SNMP Questions


Post by Mike Wit » Fri, 22 Mar 2002 04:48:32



This is in regard to the recent SNMP vulnerabilities mentioned
in: http://www.cert.org/advisories/CA-2002-03.html

I've updated all my Linux systems with ucd-snmp-4.2.3-1.7.2.3
which is supposed to explicitly fix the problems found. But,
I have some "other" systems which I haven't been able to find
updates for (yet.)  Most of these systems are set up only to
process requests (read only) from one or two specific managers.

Could someone who knows more about this comment on whether or
not controlling the "authorized" managers provides *any* protection
whatever from the vulnerabilities found (mainly the buffer overflow
problem.)

I guess this basically amounts to asking whether the buffer overflow
problems found happen before or after the logic that screens for
"authorized" managers. I realize that this depends on the specific
code, but as most of these are all ports of the same few SNMP
implementations I thought that some knowledgeable person might
be able to make some generic comments.

2nd question: I have a computer running Microsoft Windows 2001 on
which I'd like to put an SNMP agent that is capable of reporting on the
interface statistics for the Ethernet (an Intel Pro/100 VE card if that
matters)

I'm not at all familiar with SNMP Agents (or much else) on Microsoft
Windows platforms. Can anyone recommend a good implementation, which
hopefully addresses the recent SNMP vulnerabilities, and has the
ability to control which managers can query?

Thanks!

-Mike

 
 
 


Post by TutaePak » Fri, 22 Mar 2002 05:50:33



> This is in regard to the recent SNMP vulnerabilities mentioned
> in: http://www.cert.org/advisories/CA-2002-03.html

> I've updated all my Linux systems with ucd-snmp-4.2.3-1.7.2.3
> which is supposed to explicitly fix the problems found. But,
> I have some "other" systems which I haven't been able to find
> updates for (yet.)  Most of these systems are set up only to
> process requests (read only) from one or two specific managers.

> Could someone who knows more about this comment on whether or
> not controlling the "authorized" managers provides *any* protection
> whatever from the vulnerabilities found (mainly the buffer overflow
> problem.)

> I guess this basically amounts to asking whether the buffer overflow
> problems found happen before or after the logic that screens for
> "authorized" managers. I realize that this depends on the specific
> code, but as most of these are all ports of the same few SNMP
> implementations I thought that some knowledgeable person might
> be able to make some generic comments.

> 2nd question: I have a computer running Microsoft Windows 2001 on
> which I'd like to put an SNMP agent that is capable of reporting on the
> interface statistics for the Ethernet (an Intel Pro/100 VE card if that
> matters)

> I'm not at all familiar with SNMP Agents (or much else) on Microsoft
> Windows platforms. Can anyone recommend a good implementation, which
> hopefully addresses the recent SNMP vulnerabilities, and has the
> ability to control which managers can query?

> Thanks!

> -Mike

Really, the only advantage using an authorised manager list gives you is
that you force the attacker to work out a valid address before you can be
exploited. Once a valid address is harvested, an exploit can be sent using
that address. The exploit code could buffer-overflow, and the attached code
could initiate an outbound email or connection... uh-oh!
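
Added example, not part of either post and not code from any SNMP agent: the SNMPv1 community string sits inside the BER-encoded message, so the only screen an agent can apply before its decoder runs is the datagram's source address, which UDP does not authenticate. The sketch shows that order of checks with a length-bounded decode; `COMMUNITY_MAX`, `snmp_community`, `accept_request` and the sample packet are names and data constructed for this illustration.

```c
#include <stdint.h>
#include <string.h>
#define COMMUNITY_MAX 32  /* assumed local limit for this sketch */
/* Constructed sample: SNMPv1 GetRequest for sysDescr.0, community "public". */
static const uint8_t sample_get[] = {
    0x30,0x26, 0x02,0x01,0x00, 0x04,0x06,'p','u','b','l','i','c', 0xa0,0x19,
    0x02,0x01,0x01, 0x02,0x01,0x00, 0x02,0x01,0x00, 0x30,0x0e, 0x30,0x0c,
    0x06,0x08,0x2b,0x06,0x01,0x02,0x01,0x01,0x01,0x00, 0x05,0x00 };

/* Read a BER tag+length at *pos; -1 if it would run past the datagram end. */
static long ber_header(const uint8_t *b, size_t len, size_t *pos, uint8_t tag)
{
    size_t p = *pos, n;
    if (p > len || len - p < 2 || b[p] != tag) return -1;
    n = b[p + 1];
    p += 2;
    if (n & 0x80) {                     /* long form: low bits count length octets */
        unsigned cnt = n & 0x7f;
        if (cnt == 0 || cnt > 2 || len - p < cnt) return -1;
        for (n = 0; cnt--; ) n = (n << 8) | b[p++];
    }
    if (n > len - p) return -1;         /* claimed length exceeds what was received */
    *pos = p;
    return (long)n;
}

/* Copy the community into out; return its length, or -1 if malformed or too long. */
long snmp_community(const uint8_t *pkt, size_t len, char out[COMMUNITY_MAX])
{
    size_t pos = 0;
    long n = ber_header(pkt, len, &pos, 0x30);                  /* outer SEQUENCE */
    if (n < 0 || (n = ber_header(pkt, len, &pos, 0x02)) < 1) return -1; /* version */
    pos += (size_t)n;
    n = ber_header(pkt, len, &pos, 0x04);                       /* community OCTET STRING */
    if (n < 0 || n > COMMUNITY_MAX) return -1;                  /* bound checked before the copy */
    memcpy(out, pkt + pos, (size_t)n);
    return n;
}

/* Per-datagram order: source filter, then bounded decode, then community match. */
int accept_request(uint32_t src, const uint8_t *pkt, size_t len,
                   const uint32_t *mgr, size_t nmgr, const char *want)
{
    char c[COMMUNITY_MAX];
    size_t i = 0;
    while (i < nmgr && mgr[i] != src) i++;
    if (i == nmgr) return 0;            /* address filter only; not authentication */
    long n = snmp_community(pkt, len, c);
    return n >= 0 && (size_t)n == strlen(want) && memcmp(c, want, (size_t)n) == 0;
}
```

Everything after the source-address line handles bytes chosen by the sender, which is why the decoder's own bounds checks, not the manager list, decide whether a malformed request is harmless.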

 
 
 


Post by Mike Wit » Fri, 22 Mar 2002 09:31:44



> 2nd question: I have a computer running Microsoft Windows 2001 on
> which I'd like to put an SNMP agent that is capable of reporting on the
> interface statistics for the Ethernet (an Intel Pro/100 VE card if that
> matters)

Okay, I'm an idiot. I guess Microsoft doesn't exactly do things the
way I'm used to. I thought because I searched the Microsoft site and
didn't find any reference to the CERT advisory it meant that they
didn't have an update for their SNMP agent. But after a little
research it turns out that they just have their own "tracking system"
as it were, and you kind of have to find their update by doing
this "Windows Update" thing from the system in question. Anyway,
never mind "2nd question".

-Mike

 
 
 
