Simple Network Management Protocol
Summary
=======
Multiple Cisco products contain either of two authentication
vulnerabilities in the Simple Network Management Protocol version 3
(SNMPv3) feature. These vulnerabilities can be exploited when
processing a malformed SNMPv3 message. These vulnerabilities could
allow the disclosure of network information or may enable an attacker
to perform configuration changes to vulnerable devices. The SNMP
server is an optional service that is disabled by default in Cisco
Cisco Security Advisory: Hard-Coded SNMP Community Names in Cisco
Industrial Ethernet 3000 Series Switches Vulnerability
Advisory ID: cisco-sa-20100707-snmp
Revision 1.0
Cisco Unified Communications Manager services are affected:
* Certificate Trust List (CTL) Provider
* Certificate Authority Proxy Function (CAPF)
* Session Initiation Protocol (SIP)
* Simple Network Management Protocol (SNMP) Trap
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of these
vulnerabilities are available.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02735590
Version: 3
HPSBMA02661 SSRT100408 rev.3 - HP SNMP Agents Running on Linux and HP Insight Management Agents Running on Windows, Remote Cross Site Scripting (XSS), URL Redirection, Information Disclosure
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-04-19
Last Updated: 2011-05-11
Summary
=======
Cisco uBR10012 series devices automatically enable Simple Network
Management Protocol (SNMP) read/write access to the device if
configured for linecard redundancy. This can be exploited by an
attacker to gain complete control of the device. Only Cisco uBR10012
series devices that are configured for linecard redundancy are
affected.
SNMP Injection: Achieving Persistent HTML Injection via SNMP on Embedded
Devices
Introduction
In our earlier "ZyXEL Gateways Vulnerability Research" paper[1], we
introduced a new technique: SNMP injection a.k.a. persistent HTML
That's a good question, and here is my answer from the draft version of
an upcoming paper I'm working on:
"
Gaining SNMP write access to a device is already a compromise on its own
and usually considered a potential high risk security issue. Therefore,
one could argue that there is no point in launching a SNMP injection
attack when we can already change system settings via the SNMP write
community string. You might be wondering: why bother injecting a
HTML/JavaScript payload on the web console through SNMP when I can
PR08-24: Proxim Tsunami MP.11 2411 vulnerable to SNMP Injection
Vulnerability found: 2 May 2008
Vendor informed: 2 May 2008, 1st August 2008
Vulnerability fixed: no response was received from the vendor. A
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02757867
Version: 1
HPSBMA02647 SSRT100383 rev.1 - HP Discovery & Dependency Mapping Inventory (DDMI) Running on Windows, Insecure SNMP Configuration
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-03-21
Last Updated: 2011-03-21
| | All versions | All versions |
| Crafted SSH Packet Vulnerability | prior to A3 | prior to A2 |
| | (2.1) | (1.3) |
|-------------------------------------+--------------+--------------|
| Crafted Simple Network Management | All versions | All versions |
| Protocol version 2 (SNMPv2) Packet | prior to A3 | prior to A2 |
| Vulnerability | (2.1) | (1.3) |
|-------------------------------------+--------------+--------------|
| | All versions | All versions |
| Crafted SNMPv3 Packet Vulnerability | prior to A1 | prior to A2 |
| | (8.0) | (1.2) |
Dear all,
after informing Netgear about the unsafe handling of passwords on their WG102 Access Points nothing happened for several weeks. To inform other users about the potential threat to their networks I decided to share my findings.
WG102 offers the typical SNMP write & SNMP read community password 'protection'. SNMPv2 is already known for weak security, yet NETGEAR goes one step further:
the SNMP write community (password) is accessible in cleartext via the MIB which is readable via the SNMP read community.
Affected Versions:
- Netgear WG102
PR07-40: Authentication Bypass, Passwords Leakage and SNMP Injection on
3Com AP 8760
Vulnerability Found: 6th November 2007
Vendor Informed: 2nd May 2008
Date Public: 14th November 2008
Severity: Medium
======================================================================
Secunia Research 20/10/2008
- HP SiteScope SNMP Trap Script Insertion -
======================================================================
Table of Contents
Affected Software
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Net-SNMP: Multiple vulnerabilities
Date: August 06, 2008
Bugs: #222265, #225105
ID: 200808-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
identify and detect a hung, extended, or indefinite TCP connection
that is caused by this vulnerability. The policy allows
administrators to monitor TCP connections on a Cisco IOS device. When
Cisco IOS EEM detects potential exploitation of this vulnerability,
the policy can trigger a response by sending a syslog message or a
Simple Network Management Protocol (SNMP) trap to clear the TCP
connection. The example policy provided in this document is based on
a Tcl script that monitors and parses the output from two commands at
defined intervals, produces a syslog message when the monitor
threshold reaches its configured value, and can reset the TCP
connection.
Hi,
> WG102 offers the typical SNMP write & SNMP read community password 'protection'.
SNMP communities are a safety, not a security measure. I know of very few
SNMP implementations that have protections against brute force or
dictionary attacks.
> Proposed fixes:
> do not enable SNMP at all. vendor fix required.
Description
===========
Wei Wang (McAfee AVERT Research) discovered an integer underflow in the
asn1_get_string() function of the SNMP backend, leading to a
stack-based buffer overflow when handling SNMP responses
(CVE-2007-5849). Elias Pipping (Gentoo) discovered that the alternate
pdftops filter creates temporary files with predictable file names when
reading from standard input (CVE-2007-6358). Furthermore, the
resolution of a Denial of Service vulnerability covered in GLSA
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
b. Updated Service Console package net-snmp
Net-SNMP is an implementation of the Simple Network Management
Protocol (SNMP). SNMP is used by network management systems to
monitor hosts.
A denial-of-service flaw was found in the way Net-SNMP processes
SNMP GETBULK requests. A remote attacker who issued a specially-
crafted request could cause the snmpd server to crash.
Aruba Mobility Controller SNMP Community String Disclosure
Product:
Aruba Mobility Controller
http://www.arubanetworks.com/products/mobility_controllers.php
Aruba mobility controller can be monitored via SNMP. It is possible to learn all configured SNMP community strings as long as at least one of them is known to the attacker. This can be accomplished by walking OID branch SNMP-COMMUNITY-MIB::snmpCommunityName (1.3.6.1.6.3.18.1.1.1.2) or SNMP-VIEW-BASED-ACM-MIB::vacmGroupName (1.3.6.1.6.3.16.1.2.1.3).
Wireshark 1.4.0 Malformed SNMP V1 Packet Denial of Service
------------------------------------------------------------------
I. Summary
A flaw has been identified in Wireshark 1.4.0 concerning the ASN.1/BER dissector that will cause a denial of service (stack overflow and null pointer dereference in exception handling code).
------------------------------------------------------------------
II. Description
===========================================================
Ubuntu Security Notice USN-685-1 December 03, 2008
net-snmp vulnerabilities
CVE-2008-0960, CVE-2008-2292, CVE-2008-4309
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 7.10
Cisco IOS SNMP Message Processing Denial Of Service Vulnerability
------------------------------------------------------------------
I. Summary
Cisco Internetwork Operating System (IOS) 15.0 attempts to process SNMP solicited operations on improper ports (UDP 161,162), which allows remote attackers to cause a denial of service when SNMP is disabled.
------------------------------------------------------------------
II. Description
Debian-specific: no
CVE Id(s) : CVE-2008-0960 CVE-2008-2292 CVE-2008-4309
Debian Bugs : 485945 482333 504150
Several vulnerabilities have been discovered in NET SNMP, a suite of
Simple Network Management Protocol applications. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2008-0960
Wes Hardaker reported that the SNMPv3 HMAC verification relies on
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01757418
Version: 2
HPSBMA02439 SSRT080082 rev.2 - HP OpenView SNMP Emanate Master Agent Running on HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-06-15
Last Updated: 2010-06-22
It is possible to detect blocked interface queues with a Cisco IOS
Embedded Event Manager (EEM) policy. EEM provides event detection and
reaction capabilities on a Cisco IOS device. EEM can alert
administrators of blocked interfaces with email, a syslog message, or
a Simple Network Management Protocol (SNMP) trap.
A sample EEM policy that uses syslog to alert administrators of
blocked interfaces is available at Cisco Beyond, an online community
dedicated to EEM. A sample script is available at the following link:
1. General information
PRTG Traffic Grapher is a network monitoring solution, which helps
manage and classify bandwidth usage of a network by providing accurate
results about network traffic and usage trends in graphs and tables. The
software also supports SNMP (Simple Network Management Protocol). PRTG
Traffic Grapher is available at http://www.paessler.com.
In April 2009, Bkis discovered a vulnerability in PRTG Traffic Grapher.
A hacker might exploit this hole to insert malicious code into links to
be executed in the users' browsers, resulting in the loss of cookies,
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01757418
Version: 3
HPSBMA02439 SSRT080082 rev.3 - HP OpenView SNMP Emanate Master Agent Running on HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-06-15
Last Updated: 2010-07-14
Dear lee.e.rian@census.gov,
Why do you think you can't do it with SNMP? Examples are setting the DNS
server option via DHCP (or DNS domain name for proxy server
autodiscovery protocol) or even configuring a VPN tunnel for all
traffic. I'm not sure about Tsunami, for Orinoco these settings are
read/write:
http://support.ipmonitor.com/mibs/ORINOCO-MIB/oids.aspx
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01754877
Version: 1
HPSBMA02430 SSRT080094 rev.1 - HP OpenView Network Node Manager (OV NNM) Running SNMP and MIB, Remote Execution of Arbitrary Code, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-06-09
Last Updated: 2009-06-09