
Re[2]: [sans@sans.org: SANS FLASH ALERT: Widespread SNMP Vul

From: <dgoulet_at_vicr.com>
Date: Thu, 14 Feb 2002 10:03:17 -0800
Message-ID: <F001.00410005.20020214095336@fatcity.com>

Joan,

    The Oracle intelligent agent which uses dbsnmp is not the problem here. The real problem is the snmp agent that is running on the computer and owned by root. Therefore your SA needs to do something, not you.

Dick Goulet

____________________Reply Separator____________________
Author: Joan Hsieh <joan.hsieh_at_tufts.edu>
Date:       2/14/2002 7:48 AM

Hi Ray,

We use dbsnmp on the production server. How will it affect us? Our system people sent us the same article and are very concerned about the security.

Joan

Ray Stell wrote:
>
> Oracle does not seem to be listed, but you got to wonder what code
> they based their snmp stuff on. You may want to nudge your sysadmin
> in the ribs, also.
>
> ----- Forwarded message from The SANS Institute <sans_at_sans.org> -----
>
> Date: Tue, 12 Feb 2002 12:30:06 -0700 (MST)
> To: Ray Stell <stellr_at_vt.edu>(SD569668)
>
> SANS FLASH ALERT: Widespread SNMP Vulnerability
> 1:30 PM EST 12 February, 2002
>
> To: Ray Stell (SD569668)
>
> Note: This is preliminary data! If you have additional information,
> please send it to us at snmp_at_sans.org
>
> In a few minutes wire services and other news sources will begin
> breaking a story about widespread vulnerabilities in SNMP (Simple
> Network Management Protocol). Exploits of the vulnerability cause
> systems to fail or to be taken over. The vulnerability can be found in
> more than a hundred manufacturers' systems and is very widespread -
> millions of routers and other systems are involved.
>
> As one of the SANS alumni, your leadership is needed in making sure that
> all systems for which you have any responsibility are protected. To do
> that, first ensure that SNMP is turned off. If you absolutely must run
> SNMP, get the patch from your hardware or software vendor. They are all
> working on patches right now. It also makes sense for you to filter
> traffic destined for SNMP ports (assuming the system doing the filtering
> is patched).
>
> To block SNMP access, block traffic to ports 161 and 162 for tcp and
> udp. In addition, if you are using Cisco, block udp for port 1993.
>
> The problems were caused by programming errors that have been in the
> SNMP implementations for a long time, but only recently discovered.
>
> CERT/CC is taking the lead on the process of getting the vendors to get
> their patches out. Additional information is posted at
> http://www.cert.org/advisories/CA-2002-03.html
>
> A final note.
>
> Turning off SNMP was one of the strong recommendations in the Top 20
> Internet Security Threats that the FBI's NIPC and SANS and the Federal
> CIO Council issued on October 1, 2001. If you didn't take that action
> then, now might be a good time to correct the rest of the top 20 as well
> as the SNMP problem. The Top 20 document is posted at
> http://www.sans.org/top20.htm
>
> ----- End forwarded message -----
>
> --
> ===============================================================
> Ray Stell stellr_at_vt.edu (540) 231-4109 KE4TJC 28^D
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author: Ray Stell
> INET: stellr_at_cns.vt.edu
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).

Received on Thu Feb 14 2002 - 12:03:17 CST
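
Added example, not part of the original thread: a shell check for the distinction drawn in the reply above, showing which process holds the SNMP ports named in the alert and which account owns it. It reads `lsof -nP -i` output; the sample lines, process names, PIDs and the dbsnmp port are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): list sockets bound to the ports the
# alert says to block (161 and 162 tcp/udp, 1993 udp) with the owning account.
# Reads `lsof -nP -i` output on stdin:
#   COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]

snmp_listeners() {
    awk '
        $1 == "COMMAND"                  { next }   # header row
        $8 != "UDP" && $8 != "TCP"       { next }   # NODE column holds the protocol
        index($9, "->")                  { next }   # connected socket, not a listener
        $8 == "TCP" && $10 != "(LISTEN)" { next }
        {
            port = $9
            sub(/.*:/, "", port)                    # "*:161" or "[::]:161" -> "161"
            if (port == "161" || port == "162" || ($8 == "UDP" && port == "1993")) {
                owner = ($3 == "root") ? "root-owned" : "non-root"
                printf "%s/%s %s pid=%s user=%s %s\n", tolower($8), port, $1, $2, $3, owner
            }
        }
    '
}

# Constructed sample input; process names, PIDs and ports are illustrative.
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER   FD TYPE DEVICE SIZE/OFF NODE NAME
sshd      700 root   3u IPv4 12001  0t0      TCP  *:22 (LISTEN)
snmpd     812 root   6u IPv4 15234  0t0      UDP  *:161
snmptrapd 830 snmp   5u IPv4 15300  0t0      UDP  *:162
dbsnmp   2044 oracle 9u IPv4 20311  0t0      TCP  *:1748 (LISTEN)
sshd     2101 root   4u IPv4 20990  0t0      TCP  10.0.0.5:22->10.0.0.9:51000 (ESTABLISHED)
EOF
}

# On a live host: lsof -nP -i | snmp_listeners
sample_lsof | snmp_listeners
```

Run as root on a live host so that `lsof` can see sockets owned by other accounts.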
