VID 20047
Severity 40
Port 161
Protocol UDP
Class SNMP
Detailed Description The HP OpenView EMANATE SNMP Agent uses a predictable default SNMP community string.
The implementation of the HP OpenView EMANATE (Enhanced MANagement Agent Through Extensions) SNMP Agent version 14.2 has a security vulnerability. This vulnerability allows anyone who knows a read-only community string of a host running NNM to easily discover the read-write community strings configured on the host. The read-write community strings can be discovered by performing an SNMP walk starting from .iso.org.dod.internet.snmpV2.snmpModules (.1.3.6.1.6.3). The Emanate SNMP agent version 14.2 implements a MIB branch called communityMIB (.1.3.6.1.6.3.1133), which contains a table called communityTable, whose entries contain a column called communityGroupName (.1.3.6.1.6.3.1133.2.1.3). Retrieving this column returns all the community names configured on the NNM host. A remote attacker could exploit this vulnerability to gain unauthorized SNMP access and possibly crash the affected device.

* References:
http://bizforums.itrc.hp.com/cm/QuestionAnswer/0,,0x1d334b3ef09fd611abdb0090277a778c,00.html

* Platforms Affected:
HP OpenView Emanate SNMP Agent 14.2 HP-UX 10.20, 11.x
HP OpenView Emanate SNMP Agent 14.2 Solaris 2.X
HP OpenView Emanate SNMP Agent 14.2 Windows 2000
HP OpenView Emanate SNMP Agent 14.2 Windows NT
Recommendation Apply the appropriate patch for your system.
hp-ux 11.00, 11.11: PHSS_27850 OV EMANATE14.2 snmpdm - obsolete mib.
hp-ux 11.04: PHSS_28688 (VVOS) OV EMANATE14.2 Agent Consolidated
hp-ux 10.20: PHSS_27849 OV EMANATE14.2 snmpdm - obsolete mib.
Solaris 2.6,7,8: PSOV_03209 OV EMANATE14.2 snmpdm - obsolete mib.
Win NT/2k: NNM_00949 OV EMANATE14.2 snmpdm - obsolete mib.

The patches are available from:
http://support.openview.hp.com/cpe/patches/

-- OR --

Set up a VIEW in snmpd.conf to restrict/deny access to the communityGroup.

The VIEW: qualifier further restricts access using the community name to the subset of the agent's supported MIB identified by the space-separated list of "MIB view sub-trees". A view sub-tree may be either the object identifier (1.3.6.1.2.1.1) or the object name (system) of the MIB sub-tree to be included. The '-' character may be used to exclude an OID/name from the view.
For example, you can resolve this issue by adding a VIEW: qualifier to each line containing a get-community-name. The least restrictive VIEW: qualifier which denies access to the communityTable is:

get-community-name: yyyyyy VIEW: 1.3.6.1 -communityMIB
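
An added example (not part of this advisory or the HP bulletin): a Python check that flags get-community-name lines in snmpd.conf whose view still includes communityMIB. It assumes that '#' starts a comment, that the view list ends at the next token ending in ':', and that an exclusion always wins over an inclusion; only the two object names this page maps to OIDs are resolved, and the sample file is constructed.

```python
# Added example; the parsing rules below are assumptions based on the
# get-community-name / VIEW: syntax shown in the advisory.
COMMUNITY_MIB = (1, 3, 6, 1, 6, 3, 1133)        # communityMIB OID from the advisory
KNOWN_NAMES = {"communityMIB": COMMUNITY_MIB,    # only names the advisory maps to OIDs
               "system": (1, 3, 6, 1, 2, 1, 1)}

def to_oid(token):
    """Resolve a view sub-tree (dotted OID or known name) to a tuple, else None."""
    if token in KNOWN_NAMES:
        return KNOWN_NAMES[token]
    try:
        return tuple(int(p) for p in token.strip(".").split("."))
    except ValueError:
        return None  # unknown object name: cannot be evaluated offline

def covers(subtree, oid):
    """True if oid lies at or below subtree."""
    return subtree is not None and oid[:len(subtree)] == subtree

def exposes_community_mib(tokens):
    """True if the tokens of a get-community-name line leave communityMIB readable."""
    if "VIEW:" not in tokens:
        return True  # no VIEW: qualifier, so the whole MIB is visible
    view = []
    for tok in tokens[tokens.index("VIEW:") + 1:]:
        if tok.endswith(":"):
            break  # assumed start of another qualifier
        view.append(tok)
    included = [to_oid(t) for t in view if not t.startswith("-")]
    excluded = [to_oid(t[1:]) for t in view if t.startswith("-")]
    if any(covers(s, COMMUNITY_MIB) for s in excluded):
        return False
    return any(covers(s, COMMUNITY_MIB) for s in included)

def audit(conf_text):
    """Return line numbers of get-community-name entries that expose communityMIB."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if tokens[:1] == ["get-community-name:"] and exposes_community_mib(tokens):
            findings.append(n)  # report the line, not the community string
    return findings

# Constructed sample snmpd.conf; community names are placeholders.
SAMPLE = """get-community-name: aaaaaa
get-community-name: bbbbbb VIEW: 1.3.6.1 -communityMIB
get-community-name: cccccc VIEW: 1.3.6.1 -1.3.6.1.6.3.1133
get-community-name: dddddd VIEW: system
get-community-name: eeeeee VIEW: 1.3.6.1.6.3
"""
```

Running audit() on the sample flags lines 1 and 5: the first has no VIEW: qualifier, and the last includes the snmpModules subtree without excluding communityMIB.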

Hewlett-Packard Company Security Bulletin HPSBUX0208-208 includes details about the vulnerabilities and patches. This document is available at:
http://www.securityfocus.com/advisories/4360
Related URL CVE-2002-1408 (CVE)
Related URL 5428 (SecurityFocus)
Related URL 9814 (ISS)