Bugtraq mailing list archives

nCipher Security Advisory #2: SNMP vulnerabilities


From: nCipher Support <support () ncipher com>
Date: Wed, 27 Feb 2002 18:00:21 +0000 (GMT)

SUMMARY
=======

SNMP agents supplied by nCipher, as well as those required to run other
nCipher SNMP support software, could be vulnerable to buffer overflow
attacks including denial of service and privilege elevation.



BACKGROUND
==========

nCipher supplies a range of Hardware Security Modules (HSMs) and a range
of cryptographic accelerators.  These modules have the ability to return
statistics about current operational conditions (running temperature,
free memory, etc.) as well as information about the number of commands
processed and various other parameters.

To facilitate remote monitoring of nCipher-supplied modules, nCipher 
supplies an SNMP agent and SNMP support software that can be installed 
on the host system, if required.  The SNMP agent is able to return 
management information and statistics for all modules connected to that 
server.

The software supplied with the nShield, nForce and some nFast modules
is a self-contained SNMP agent.  The newer nFast 800 range comes with
support software that is installed alongside the standard operating
system SNMP agent.



ISSUE DESCRIPTION
=================

1. Cause
--------

A recent CERT advisory highlighted research by the Oulu University
Secure Programming Group (OUSPG) showing that various vulnerabilities
exist in many SNMP implementations from many different vendors.

The SNMP agent used as the basis for customisation of the nCipher SNMP
agent is the NET-SNMP agent version 4.2.1.  The NET-SNMP programming
group claim that the vulnerabilities are fixed in the current version
(4.2.3, at the time of writing).

An inspection of the code and change log between this version and the
current version at the time of writing (4.2.3) shows that the following
vulnerabilities have been fixed: 

* Buffer overflow in the ASN.1 handling code
* Buffer overflow in the incoming packet handling code
* Various buffer overflows in logging code
* Lack of error checking in the command-line parser that determines
  which user/group the agent runs as
* Various memory leaks in the main agent code.

In addition, the SNMP agents that the nFast 800 support software requires
for correct operation may also be vulnerable to the problems
highlighted by CERT:

* on Linux and Solaris systems the agent used is a pre-packaged version
  of the NET-SNMP agent, which is vulnerable as described above.
* on Windows systems the agent used is the Microsoft SNMP agent.
  Microsoft has released a security advisory of their own highlighting
  the vulnerabilities in their agent and providing a patch.

2. Impact
---------

An attacker who is able to send malformed SNMP packets to an affected
machine may be able to cause a denial-of-service or execute arbitrary
code with the same privileges as the SNMP agent.

In addition, anyone who can alter the SNMP agent startup script on the
server may be able to modify the user that the SNMP agent is running as
and cause a denial-of-service or privilege elevation.  The default
nCipher installation allows only root or local administrator users to
edit the SNMP agent startup script.

Note that these vulnerabilities only affect the host the SNMP agent is
running on, and not the HSM.  The security of the HSM is unaffected.
However, the ability to execute code as a user of the server may enable
greater access to security information than would otherwise be
available.

3. Who May Be Affected
----------------------

This problem affects users: 

* that are using nForce, nShield or nFast modules (excluding the 
  nFast 800) and are running an unpatched version of the nCipher SNMP
  agent

* that are using nFast 800 modules on Linux or Solaris and have
  installed the nCipher SNMP support software alongside a NET-SNMP
  version older than 4.2.2

* that are using nFast 800 modules on Windows and have installed the
  nCipher SNMP support software alongside an unpatched version of the
  Microsoft SNMP agent.

This problem does not affect users:

* that have installed the software from the nCipher CD but not run the
  post-install step to set up the nCipher SNMP agent.  The nCipher SNMP
  agent does not run by default, needing further configuration and
  setup 

* that are using nFast 800 modules and have installed the nCipher SNMP
  support software alongside a new version of the appropriate SNMP
  agent supplied by the OS vendor.

4. How To Tell If You Are Affected
----------------------------------

If you are using an nShield, nForce or nFast module (excluding the nFast
800) and running the nCipher SNMP agent: 

* from the server the agent is running on: type 'snmpd -v'.  If the
  NET-SNMP version number reported is less than 4.2.2, you are
  affected
  
* from a client machine: request the value of the
  enterprises.nCipher.agentVersion.0 node.  If the nCipher version
  number is less than 0.1.39, you are affected.  As an example, you can
  do this with the NET-SNMP command-line tools by running 
  'snmpget <host name> <community string> agentVersion.0'.

If you are using an nFast 800 and running the nCipher SNMP support
software on a Linux or Solaris server:

* from the server the agent is running on: type 'snmpd -v'.  If the
  NET-SNMP version number reported is less than 4.2.2, you are
  affected

* request the version of the UCD-SNMP or NET-SNMP installation from the
  package manager; if you are running a version less than 4.2.2 you are
  affected.

If you are using an nFast 800 and running the nCipher SNMP support
software on a Windows 2000 server:

* If you are running the SNMP agent on Windows 2000 and have not
  installed the patch available from Microsoft Security Bulletin
  MS02-006 you may be vulnerable.
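
The version comparisons above, as an added shell example (not part of
nCipher's advisory or tooling).  It applies the 4.2.2 and 0.1.39 thresholds
stated in this section; the sample 'snmpd -v' and 'snmpget' outputs are
constructed and their exact format is an assumption.

```shell
#!/bin/sh
# Thresholds stated in the advisory.
NETSNMP_FIXED=4.2.2     # NET-SNMP below this is affected
NCIPHER_FIXED=0.1.39    # nCipher agentVersion below this is affected

# version_lt A B: true if dotted version A is numerically lower than B.
# Compares field by field, so 4.2.10 is correctly newer than 4.2.2.
version_lt() {
    _a=$1; _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 1
    done
    return 1
}

# verdict TEXT FIXED: print "affected", "ok" or "unknown" for tool output TEXT.
# Takes the first dotted number, looking only after "=" on snmpget-style lines.
verdict() {
    _v=$(printf '%s\n' "$1" | sed 's/^.*=//' | grep -Eo '[0-9]+(\.[0-9]+)+' | head -n 1)
    if [ -z "$_v" ]; then echo unknown
    elif version_lt "$_v" "$2"; then echo affected
    else echo ok
    fi
}

# Constructed sample outputs (format assumed, not captured from a real host).
SAMPLE_SNMPD='UCD-snmp version:  4.2.1'
SAMPLE_SNMPGET='enterprises.nCipher.agentVersion.0 = "0.1.38"'

echo "snmpd -v sample:        $(verdict "$SAMPLE_SNMPD" "$NETSNMP_FIXED")"
echo "agentVersion.0 sample:  $(verdict "$SAMPLE_SNMPGET" "$NCIPHER_FIXED")"
# On a live host, replace a sample with e.g.: verdict "$(snmpd -v 2>&1)" "$NETSNMP_FIXED"
```

An "unknown" verdict (no version number in the output, for example after a
timeout) should be treated as unverified rather than as unaffected.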



REMEDY
======

1. Users running the nCipher SNMP agent:
----------------------------------------

nCipher has upgraded its SNMP agent to version 4.2.3 of the NET-SNMP
agent, which fixes the vulnerabilities outlined here.

* Obtain the latest version of the SNMP agent for your operating system 
  by following the links on http://www.ncipher.com/support/advisories/ 

* Follow the install instructions supplied in Appendix C of the user
  guide (also available from the above link).  The patch includes a new
  version of the nCipher SNMP component that will install over the top
  of the original.



2. Users running the nCipher SNMP support software (nFast 800 only):
-------------------------------------------------------------------

Customers using the nCipher SNMP support software must ensure that
their operating system has a suitably new version of the SNMP agent
software installed.

If the server is running Linux or Solaris, a release updating the
NET-SNMP software to version 4.2.3 should be available from the vendor.

If the server is running Windows 2000, a patch from Microsoft is
available from
http://www.microsoft.com/technet/security/bulletin/MS02-006.asp.  If you
have not applied this patch, Microsoft advises customers to disable the
SNMP service.



SECURITY USAGE NOTES
====================

We reproduce here some information from the User Guide, concerning
recommended security practices:

The nCipher SNMP Agent enables other computers on the network to
connect to it and make requests for information.

The nCipher agent is based on the NET-SNMP kit, which has been tested
but not fully reviewed by nCipher.

nCipher strongly recommends that the nCipher agent is deployed only on a
private network, or protected from the global Internet by an appropriate
firewall.



SOFTWARE DISTRIBUTION AND REFERENCES
====================================

You can obtain copies of this advisory, patch kits for all nCipher
supported platforms, and supporting documentation, from the nCipher
updates site:

    http://www.ncipher.com/support/advisories/

Further information
-------------------

The CERT advisory on vulnerabilities of multiple implementations of
the SNMP protocol: 
    http://www.cert.org/advisories/CA-2002-03.html

The NET-SNMP project pages:
    http://www.net-snmp.org/

Microsoft Security Bulletin MS02-006, with details of the patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-006.asp 

Solaris Users: Sun Microsystems SunSolve Home Page:
    http://sunsolve.sun.com/ 

General information about nCipher products:
    http://www.ncipher.com/


nCipher Support
---------------

nCipher customers who require support or further information regarding
this problem should contact support () ncipher com.

(c) nCipher Corporation Ltd. 2002

$Id: advisory2.txt,v 1.6 2002/02/26 17:06:44 james Exp $

