ISS Advisory: Remote Buffer Overflow Vulnerability in IRIX SNMP Daemon

[X-Force <xforce () iss net>]

-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Advisory
April 3, 2002

Remote Buffer Overflow Vulnerability in IRIX SNMP Daemon

Synopsis:

Internet Security Systems (ISS) X-Force has discovered a buffer overflow
in the SNMP (Simple Network Management Protocol) daemon in the SGI IRIX
operating system. The SNMP daemon, or snmpd executable, runs with
superuser privilege. The buffer overflow vulnerability in snmpd may
allow remote attackers to execute arbitrary commands on a target system
with elevated privileges.

Affected Versions:

SGI IRIX 6.5-6.5.15m and 6.5.15f

Note: Versions prior to version 6.5 may be vulnerable, but these
versions are no longer supported by SGI.

Description:

SNMP is a widely used protocol used to remotely manage computers,
networking devices, and applications. Many popular operating systems
also contain SNMP functionality so computers can be managed over the
network. SNMP is a lightweight, extensible protocol designed to
facilitate remote management of devices. Most commonly, SNMP is used to
monitor parameters of managed devices, such as determining a device’s
performance, if it is operational, or the general health of the device.

A vulnerability exists in the SGI IRIX implementation of snmpd that may
allow remote attackers to submit a specially-crafted SNMP request to
cause a buffer overflow fault. This condition may be exploited to
execute arbitrary code or commands on the target system.

The SNMP daemon is enabled by default on the IRIX operating system and
is executed during the start-up sequence by the root user. The SNMP
daemon accepts remote queries by default.

Recommendations:

ISS X-Force encourages affected users to apply vendor-supplied patches
immediately. SGI has made patch 4574 available to remove the
vulnerability described in this advisory. The SGI Software Product
Knowledge Database is available at the following address:
http://support.sgi.com/spk/

To limit access to SNMP at the firewall, filter port 1161 and 161
UDP/TCP. Consider disabling the SNMP daemon completely if it is not
being used.

ISS X-Force will provide specific detection and assessment support for
this vulnerability in upcoming X-Press Updates for RealSecure Network
Sensor and Internet Scanner. ISS will also provide detection support in
an upcoming signature update for BlackICE products.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2002-0017 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

Credits:

This vulnerability was discovered and researched by Kris Hunt of the ISS
X-Force.


______

About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email xforce () iss net for
permission.

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force
xforce () iss net of Internet Security Systems, Inc.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPKttZzRfJiV99eG9AQF39gQAiybC/P4HpVOmgB1w02h1WdjU2ms1QkNs
dzXp5MYJaAt3g9OnvTKSRAc+z0ioNlYA0cFWOnTf9oJgzeOK2nnRaDLdaeheFOMD
3dt6hYCzNRYQtMzOUsxX9DA7EgnwldseVC5vEpAUOrfA9VTDd8BaZxG1Ivrj/bEt
AvLsQi0Zg24=
=dK28
-----END PGP SIGNATURE-----