP Implementations

Vulnerability Details

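Vulnerability Summary

SNMP requests are messages that a management system sends to an agent system. They typically query the agent for current performance and configuration information, request the next SNMP object in the Management Information Base (MIB), or modify the agent's configuration.
Multiple vulnerabilities have been found in many SNMP implementations. They occur in the code that decodes and interprets SNMP messages.
The c06-SNMPv1 test tool developed by the PROTOS group has uncovered a large number of security problems in the way many vendors' SNMP implementations handle SNMP requests. An attacker may be able to use GetRequest, GetNextRequest and SetRequest commands to crash a remote SNMP server or even execute arbitrary code with the privileges of the SNMP server. The degree of impact differs from one affected product to another.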
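
A decoder that receives such requests has to check every type and length field before using it. The following C code is an added example, not taken from the advisory or from any vendor's agent: it validates the outer SNMPv1 message framing (RFC 1157) and checks each declared length against its enclosing buffer. All function names, error codes and the sample packet are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <string.h>

/* Error codes; every name in this block is an assumption of the example. */
enum { SNMP_TRUNCATED = -1, SNMP_BAD_LENGTH = -2, SNMP_BAD_TAG = -3, SNMP_BAD_VERSION = -4 };

/* Read a BER tag and length at buf[*pos]; on success the value fits in buf[*pos..end). */
static int ber_header(const uint8_t *buf, size_t end, size_t *pos, uint8_t *tag, size_t *len) {
    if (end - *pos < 2) return SNMP_TRUNCATED;
    *tag = buf[(*pos)++];
    *len = buf[(*pos)++];
    if (*len & 0x80) {                                /* long form: low 7 bits count length octets */
        size_t n = *len & 0x7f;
        if (n == 0 || n > 4) return SNMP_BAD_LENGTH;  /* indefinite form or implausibly wide */
        if (end - *pos < n) return SNMP_TRUNCATED;
        for (*len = 0; n > 0; n--) *len = (*len << 8) | buf[(*pos)++];
    }
    return *len > end - *pos ? SNMP_BAD_LENGTH : 0;   /* value must not overrun its parent */
}

/* Validate SNMPv1 message framing (RFC 1157); returns the PDU tag 0xA0..0xA4 or an error code. */
int snmpv1_check(const uint8_t *pkt, size_t n) {
    size_t pos = 0, len, end; uint8_t tag; int rc;
    if ((rc = ber_header(pkt, n, &pos, &tag, &len)) < 0) return rc;
    if (tag != 0x30) return SNMP_BAD_TAG;             /* Message ::= SEQUENCE */
    end = pos + len;                                  /* children are bounded by the SEQUENCE */
    if ((rc = ber_header(pkt, end, &pos, &tag, &len)) < 0) return rc;
    if (tag != 0x02 || len != 1 || pkt[pos++] != 0) return SNMP_BAD_VERSION; /* must be 02 01 00 */
    if ((rc = ber_header(pkt, end, &pos, &tag, &len)) < 0) return rc;
    if (tag != 0x04) return SNMP_BAD_TAG;             /* community OCTET STRING */
    pos += len;                                       /* safe: len was checked against end */
    if ((rc = ber_header(pkt, end, &pos, &tag, &len)) < 0) return rc;
    if (tag < 0xA0 || tag > 0xA4) return SNMP_BAD_TAG; /* GetRequest .. Trap */
    return pos + len == end ? tag : SNMP_BAD_LENGTH;  /* PDU must fill the message exactly */
}

/* Constructed sample: GetRequest for 1.3.6.1.2.1.1.1.0 with community "public". */
static const uint8_t SAMPLE_GET[] = {
    0x30,0x26, 0x02,0x01,0x00, 0x04,0x06,'p','u','b','l','i','c', 0xa0,0x19,
    0x02,0x01,0x01, 0x02,0x01,0x00, 0x02,0x01,0x00, 0x30,0x0e, 0x30,0x0c,
    0x06,0x08,0x2b,0x06,0x01,0x02,0x01,0x01,0x01,0x00, 0x05,0x00 };

/* Re-validate the sample with one byte replaced, as a malformed request would present. */
int check_mutated(size_t off, uint8_t val) {
    uint8_t copy[sizeof SAMPLE_GET];
    memcpy(copy, SAMPLE_GET, sizeof copy);
    copy[off % sizeof copy] = val;
    return snmpv1_check(copy, sizeof copy);
}

int main(void) { return snmpv1_check(SAMPLE_GET, sizeof SAMPLE_GET) == 0xA0 ? 0 : 1; }
```

The check covers only the message envelope; the request-id, error fields and variable bindings inside the PDU need the same bounded treatment before an agent acts on them.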

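Vulnerability Advisory

Workarounds:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:

* Temporarily disable the SNMP service. If you do not need the SNMP service, disable it immediately.

* Restrict access to the SNMP service ports of the protected network at the border router or firewall.

The ports that usually need to be restricted are: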

snmp 161/udp # Simple Network Management Protocol (SNMP)

snmp 162/udp # SNMP system management messages

On some affected products, the following services also need to be restricted:

snmp 161/tcp # Simple Network Management Protocol (SNMP)

snmp 162/tcp # SNMP system management messages

smux 199/tcp # SNMP Unix Multiplexer

smux 199/udp # SNMP Unix Multiplexer

synoptics-relay 391/tcp # SynOptics SNMP Relay Port

synoptics-relay 391/udp # SynOptics SNMP Relay Port

agentx 705/tcp # AgentX

snmp-tcp-port 1993/tcp # cisco SNMP TCP port

snmp-tcp-port 1993/udp # cisco SNMP TCP port

In addition, some SNMP-related RPC services may also need to be restricted:

snmp 100122 na.snmp snmp-cmc snmp-synoptics snmp-unisys snmp-utk

snmpv2 100138 na.snmpv2 # SNM Version 2.2.2

snmpXdmid 100249

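* Block SNMP access from unauthorized internal hosts.

Because usually only a few management hosts need SNMP access, you can apply access control on the SNMP agent host to reject SNMP requests from unauthorized internal hosts.

* Change the default SNMP community strings.

Changing the default read-only and read-write community strings, such as "public" and "private", prevents some of the attacks. Some attacks, however, do not even need a valid community string.

Vendor patches:
3Com
----
The vendor has released upgrade patches that fix this security issue. Download them from the vendor's site: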

3com PS Hub 40 :

3com Upgrade psh02_16.exe

ftp://ftp.3com.com/pub/superstack-ii/superstack-ii-ps-hub-40/psh02_16.exe

3com PS Hub 50 :

3com Upgrade psf02_16.exe

ftp://ftp.3com.com/pub/superstack-ii/superstack-ii-ps-hub-50/psf02_16.exe

3com Dual Speed Hub :

3com Upgrade dsh02_16.exe

ftp://ftp.3com.com/pub/superstack-ii/superstack-ii-hub-500/dsh02_16.exe

3com Switch 1100 :

3com Upgrade s2s02_68.exe

ftp://ftp.3com.com/pub/superstack-ii/superstack-ii-1100/s2s02_68.exe

3com Switch 4400 :

3com Upgrade s3m02_02.exe

ftp://ftp.3com.com/pub/superstack_3/switch_4400/s3m02_02.exe

3com Switch 4900 :

3com Upgrade s3g02_04.exe

http://www.3com.com/en_US/layer3/register.html

3com Switch 3300 :

3com Upgrade s2s02_68.exe

ftp://ftp.3com.com/pub/superstack-ii/superstack-ii-1100/s2s02_68.exe

3com WebCache 1000 :

3com Upgrade s3b_02_00.bin

ftp://ftp.3com.com/pub/webcache/agents/s3b_02_00.bin

3com WebCache 3000 :

3com Upgrade s3b_02_00.bin

ftp://ftp.3com.com/pub/webcache/agents/s3b_02_00.bin

Caldera
-------
Caldera has published a security advisory (CSSA-2002-SCO.4) and corresponding patches for this issue:

CSSA-2002-SCO.4: Open UNIX, UnixWare 7: snmpd memory fault

Link: ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.4

Patch downloads:

Caldera UnixWare 7:

Caldera OpenServer 5.0:

Caldera UnixWare 7.1.0:

Caldera Patch erg711937c.Z

ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.4/erg711937c.Z

Caldera UnixWare 7.1.1:

Caldera Patch erg711937b.Z

ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.4/erg711937b.Z

Caldera OpenUnix 8.0:

Caldera Patch erg711937.Z

ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.4/erg711937.Z

Cisco
-----
Cisco has published a security advisory (Cisco-malformed-snmp-msgs-pub) and corresponding patches for this issue:

Cisco-malformed-snmp-msgs-pub: Malformed SNMP Message-Handling Vulnerabilities

Link: http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml

Debian
------
Debian has published a security advisory (DSA-111-1) and corresponding patches for this issue:

DSA-111-1: Multiple SNMP vulnerabilities

Link: http://www.debian.org/security/2002/dsa-111

Patch downloads:

Debian Upgrade libsnmp4.1-dev_4.1.1-2.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/libsnmp4.1-dev_4.1.1-2.1_alpha.deb

Debian Upgrade libsnmp4.1_4.1.1-2.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/libsnmp4.1_4.1.1-2.1_alpha.deb

Debian Upgrade snmp_4.1.1-2.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/snmp_4.1.1-2.1_alpha.deb

Debian Upgrade snmpd_4.1.1-2.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/snmpd_4.1.1-2.1_alpha.deb

Debian Upgrade libsnmp4.1-dev_4.1.1-2.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/libsnmp4.1-dev_4.1.1-2.1_arm.deb

Debian Upgrade libsnmp4.1_4.1.1-2.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/libsnmp4.1_4.1.1-2.1_arm.deb

Debian Upgrade snmp_4.1.1-2.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/snmp_4.1.1-2.1_arm.deb

Debian Upgrade snmpd_4.1.1-2.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/snmpd_4.1.1-2.1_arm.deb

Debian Upgrade libsnmp4.1-dev_4.1.1-2.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/libsnmp4.1-dev_4.1.1-2.1_i386.deb

Debian Upgrade libsnmp4.1_4.1.1-2.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/libsnmp4.1_4.1.1-2.1_i386.deb

References

Source: US-CERT Vulnerability Note: VU#854306
Name: VU#854306
Link: http://www.kb.cert.org/vuls/id/854306

Source: CERT/CC Advisory: CA-2002-03
Name: CA-2002-03
Link: http://www.cert.org/advisories/CA-2002-03.html

Source: MS
Name: MS02-006
Link: http://www.microsoft.com/technet/security/bulletin/MS02-006.asp

Source: SUNALERT
Name: 57404
Link: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57404-1

Source: SGI
Name: 20020201-01-A
Link: ftp://patches.sgi.com/support/free/security/advisories/20020201-01-A

Source: REDHAT
Name: RHSA-2001:163
Link: http://www.redhat.com/support/errata/RHSA-2001-163.html

Source: ISS
Name: 20020212 PROTOS Remote SNMP Attack Tool
Link: http://www.iss.net/security_center/alerts/advise110.php

Source: www.ee.oulu.fi
Link: http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html

Source: US Government Resource: oval:org.mitre.oval:def:87
Name: oval:org.mitre.oval:def:87
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:87

Source: US Government Resource: oval:org.mitre.oval:def:298
Name: oval:org.mitre.oval:def:298
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:298
