Re[2]: [sans@sans.org: SANS FLASH ALERT: Widespread SNMP Vul

2002-02-14 Thread dgoulet

Joan,

The Oracle intelligent agent which uses dbsnmp is not the problem here.  The
real problem is the snmp agent that is running on the computer and owned by
root.  Therefore your SA needs to do something, not you.

Dick Goulet

Reply Separator
Author: Joan Hsieh [EMAIL PROTECTED]
Date:   2/14/2002 7:48 AM

Hi Ray,

We use dbsnmp on the production server. How will it affect us? Our
system people sent us the same article and are very concerned about the
security.

Joan

Ray Stell wrote:
 
 Oracle does not seem to be listed, but you got to wonder what code
 they based their snmp stuff on.  You may want to nudge your sysadmin
 in the ribs, also.
 
 - Forwarded message from The SANS Institute [EMAIL PROTECTED] -
 
 Date: Tue, 12 Feb 2002 12:30:06 -0700 (MST)
 To: Ray Stell [EMAIL PROTECTED](SD569668)
 
 SANS FLASH ALERT: Widespread SNMP Vulnerability
 1:30 PM EST 12 February, 2002
 
 To: Ray Stell (SD569668)
 
 Note: This is preliminary data! If you have additional information,
 please send it to us at [EMAIL PROTECTED]
 
 In a few minutes wire services and other news sources will begin
 breaking a story about widespread vulnerabilities in SNMP (Simple
 Network Management Protocol).  Exploits of the vulnerability cause
 systems to fail or to be taken over.  The vulnerability can be found in
 more than a hundred manufacturers' systems and is very widespread -
 millions of routers and other systems are involved.
 
 As one of the SANS alumni, your leadership is needed in making sure that
 all systems for which you have any responsibility are protected. To do
 that, first ensure that SNMP is turned off. If you absolutely must run
 SNMP, get the patch from your hardware or software vendor. They are all
 working on patches right now. It also makes sense for you to filter
 traffic destined for SNMP ports (assuming the system doing the filtering
 is patched).
 
 To block SNMP access, block traffic to ports 161 and 162 for tcp and
 udp.  In addition, if you are using Cisco, block udp for port 1993.
 
 The problems were caused by programming errors that have been in the
 SNMP implementations for a long time, but only recently discovered.
 
 CERT/CC is taking the lead on the process of getting the vendors to get
 their patches out.  Additional information is posted at
 http://www.cert.org/advisories/CA-2002-03.html
 
 A final note.
 
 Turning off SNMP was one of the strong recommendations in the Top 20
 Internet Security Threats that the FBI's NIPC and SANS and the Federal
 CIO Council issued on October 1, 2001.  If you didn't take that action
 then, now might be a good time to correct the rest of the top 20 as well
 as the SNMP problem.  The Top 20 document is posted at
 http://www.sans.org/top20.htm
 
 - End forwarded message -
 
 --
 ===
 Ray Stell   [EMAIL PROTECTED] (540) 231-4109 KE4TJC28^D
 --
 Please see the official ORACLE-L FAQ: http://www.orafaq.com
 --
 Author: Ray Stell
   INET: [EMAIL PROTECTED]
 
 Fat City Network Services-- (858) 538-5051  FAX: (858) 538-5051
 San Diego, California-- Public Internet access / Mailing Lists
 
 To REMOVE yourself from this mailing list, send an E-Mail message
 to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
 the message BODY, include a line containing: UNSUB ORACLE-L
 (or the name of mailing list you want to be removed from).  You may
 also send the HELP command for other information (like subscribing).

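The SANS alert quoted above says to block tcp and udp ports 161 and 162, plus udp 1993 on Cisco gear. The script below is an added example, not code from anyone in this thread: it checks a packet-filter rule listing for a deny rule on each of those port/protocol pairs and reports the gaps. The one-rule-per-line listing format ("action proto port") and the sample rules are constructed for the example; adapt the parser to whatever your filter prints.

```sh
#!/bin/sh
# Added example (not from the thread): verify that every SNMP port/protocol
# pair named in the SANS alert has a deny rule in a packet-filter listing.
# Listing format assumed here (constructed): one rule per line, "<action> <proto> <port>".

# Pairs the alert says to block: 161 and 162 for tcp and udp, plus udp 1993 (Cisco).
SNMP_PAIRS="tcp:161 udp:161 tcp:162 udp:162 udp:1993"

# Constructed sample listing: this filter forgot udp/162 and udp/1993.
SAMPLE_RULES='deny tcp 161
deny udp 161
deny tcp 162
allow udp 162
allow tcp 22'

# snmp_filter_gaps RULES
#   Prints each proto:port from SNMP_PAIRS that has no "deny" rule in RULES,
#   one per line. Returns 0 when all pairs are covered, 1 when any is missing.
snmp_filter_gaps() {
    rules=$1
    missing=""
    for pair in $SNMP_PAIRS; do
        proto=${pair%%:*}
        port=${pair##*:}
        # Anchored match so "deny udp 16" does not count for port 161.
        if ! printf '%s\n' "$rules" |
             grep -q "^deny[[:space:]]\{1,\}$proto[[:space:]]\{1,\}$port\$"; then
            missing="$missing $pair"
        fi
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' $missing
    return 1
}

# Against the constructed sample this reports udp:162 and udp:1993.
snmp_filter_gaps "$SAMPLE_RULES" || echo "SNMP filter incomplete (see pairs above)"
```
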
Re[2]: [sans@sans.org: SANS FLASH ALERT: Widespread SNMP Vul

2002-02-14 Thread dgoulet

Ray,

No, but I do have an SA who believes that to be true.  I'll try to explain it
as he did.

The DBSNMP agent registers a MIB with the snmp agent.  It is the snmp agent
that has the interface to the world.  As he put it, it's not the back end that
has the problem, but the front end that faces the network, namely the snmp
agent.

As to your nervousness, our facilities folks are using the back of my chair
as a paint shaker.

Dick Goulet

Reply Separator
Author: Ray Stell [EMAIL PROTECTED]
Date:   2/14/2002 12:18 PM



Dick, does this mean that you have firsthand knowledge that
Oracle's snmp code is free from the underlying vulnerabilities?
There was no mention of Oracle in the advisory.  This could mean
that they did not respond or they are not vulnerable.

I posted to the Oracle Networking Technical Forum yesterday on this
issue, but there has been no Oracle Corp response.  You can search
for SNMP to follow their response.

Joan, Dick is certainly correct here with respect to the system snmp
agent.  The sysadmins need to address this by either patching or disabling
snmpd.  However, unless Oracle confirms they did not use the old flawed code,
I don't see any reason to assume their product is not vulnerable.  Until
they do, I will:

1) be nervous, 
2) bug oracle corp, 
3) confirm ip filter rules,
4) study dbsnmp


Re: Re[2]: [sans@sans.org: SANS FLASH ALERT: Widespread SNMP Vul

2002-02-14 Thread Peter . McLarty

As I have done a bit of networking and set up stuff to monitor equipment
with SNMP, I will confirm that SNMP uses a port that the snmpd or
equivalent listens to, and then passes the request to the appropriate
process depending on what is registered with the snmpd. This is usually
done on unix, if I remember, using /etc/.snmp/conf. If really interested,
start looking in man snmpd.

Yes, Oracle itself may not be vulnerable, but depending on the OS and system
patches snmpd on that system may be vulnerable, so if your network engineers
that did your firewalling are less than you hoped for you probably will
have trouble. If your firewall is sound then I can't see this being a
problem. Your biggest worry in any site is the perimeter router, as it
nearly always has SNMP turned on for monitoring purposes and tools such as
HP Openview to manage these, and you will have snmp open over the
firewall between this router and the monitoring station/Openview system.
Good firewall rules should protect you, but that is for your network
engineers to decide.

HTH

Cheers


--
=
Peter McLarty           E-mail: [EMAIL PROTECTED]
Technical Consultant    WWW: http://www.mincom.com
APAC Technical Services Phone: +61 (0)7 3303 3461
Brisbane, Australia     Mobile: +61 (0)402 094 238
                        Facsimile: +61 (0)7 3303 3048
=
A great pleasure in life is doing what people say you cannot do.

- Walter Bagehot (1826-1877 British Economist)
=
Mincom The People, The Experience, The Vision

=