On Wed, 20 Feb 2002, Wes Hardaker wrote:

> >>>>> On Tue, 19 Feb 2002 09:39:29 +0000, "david evlis reign" <davidreignat_private> said:
>
> david> http://www.phrack.org/show.php?p=50&a=7
>
> david> four years old and you think this is a *new* problem, exploit
> david> code/exploit tools/exploit information has been floating around for
> david> years.
>
> Oh please, that's just describing the vulnerabilities everyone knows
> exists with SNMPv1. Switch to a secure version of the protocol (like it
> even suggests in the document) and everything stated there goes away.
> The document describes none of the problems that everyone is talking
> about this month.

Would not a more secure version of snmp be snmpv2 or snmpv3? If so, then the cert advisory is dealing with snmpv1 from what I read:

...
CERT Advisory CA-2002-03 Multiple Vulnerabilities in Many Implemen (p5 of 120)

Version 1 of the protocol (SNMPv1) defines several types of SNMP messages that are used to request information or configuration changes, respond to requests, enumerate SNMP objects, and send unsolicited alerts. The Oulu University Secure Programming Group (OUSPG, http://www.ee.oulu.fi/research/ouspg/) has reported numerous vulnerabilities in SNMPv1 implementations from many different vendors. More information about SNMP and OUSPG can be found in Appendix C

OUSPG's research focused on the manner in which SNMPv1 agents and managers handle request and trap messages. By applying the PROTOS c06-snmpv1 test suite
...

After all, most vendors still implement snmpv1 for compatibility issues, do they not? Especially those hardcoded implementations such as those coming out on old HP directjet cards and such, yes?

Perhaps I'm as wrong as David in this, and am certainly up to being corrected.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

This archive was generated by hypermail 2b30 : Thu Feb 21 2002 - 16:10:26 PST