From xforce@iss.net Thu Apr 4 23:12:53 2002 From: X-Force To: vulnwatch@vulnwatch.org Date: Wed, 3 Apr 2002 16:01:11 -0500 (EST) Subject: [VulnWatch] ISS Advisory: Remote Buffer Overflow Vulnerability in IRIX SNMP Daemon -----BEGIN PGP SIGNED MESSAGE----- Internet Security Systems Security Advisory April 3, 2002 Remote Buffer Overflow Vulnerability in IRIX SNMP Daemon Synopsis: Internet Security Systems (ISS) X-Force has discovered a buffer overflow in the SNMP (Simple Network Management Protocol) daemon in the SGI IRIX operating system. The SNMP daemon, or snmpd executable, runs with superuser privilege. The buffer overflow vulnerability in snmpd may allow remote attackers to execute arbitrary commands on a target system with elevated privileges. Affected Versions: SGI IRIX 6.5-6.5.15m and 6.5.15f Note: Versions prior to version 6.5 may be vulnerable, but these versions are no longer supported by SGI. Description: SNMP is a widely used protocol used to remotely manage computers, networking devices, and applications. Many popular operating systems also contain SNMP functionality so computers can be managed over the network. SNMP is a lightweight, extensible protocol designed to facilitate remote management of devices. Most commonly, SNMP is used to monitor parameters of managed devices, such as determining a device^Òs performance, if it is operational, or the general health of the device. A vulnerability exists in the SGI IRIX implementation of snmpd that may allow remote attackers to submit a specially-crafted SNMP request to cause a buffer overflow fault. This condition may be exploited to execute arbitrary code or commands on the target system. The SNMP daemon is enabled by default on the IRIX operating system and is executed during the start-up sequence by the root user. The SNMP daemon accepts remote queries by default. Recommendations: ISS X-Force encourages affected users to apply vendor-supplied patches immediately. SGI has made patch 4574 available to remove the vulnerability described in this advisory. The SGI Software Product Knowledge Database is available at the following address: http://support.sgi.com/spk/ To limit access to SNMP at the firewall, filter port 1161 and 161 UDP/TCP. Consider disabling the SNMP daemon completely if it is not being used. ISS X-Force will provide specific detection and assessment support for this vulnerability in upcoming X-Press Updates for RealSecure Network Sensor and Internet Scanner. ISS will also provide detection support in an upcoming signature update for BlackICE products. Additional Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2002-0017 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Credits: This vulnerability was discovered and researched by Kris Hunt of the ISS X-Force. ______ About Internet Security Systems (ISS) Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East. Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this document. It is not to be edited or altered in any way without the express written consent of the Internet Security Systems X-Force. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please email xforce@iss.net for permission. Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information. X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at http://www.iss.net/security_center/sensitive.php Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBPKttZzRfJiV99eG9AQF39gQAiybC/P4HpVOmgB1w02h1WdjU2ms1QkNs dzXp5MYJaAt3g9OnvTKSRAc+z0ioNlYA0cFWOnTf9oJgzeOK2nnRaDLdaeheFOMD 3dt6hYCzNRYQtMzOUsxX9DA7EgnwldseVC5vEpAUOrfA9VTDd8BaZxG1Ivrj/bEt AvLsQi0Zg24= =dK28 -----END PGP SIGNATURE-----