Bugtraq mailing list archives
Re: AIX SNMP Defaults
From: troy () AUSTIN IBM COM (Troy Bollinger)
Date: Mon, 21 Feb 2000 16:14:42 -0600
Quoting Michal Zalewski (lcamtuf () DIONE IDS PL):
> On Tue, 15 Feb 2000, harikiri wrote:
>
> > It appears that on the above releases of AIX, the SNMP daemon is enabled by default and two community names are enabled with read/write privileges. The community names are "private" and "system", but are only allowed from localhost connections. Nevertheless, a local user may install an SNMP client, and modify sensitive variables.
>
> SNMP requests with no authentication except for source-IP comparison, are spoofable.

All recent versions of AIX discard packets with a source address of loopback when the packet comes in on an external interface. The following APARs have been available for over 2 years:

Abstract: SECURITY: discard loopback packets on external interfaces
4.1.x APAR: IX71366
4.2.x APAR: IX71405
4.3.x APAR: included in 4.3.0 initial release

--
Troy Bollinger troy () austin ibm com
AIX Security Development security-alert () austin ibm com
PGP keyid: 1024/0xB7783129 Troy's opinions are not IBM policy
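
The ingress rule described in the message above, sketched as an added example; this is not AIX source code and not part of the original post. The function names, verdict values and the sample headers (documentation-range addresses) are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdicts of the hypothetical ingress check (names are assumptions). */
enum verdict { ACCEPT = 0, DROP_MALFORMED = 1, DROP_LOOPBACK_SRC = 2 };

/* True for any address in 127.0.0.0/8 (host byte order). */
static int is_loopback(uint32_t addr) { return (addr >> 24) == 127; }

/* Decide whether an IPv4 packet may pass, given whether it arrived on the
 * loopback interface. Only the IPv4 header is inspected. */
enum verdict ingress_check(const uint8_t *pkt, size_t len, int on_loopback_if)
{
    if (pkt == NULL || len < 20) return DROP_MALFORMED;   /* truncated */
    if ((pkt[0] >> 4) != 4) return DROP_MALFORMED;        /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;             /* header length */
    if (ihl < 20 || ihl > len) return DROP_MALFORMED;
    uint32_t src = ((uint32_t)pkt[12] << 24) | ((uint32_t)pkt[13] << 16) |
                   ((uint32_t)pkt[14] << 8) | (uint32_t)pkt[15];
    /* A loopback source is only legitimate on the loopback interface. */
    if (is_loopback(src) && !on_loopback_if) return DROP_LOOPBACK_SRC;
    return ACCEPT;
}

/* Constructed sample header: IPv4, IHL 5, UDP, destination 192.0.2.10. */
static void make_hdr(uint8_t h[20], uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    for (int i = 0; i < 20; i++) h[i] = 0;
    h[0] = 0x45; h[3] = 20; h[8] = 64; h[9] = 17;
    h[12] = a; h[13] = b; h[14] = c; h[15] = d;
    h[16] = 192; h[17] = 0; h[18] = 2; h[19] = 10;
}

/* Build a sample header with source a.b.c.d and return the verdict. */
int verdict_for(uint8_t a, uint8_t b, uint8_t c, uint8_t d, int on_lo)
{
    uint8_t h[20];
    make_hdr(h, a, b, c, d);
    return ingress_check(h, sizeof h, on_lo);
}

int main(void)
{
    printf("127.0.0.1 on external if:    %d\n", verdict_for(127, 0, 0, 1, 0));
    printf("127.0.0.1 on loopback if:    %d\n", verdict_for(127, 0, 0, 1, 1));
    printf("198.51.100.7 on external if: %d\n", verdict_for(198, 51, 100, 7, 0));
    return 0;
}
```

With this rule in place, a daemon ACL that only admits localhost is evaluated solely against packets that actually arrived on the loopback interface.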