CRIME Counterpane Internet Security Vulnerability Alert: Root Compromise Vulnerabilities found in Solaris SNMP components

From: brvarin@private
Date: Fri Jun 07 2002 - 08:26:27 PDT

  • Next message: Mitch Fong: "CRIME Kayak rental info."

    Counterpane Internet Security Vulnerability Alert
    Root Compromise Vulnerabilities found in Solaris SNMP components
    
    Summary
    
    Newly-discovered vulnerabilities in two components of Sun Solaris' SNMP
    implementation permit local and remote root compromise [1].  Solaris
    systems
    running the Sun Solstice Enterprise Master Agent (snmpdx) and the Sun SNMP
    agent (mibiisa), which are parts of the default OS installation, are
    vulnerable.   Patches are available through
    http://www.sunsolve.com/securitypatch: Solaris 8, Patch ID 108869-16;
    Solaris 8_x86, 108870-16; Solaris 7, 107709-19; Solaris 7_x86, 107710_19;
    Solaris 2.6, 106787-18; Solaris 2.6_x86, 106872-18.
    
    Technical Details
    
    Sinan Eren, a member of Entercept Security Technology's Ricochet Team,
    discovered a buffer overflow in the Solaris SNMP agent and a format string
    vulnerability in the Sun Solstice Enterprise Master Agent [2].  All Solaris
    install levels include this software by default; the applications run with
    root privileges.  The vulnerabilities may be exploited by local or remote
    users to execute arbitrary code on unpatched systems.
    
    These new vulnerabilities are NOT related to the SNMP vulnerabilities
    announced by the University of Oulu's PROTOS team and CERT on February 12,
    2002 ([3] and references therein).
    
    Ricochet has not released proof-of-concept code for the two vulnerabilities
    to anyone other than Sun.  However, since the vulnerability has been made
    public, it is safest to assume that malicious parties can reproduce the
    root
    exploit.
    
    Countermeasures:
    
    - Disable snmpdx and mibiisa if they are not required for your network
    monitoring and management.  These daemons are both started via the script
    /etc/rc3.d/S76snmpdx.  To stop them and prevent them from starting when the
    system reboots:
    
    # /etc/rc3.d/S76snmpdx stop
    # mv /etc/rc3.d/S76snmpdx /etc/rc3.d/do_not_start_S76snmpdx
    
    Be aware that patching your Solaris system may cause the startup script to
    revert to its original name, or something similar, and thereby re-activate
    the non-essential daemons.  In that case you'll need to repeat this
    procedure.
    
    Alternatively, you can remove the offending applications from your system
    altogether using pkgrm(1M).  The list of packages related to the Solaris
    SNMP suite are: SUNWmibii, SUNWsacom, SUNWsadmi, SUNWsadmx, SUNWsasnm, and
    SUNWsasnx.  Another, more conservative option is to rename the binaries and
    remove all read, write and execute permissions, so they are unavailable to
    any user or group. The binaries are located in /usr/lib/snmp.
    
    - Install the appropriate patches (listed in the Summary section) on
    Solaris
    systems required to run snmpdx and mibiisa.
    
    References:
    
    [1] Sun Security Bulletin #219:
    http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/219&typ
    
    e=0&nav=sec.sba
    
    [2] SEA SNMP - Buffer Overflow and Format String Vulnerabilities in Sun
    Solaris: http://www.entercept.com/news/uspr/06-03-02.asp
    
    [3] Multiple SNMP Vulnerabilities:
    http://www.counterpane.com/alert-snmp.html
    



    This archive was generated by hypermail 2b30 : Fri Jun 07 2002 - 09:46:57 PDT