Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: [sans@sans.org: SANS FLASH ALERT: Widespread SNMP Vul

Re: [sans@sans.org: SANS FLASH ALERT: Widespread SNMP Vul

From: Ray Stell <stellr_at_cns.vt.edu>
Date: Thu, 14 Feb 2002 15:31:15 -0800
Message-ID: <F001.0041059F.20020214144132@fatcity.com> 








I hadn't seen this text, where did you get it?
They still have not responded to Doc ID: 189174.995






On Thu, Feb 14, 2002 at 01:26:57PM -0800, Joan Hsieh wrote:


> Hello,

> 

> This is what oracle responsed;

> 

> 1. EM does not use SNMP at all for its own functionality -- therefore

> EM

> proper is not affected by these findings.

> 

> 2. The EM agent can be optionally used as an SNMP subagent that

> services

> the public and Oracle-specific database MIBs. 

> 

> 3. Intensive testing on this vulnerability has determined that there

> is

> minimal

> risk involved to EM users. EM does not require SNMP out-of-box -- use

> of

> SNMP with the agent is optional. The worst case scenario is a denial

> of

> service attack against the Agent, resulting in an Agent core dump.

> This

> risk is

> only apparent when the Agent is configured to use SNMP. 

> 

> Please note that the Agent installation is typically behind a

> firewall

> and the Agent does not listen

> to Internet traffic, further reducing the likelihood of external

> tampering.

> Additionally, there does not seem to be any potential for

> unauthorized

> privilege access, any capability to run external code, or an affect

> on

> other services on the node.

> 

> Oracle will be releasing a formal Oracle Security Alert this week

> with

> information regarding patching, backporting, etc. 

> 

> Ray Stell wrote:

> > 

> > Dick, does this mean that you have firsthand knowledge that

> > the oracle's snmp code is free from the underlying vulnerabilities?

> > There was no mention of Oracle in the advisory.  This could mean

> > that they did not respond or they are not vulnerable.

> > 

> > I posted to the Oracle Networking Technical Forum yesterday on this

> > issue, but there has been no Oracle Corp response.  You can search

> > for SNMP to follow their response.

> > 

> > Joan, Dick is certainly correct here with respect to the the system snmp

> > agent.  The sysadmins need to address this by either patching or disabling

> > snmpd.  However, unless Oracle confirms they did not use the old flawed code,

> > I don't see any reason to assume their product is not vulnerable.  Until

> > they do, I will:

> > 

> > 1) be nervous,

> > 2) bug oracle corp,

> > 3) confirm ip filter rules,

> > 4) study dbsnmp

> > 

> > On Thu, Feb 14, 2002 at 09:53:37AM -0800, dgoulet_at_vicr.com wrote:

> > > Joan,

> > >

> > >     The Oracle intelligent agent which uses dbsnmp is not the problem here.  The

> > > real problem is the snmp agent that is running on the computer and owned by

> > > root.  Therefore your SA needs to do something, not you.

> > >

> > > Dick Goulet

> > >

> > > ____________________Reply Separator____________________

> > > Author: Joan Hsieh <joan.hsieh_at_tufts.edu>

> > > Date:       2/14/2002 7:48 AM

> > >

> > > Hi Ray,

> > >

> > > We use dbsnmp on the production server. How it will affect us? Our

> > > system people sent us the same article to us and very concerned the

> > > security.

> > >

> > > Joan

> > >

> > > Ray Stell wrote:

> > > >

> > > > Oracle does not seem to be listed, but you got to wonder what code

> > > > they based their snmp stuff on.  You may want to nudge you sysadmin

> > > > in the ribs, also.

> > > >

> > > > ----- Forwarded message from The SANS Institute <sans_at_sans.org> -----

> > > >

> > > > Date: Tue, 12 Feb 2002 12:30:06 -0700 (MST)

> > > > To: Ray Stell <stellr_at_vt.edu>(SD569668)

> > > >

> > > > SANS FLASH ALERT: Widespread SNMP Vulnerability

> > > > 1:30 PM EST 12 February, 2002

> > > >

> > > > To: Ray Stell (SD569668)

> > > >

> > > > Note: This is preliminary data! If you have additional information,

> > > > please send it to us at snmp_at_sans.org

> > > >

> > > > In a few minutes wire services and other news sources will begin

> > > > breaking a story about widespread vulnerabilities in SNMP (Simple

> > > > Network Management Protocol).  Exploits of the vulnerability cause

> > > > systems to fail or to be taken over.  The vulnerability can be found in

> > > > more than a hundred manufacturers' systems and is very widespread -

> > > > millions of routers and other systems are involved.

> > > >

> > > > As one of the SANS alumni, your leadership is needed in making sure that

> > > > all systems for which you have any responsibility are protected. To do

> > > > that, first ensure that SNMP is turned off. If you absolutely must run

> > > > SNMP, get the patch from your hardware or software vendor. They are all

> > > > working on patches right now. It also makes sense for you to filter

> > > > traffic destined for SNMP ports (assuming the system doing the filtering

> > > > is patched).

> > > >

> > > > To block SNMP access, block traffic to ports 161 and 162 for tcp and

> > > > udp.  In addition, if you are using Cisco, block udp for port 1993.

> > > >

> > > > The problems were caused by programming errors that have been in the

> > > > SNMP implementations for a long time, but only recently discovered.

> > > >

> > > > CERT/CC is taking the lead on the process of getting the vendors to get

> > > > their patches out.  Additional information is posted at

> > > > http://www.cert.org/advisories/CA-2002-03.html

> > > >

> > > > A final note.

> > > >

> > > > Turning off SNMP was one of the strong recommendations in the Top 20

> > > > Internet Security Threats that the FBI's NIPC and SANS and the Federal

> > > > CIO Council issued on October 1, 2001.  If you didn't take that action

> > > > then, now might be a good time to correct the rest of the top 20 as well

> > > > as the SNMP problem.  The Top 20 document is posted at

> > > > http://www.sans.org/top20.htm

> > > >

> > > > ----- End forwarded message -----

> > > >

> > > > --

> > > > ===============================================================

> > > > Ray Stell   stellr_at_vt.edu     (540) 231-4109     KE4TJC    28^D

> > > > --

> > > > Please see the official ORACLE-L FAQ: http://www.orafaq.com

> > > > --

> > > > Author: Ray Stell

> > > >   INET: stellr_at_cns.vt.edu

> > > >

> > > > Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

> > > > San Diego, California        -- Public Internet access / Mailing Lists

> > > > --------------------------------------------------------------------

> > > > To REMOVE yourself from this mailing list, send an E-Mail message

> > > > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

> > > > the message BODY, include a line containing: UNSUB ORACLE-L

> > > > (or the name of mailing list you want to be removed from).  You may

> > > > also send the HELP command for other information (like subscribing).

> > > --

> > > Please see the official ORACLE-L FAQ: http://www.orafaq.com

> > > --

> > > Author: Joan Hsieh

> > >   INET: joan.hsieh_at_tufts.edu

> > >

> > > Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

> > > San Diego, California        -- Public Internet access / Mailing Lists

> > > --------------------------------------------------------------------

> > > To REMOVE yourself from this mailing list, send an E-Mail message

> > > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

> > > the message BODY, include a line containing: UNSUB ORACLE-L

> > > (or the name of mailing list you want to be removed from).  You may

> > > also send the HELP command for other information (like subscribing).

> > > --

> > > Please see the official ORACLE-L FAQ: http://www.orafaq.com

> > > --

> > > Author:

> > >   INET: dgoulet_at_vicr.com

> > >

> > > Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

> > > San Diego, California        -- Public Internet access / Mailing Lists

> > > --------------------------------------------------------------------

> > > To REMOVE yourself from this mailing list, send an E-Mail message

> > > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

> > > the message BODY, include a line containing: UNSUB ORACLE-L

> > > (or the name of mailing list you want to be removed from).  You may

> > > also send the HELP command for other information (like subscribing).

> > 

> > --

> > ===============================================================

> > Ray Stell   stellr_at_vt.edu     (540) 231-4109     KE4TJC    28^D

> > --

> > Please see the official ORACLE-L FAQ: http://www.orafaq.com

> > --

> > Author: Ray Stell

> >   INET: stellr_at_cns.vt.edu

> > 

> > Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

> > San Diego, California        -- Public Internet access / Mailing Lists

> > --------------------------------------------------------------------

> > To REMOVE yourself from this mailing list, send an E-Mail message

> > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

> > the message BODY, include a line containing: UNSUB ORACLE-L

> > (or the name of mailing list you want to be removed from).  You may

> > also send the HELP command for other information (like subscribing).

> -- 

> Please see the official ORACLE-L FAQ: http://www.orafaq.com

> -- 

> Author: Joan Hsieh

>   INET: joan.hsieh_at_tufts.edu

> 

> Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

> San Diego, California        -- Public Internet access / Mailing Lists

> --------------------------------------------------------------------

> To REMOVE yourself from this mailing list, send an E-Mail message

> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

> the message BODY, include a line containing: UNSUB ORACLE-L

> (or the name of mailing list you want to be removed from).  You may

> also send the HELP command for other information (like subscribing).



-- 
===============================================================
Ray Stell   stellr_at_vt.edu     (540) 231-4109     KE4TJC    28^D
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Ray Stell
  INET: stellr_at_cns.vt.edu

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


Received on Thu Feb 14 2002 - 17:31:15 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US