Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: [sans@sans.org: SANS FLASH ALERT: Widespread SNMP Vul

Re: [sans@sans.org: SANS FLASH ALERT: Widespread SNMP Vul

From: Joan Hsieh <joan.hsieh_at_tufts.edu>
Date: Thu, 14 Feb 2002 13:31:26 -0800
Message-ID: <F001.004104C4.20020214132656@fatcity.com> 






Hello,



This is what oracle responsed;



    
  
  1.   EM does not use SNMP at all for its own functionality -- therefore
EM
proper is not affected by these findings.

  
  2.   The EM agent can be optionally used as an SNMP subagent that
services
the public and Oracle-specific database MIBs. 

  
  3.   Intensive testing on this vulnerability has determined that there
is
minimal
risk involved to EM users. EM does not require SNMP out-of-box -- use
of
SNMP with the agent is optional. The worst case scenario is a denial
of
service attack against the Agent, resulting in an Agent core dump.
This
risk is
only apparent when the Agent is configured to use SNMP. 






Please note that the Agent installation is typically behind a
firewall


and the Agent does not listen


to Internet traffic, further reducing the likelihood of external
tampering.


Additionally, there does not seem to be any potential for
unauthorized


privilege access, any capability to run external code, or an affect
on


other services on the node.



Oracle will be releasing a formal Oracle Security Alert this week
with


information regarding patching, backporting, etc. 



Ray Stell wrote:


> 

> Dick, does this mean that you have firsthand knowledge that

> the oracle's snmp code is free from the underlying vulnerabilities?

> There was no mention of Oracle in the advisory.  This could mean

> that they did not respond or they are not vulnerable.

> 

> I posted to the Oracle Networking Technical Forum yesterday on this

> issue, but there has been no Oracle Corp response.  You can search

> for SNMP to follow their response.

> 

> Joan, Dick is certainly correct here with respect to the the system snmp

> agent.  The sysadmins need to address this by either patching or disabling

> snmpd.  However, unless Oracle confirms they did not use the old flawed code,

> I don't see any reason to assume their product is not vulnerable.  Until

> they do, I will:

> 

> 1) be nervous,

> 2) bug oracle corp,

> 3) confirm ip filter rules,

> 4) study dbsnmp

> 

> On Thu, Feb 14, 2002 at 09:53:37AM -0800, dgoulet_at_vicr.com wrote:

> > Joan,

> >

> >     The Oracle intelligent agent which uses dbsnmp is not the problem here.  The

> > real problem is the snmp agent that is running on the computer and owned by

> > root.  Therefore your SA needs to do something, not you.

> >

> > Dick Goulet

> >

> > ____________________Reply Separator____________________

> > Author: Joan Hsieh <joan.hsieh_at_tufts.edu>

> > Date:       2/14/2002 7:48 AM

> >

> > Hi Ray,

> >

> > We use dbsnmp on the production server. How it will affect us? Our

> > system people sent us the same article to us and very concerned the

> > security.

> >

> > Joan

> >

> > Ray Stell wrote:

> > >

> > > Oracle does not seem to be listed, but you got to wonder what code

> > > they based their snmp stuff on.  You may want to nudge you sysadmin

> > > in the ribs, also.

> > >

> > > ----- Forwarded message from The SANS Institute <sans_at_sans.org> -----

> > >

> > > Date: Tue, 12 Feb 2002 12:30:06 -0700 (MST)

> > > To: Ray Stell <stellr_at_vt.edu>(SD569668)

> > >

> > > SANS FLASH ALERT: Widespread SNMP Vulnerability

> > > 1:30 PM EST 12 February, 2002

> > >

> > > To: Ray Stell (SD569668)

> > >

> > > Note: This is preliminary data! If you have additional information,

> > > please send it to us at snmp_at_sans.org

> > >

> > > In a few minutes wire services and other news sources will begin

> > > breaking a story about widespread vulnerabilities in SNMP (Simple

> > > Network Management Protocol).  Exploits of the vulnerability cause

> > > systems to fail or to be taken over.  The vulnerability can be found in

> > > more than a hundred manufacturers' systems and is very widespread -

> > > millions of routers and other systems are involved.

> > >

> > > As one of the SANS alumni, your leadership is needed in making sure that

> > > all systems for which you have any responsibility are protected. To do

> > > that, first ensure that SNMP is turned off. If you absolutely must run

> > > SNMP, get the patch from your hardware or software vendor. They are all

> > > working on patches right now. It also makes sense for you to filter

> > > traffic destined for SNMP ports (assuming the system doing the filtering

> > > is patched).

> > >

> > > To block SNMP access, block traffic to ports 161 and 162 for tcp and

> > > udp.  In addition, if you are using Cisco, block udp for port 1993.

> > >

> > > The problems were caused by programming errors that have been in the

> > > SNMP implementations for a long time, but only recently discovered.

> > >

> > > CERT/CC is taking the lead on the process of getting the vendors to get

> > > their patches out.  Additional information is posted at

> > > http://www.cert.org/advisories/CA-2002-03.html

> > >

> > > A final note.

> > >

> > > Turning off SNMP was one of the strong recommendations in the Top 20

> > > Internet Security Threats that the FBI's NIPC and SANS and the Federal

> > > CIO Council issued on October 1, 2001.  If you didn't take that action

> > > then, now might be a good time to correct the rest of the top 20 as well

> > > as the SNMP problem.  The Top 20 document is posted at

> > > http://www.sans.org/top20.htm

> > >

> > > ----- End forwarded message -----

> > >

> > > --

> > > ===============================================================

> > > Ray Stell   stellr_at_vt.edu     (540) 231-4109     KE4TJC    28^D

> > > --

> > > Please see the official ORACLE-L FAQ: http://www.orafaq.com

> > > --

> > > Author: Ray Stell

> > >   INET: stellr_at_cns.vt.edu

> > >

> > > Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

> > > San Diego, California        -- Public Internet access / Mailing Lists

> > > --------------------------------------------------------------------

> > > To REMOVE yourself from this mailing list, send an E-Mail message

> > > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

> > > the message BODY, include a line containing: UNSUB ORACLE-L

> > > (or the name of mailing list you want to be removed from).  You may

> > > also send the HELP command for other information (like subscribing).

> > --

> > Please see the official ORACLE-L FAQ: http://www.orafaq.com

> > --

> > Author: Joan Hsieh

> >   INET: joan.hsieh_at_tufts.edu

> >

> > Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

> > San Diego, California        -- Public Internet access / Mailing Lists

> > --------------------------------------------------------------------

> > To REMOVE yourself from this mailing list, send an E-Mail message

> > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

> > the message BODY, include a line containing: UNSUB ORACLE-L

> > (or the name of mailing list you want to be removed from).  You may

> > also send the HELP command for other information (like subscribing).

> > --

> > Please see the official ORACLE-L FAQ: http://www.orafaq.com

> > --

> > Author:

> >   INET: dgoulet_at_vicr.com

> >

> > Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

> > San Diego, California        -- Public Internet access / Mailing Lists

> > --------------------------------------------------------------------

> > To REMOVE yourself from this mailing list, send an E-Mail message

> > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

> > the message BODY, include a line containing: UNSUB ORACLE-L

> > (or the name of mailing list you want to be removed from).  You may

> > also send the HELP command for other information (like subscribing).

> 

> --

> ===============================================================

> Ray Stell   stellr_at_vt.edu     (540) 231-4109     KE4TJC    28^D

> --

> Please see the official ORACLE-L FAQ: http://www.orafaq.com

> --

> Author: Ray Stell

>   INET: stellr_at_cns.vt.edu

> 

> Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

> San Diego, California        -- Public Internet access / Mailing Lists

> --------------------------------------------------------------------

> To REMOVE yourself from this mailing list, send an E-Mail message

> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

> the message BODY, include a line containing: UNSUB ORACLE-L

> (or the name of mailing list you want to be removed from).  You may

> also send the HELP command for other information (like subscribing).


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Joan Hsieh
  INET: joan.hsieh_at_tufts.edu

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


Received on Thu Feb 14 2002 - 15:31:26 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US