SNMP Vulnerability and Network Equipment

Background

For more information and a complete list of affected systems, see CERT's advisory alert at:

http://www.cert.org/advisories/CA-2002-03.html

CERT has identified major vulnerabilities in the Simple Network Management Protocol (SNMP), which is commonly used in a networked environment. Attackers using these vulnerabilities could produce effects ranging from instability to denial of service to remote control of the system.

A partial list of vulnerable systems includes:

  • Many hubs, routers and switches
    (including Cisco, 3Com, and other networking equipment manufacturers)

  • Many network printers
    (including Hewlett Packard JetDirect printers and other printer manufacturers)

  • Systems with SNMP enabled
    (including Solaris, which enables SNMP by default)

  • Systems with or without SNMP which have had UCD-SNMP pre-4.2.3 installed

In response to this vulnerability, UIUC is taking the following steps:

  1. All network traffic entering the campus on SNMP ports 161 and 162 has been temporarily blocked at the campus firewalls. This block will continue until it has been established that UIUC campus systems have been suitably protected from SNMP vulnerabilities.

  2. Over the next week (February 19th to 25th), all network administrators should patch any affected switches and routers for which they are responsible.

    (Directions for Cisco and HP switches follow.)

  3. Also over the next week (February 19th to 25th), all printer administrators should patch any affected JetDirect or other networked printers for which they are responsible.

    (Resources for printer managers are being assembled by the Security Group and stored at http://www.cio.uiuc.edu/security/.)
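
One way to confirm that the border block in step 1 is holding, and to see which campus devices are being probed so they can be patched first, is to audit the firewall log. The script below is an added example, not part of the original notice or any UIUC tooling; the log format, the function name audit_snmp_block and the sample lines (RFC 5737 documentation addresses) are constructed for illustration.

```python
import re
from collections import Counter

SNMP_PORTS = {161, 162}  # the two ports blocked at the campus firewalls

# Constructed log format (an assumption, not a real firewall's syntax):
#   <timestamp> <ALLOW|DENY> <proto> <src_ip>:<sport> -> <dst_ip>:<dport> <in|out>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out)$"
)

# Constructed sample input; all addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2002-02-19T10:01:02 DENY UDP 198.51.100.7:40211 -> 192.0.2.10:161 in
2002-02-19T10:01:03 DENY UDP 198.51.100.7:40212 -> 192.0.2.11:161 in
2002-02-19T10:02:40 ALLOW TCP 198.51.100.9:51000 -> 192.0.2.20:80 in
2002-02-19T10:03:15 ALLOW UDP 203.0.113.5:33000 -> 192.0.2.30:162 in
2002-02-19T10:04:00 ALLOW UDP 192.0.2.10:161 -> 198.51.100.7:40211 out
2002-02-19T10:05:09 DENY UDP 198.51.100.8:40500 -> 192.0.2.10:161 in
garbled line that does not parse
"""

def audit_snmp_block(log_text):
    """Return (blocked_per_dst, leaks, unparsed) for inbound SNMP traffic."""
    blocked = Counter()  # destination IP -> denied inbound SNMP packets
    leaks = []           # inbound SNMP packets the firewall let through
    unparsed = 0         # lines the parser could not read (never ignored silently)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        if m["dir"] != "in" or int(m["dport"]) not in SNMP_PORTS:
            continue  # only inbound traffic to ports 161/162 is in scope
        if m["action"] == "DENY":
            blocked[m["dst"]] += 1
        else:
            leaks.append((m["ts"], m["src"], m["dst"], int(m["dport"])))
    return blocked, leaks, unparsed

if __name__ == "__main__":
    blocked, leaks, unparsed = audit_snmp_block(SAMPLE_LOG)
    for dst, n in blocked.most_common():
        print(f"{dst}: {n} blocked inbound SNMP packets (check patch status)")
    for ts, src, dst, port in leaks:
        print(f"LEAK {ts}: {src} -> {dst}:{port} was allowed inbound")
    print(f"{unparsed} unparsed line(s)")
```

Any entry in the leak list means a rule is missing or ordered wrongly for one of the two ports; the per-destination counts show which devices are drawing outside SNMP traffic.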

Resources for UIUC network administrators

Switches:

In general, switch administrators will need to log into their switches and use the console to direct the switches to download their updates from the TFTP server on cub.cso.uiuc.edu (130.126.113.5). Note that TFTP information given below is case-sensitive.

Additional vendor information is also linked here for convenience.

| Switch model and notes | TFTP software on Cub | Documentation |
|---|---|---|
| Hewlett-Packard: | | |
| HP Procurve 2512 switches (J4812A) and 2524 switches (J4813A) | hp2524/F_04_08.swi | http://www.hp.com/rnd/software/switches.htm |
| Cisco Catalyst 5000 and 5500 series switches: | | |
| Supervisor Engine I and II models with 16 MB DRAM or less | cat5000/cat5000-sup.4-5-13a.bin | Version 4.5.13a release notes |
| Supervisor Engine II models with 32 MB DRAM or more | cat5000/cat5000-sup.5-5-13a.bin | Version 5.5.13a release notes |
| Supervisor Engine III models with 32 MB DRAM or more | cat5000/cat5000-sup3.5-5-13a.bin | Refer to version 5.5.13a release notes above |
| Cisco Catalyst 4006 series switches: | | |
| All Cisco Catalyst 4006 series switches | cat4000/cat4000.5-5-13a.bin | Refer to version 5.5.13a release notes above |
| Foundry: | | |
| Foundry switches are not affected. No modifications are necessary. | | |

If a network administrator has a switch that is not listed in this table, see the Contacts section for how to open a trouble ticket to get update information for that switch.

Printers:

If your printer is directly attached to a computer (via a serial, parallel, or USB connection), then your printer is not open to the SNMP vulnerability. However, if your printer is attached directly to the network via its own Ethernet connection (as JetDirect printers are), and if the printer does not depend on a computer to control network access to it, it is likely to be vulnerable to this SNMP issue.

Since there are so many variations on printers, JetDirect cards, and firmware patches, your best point of reference is the CERT website and vendor documentation. One particularly useful location (for HP JetDirect users) is http://www.hp.com/cposupport/networking/support_doc/bpj05999.html#P67_7491, which describes JetDirect security measures.

To assist campus printer administrators as much as possible, the Security Group is assembling information about systems that are used on this campus at http://www.cio.uiuc.edu/security/. If you have any information you can contribute to these lists, please send it to security@uiuc.edu.

Other:

For other affected systems, including Solaris machines and UCD-SNMP pre-4.2.3 systems, see the CERT web page for the latest available information.

General assistance with securing Solaris and other Unix systems is also available from the Introduction to Unix Security page, including links to several campus groups' step-by-step Unix security pages.

Contacts

Please continue to monitor the CERT and vendor Web pages for patch availability for your systems. CERT's advisory, list of affected vendors, and their responses are available at:

http://www.cert.org/advisories/CA-2002-03.html

If you have any questions, contact the Security Group at 265-0000 or security@uiuc.edu.

If you have difficulty in upgrading your systems, contact the Operations Center at 244-1000 or net-trouble@uiuc.edu. Ask for a trouble ticket to be created and placed in the LAN Maintenance group's work queue.

Note: Due to the number of campus systems that will need to be upgraded in the next week, the LAN Maintenance group's response may not be immediate. However, we will try to reply to all requests within two days to determine what work is required and estimate a scheduled date and time.

 

 

 

Last modified December 30, 2003