Re: [sans@sans.org: SANS FLASH ALERT: Widespread SNMP Vulnerability]

Hi Ray,

We use dbsnmp on the production server. How it will affect us? Our system people sent us the same article to us and very concerned the security.

Joan

Ray Stell wrote:
>
> Oracle does not seem to be listed, but you got to wonder what code
> they based their snmp stuff on. You may want to nudge you sysadmin
> in the ribs, also.
>
> ----- Forwarded message from The SANS Institute <sans_at_sans.org> -----
>
> Date: Tue, 12 Feb 2002 12:30:06 -0700 (MST)
> To: Ray Stell <stellr_at_vt.edu>(SD569668)
>
> SANS FLASH ALERT: Widespread SNMP Vulnerability
> 1:30 PM EST 12 February, 2002
>
> To: Ray Stell (SD569668)
>
> Note: This is preliminary data! If you have additional information,
> please send it to us at snmp_at_sans.org
>
> In a few minutes wire services and other news sources will begin
> breaking a story about widespread vulnerabilities in SNMP (Simple
> Network Management Protocol). Exploits of the vulnerability cause
> systems to fail or to be taken over. The vulnerability can be found in
> more than a hundred manufacturers' systems and is very widespread -
> millions of routers and other systems are involved.
>
> As one of the SANS alumni, your leadership is needed in making sure that
> all systems for which you have any responsibility are protected. To do
> that, first ensure that SNMP is turned off. If you absolutely must run
> SNMP, get the patch from your hardware or software vendor. They are all
> working on patches right now. It also makes sense for you to filter
> traffic destined for SNMP ports (assuming the system doing the filtering
> is patched).
>
> To block SNMP access, block traffic to ports 161 and 162 for tcp and
> udp. In addition, if you are using Cisco, block udp for port 1993.
>
> The problems were caused by programming errors that have been in the
> SNMP implementations for a long time, but only recently discovered.
>
> CERT/CC is taking the lead on the process of getting the vendors to get
> their patches out. Additional information is posted at
> http://www.cert.org/advisories/CA-2002-03.html
>
> A final note.
>
> Turning off SNMP was one of the strong recommendations in the Top 20
> Internet Security Threats that the FBI's NIPC and SANS and the Federal
> CIO Council issued on October 1, 2001. If you didn't take that action
> then, now might be a good time to correct the rest of the top 20 as well
> as the SNMP problem. The Top 20 document is posted at
> http://www.sans.org/top20.htm
>
> ----- End forwarded message -----
>
> --
> ===============================================================
> Ray Stell stellr_at_vt.edu (540) 231-4109 KE4TJC 28^D
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author: Ray Stell
> INET: stellr_at_cns.vt.edu
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Joan Hsieh
  INET: joan.hsieh_at_tufts.edu

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).