Enterasys - Secure Networks

Enterasys Statement on SNMP Vulnerabilities

Last Updated Mon, 20 Jan 03, 16:41 EST


Testing and Patches

The vulnerabilities can be used to cause SNMP implementations to behave in an unpredictable manner, resulting in denials of service or system failures. Given the serious nature of these vulnerabilities, Enterasys immediately started testing our product line to determine which products are affected. We have completed this testing.

In general, we intend to provide patches for all our current products that require them. The patches will undergo full Design Assurance testing prior to release.

X-Pedition

The X-Pedition ER-16, SSR8600, SSR8000, SSR2000, and 6SSRM-02 running the E9.0.x.x, E8.3.0.x, E8.2.0.x, and E8.1.0.x firmware releases have been tested.

Releases earlier than E8.2.0.0 are not susceptible to the vulnerability. E9.0.1.0 and E8.3.0.8, released March 15, 2002, provide corrections to the vulnerability.

XSR-1805 firmware releases prior to 2.0.0.0 are vulnerable. The 2.0.0.0 release with the vulnerability fix is available today at http://www.enterasys.com/download/download.cgi?lib=XSR.

Matrix

Technical bulletins have been created that highlight each switch's security capabilities and specifically define how to implement them for maximum effectiveness. The bulletin can be found here (Adobe .pdf, 542K).

The Matrix E1 products have been determined to pass all tests.

Matrix E5 testing has determined that the E5 has a single anomaly. Per the guidance set forth in the OUSPG testing procedures, a delayed response to an SNMP query is to be considered an inconclusive result. A single test exhibited this behavior. The delay was on the order of milliseconds. It should be noted that the Matrix E5 did not exhibit any negative or unacceptable characteristics as a result of this test. It has been validated that when implementing the host port into a management VLAN and modifying the community string from default, the Matrix E5 is unaffected by CERT advisory CA-2002-03. As such, a patch is not necessary to address SNMP v1 security concerns.

The Smart Switch 2000/6000 and Matrix E7 2nd Generation (2E2xx-xx, 2H2xx-xx, 6E2xx-xx, and 6H2xx-xx) and 3rd Generation products (6E3xx-xx, 6G3xx-xx, 6H3xx-xx, excluding the 6A100) have updated firmware that will address the SNMP vulnerability issue. There are patches available at no cost for the 5.x and 4.x firmware tracks (5.03.05 and 4.08.43). This firmware is available via the Enterasys Firmware Library web site, and is also available through our Global Technical Assistance Center (GTAC). In addition to the patched firmware, the creation of Access Control Lists for SNMP management, RADIUS authentication of management stations, SNMP frame classification, and rate limiting can be implemented to add an additional level of security.

The Smart Switch 2000/6000 and Matrix E7 1st generation Ethernet based 2000/6000 (2Exx-xx, 2Hxx-xx, 6E1xx-xx, 6H1xx-xx, and 6M1xx-xx) products have been determined to be susceptible. There are patches available at no cost for both SecureFast (6.00.22) and non-SecureFast (4.11.20) images. This firmware is available via the Enterasys Firmware Library web site, and is also available through our Global Technical Assistance Center (GTAC).

The SmartSwitch 9000 (9x4xx-xx, 9x5xx-xx) products have been determined to be susceptible. There are patches available at no cost for these products. This firmware is available via the Enterasys Firmware Library web site, and is also available through our Global Technical Assistance Center (GTAC). The 1st generation of modules for the SmartSwitch 9000, a.k.a. MMAC Plus, identified by the model number 9x1xx-xx, have been determined to pass all tests. There are no firmware upgrades necessary for 9x1xx-xx modules.

Vertical Horizon

The VH-2402-L3 and VH-8G-L3 have passed the test suite and thus do not have any issues with SNMP vulnerability. The VH-2402S, VH-4802, VH-8G and VH-8TX1UM/MF failed the trap tests under specific circumstances. The issues will be, or have been, addressed as outlined below:

  • VH-2402S: All known SNMP vulnerability issues have been corrected in firmware release 2.05.02.31.
  • VH-4802: All known SNMP vulnerability issues have been corrected in firmware release 02.05.05.
  • VH-8G: All known SNMP vulnerability issues will be corrected in the next major release of firmware, targeted for release Q2CY03.
  • VH-8TX1UM: SNMP vulnerability issues are currently under investigation to determine if and when a corrective action might be available. There is no targeted commitment or release date for this product.
  • VH-8TX1MF: SNMP vulnerability issues are currently under investigation to determine if and when a corrective action might be available. There is no targeted commitment or release date for this product.

ELS

The ELS100-24TX, ELS100-24TXM, and ELS100-24TXG passed the test suite and are not susceptible to the vulnerability.

RoamAbout

RoamAbout R1 does not support SNMP, and therefore is not vulnerable. AP2000 products have been tested and have passed the test suite. R2 1.0x.xx failed the trap vulnerability test; AP Manager version 8.0 addresses this vulnerability and is available now.

Dragon

Dragon Sensor 5.0.x and all versions of Dragon Squire are vulnerable to potential system crashing when tested with the recent SNMP toolkit made public with CERT advisory CA-2002-03.

Dragon Sensor 5.0.x with SNMP decoding enabled and all versions of Dragon Squire with SNMP enabled are vulnerable to potential system crashing when tested with the recent SNMP toolkit made public with CERT advisory CA-2002-03.

With Dragon Sensor, the vulnerability arises from the parsing of SNMP traffic for NIDS bypassing from null encoding. If you have the SNMPCONVERT keyword enabled, the Dragon Sensor process may be vulnerable to a potential system crash. In Enterasys's testing, if running in a typical deployment mode, the dragonctl program will restart Dragon Sensor. It is recommended that end users disable the SNMPCONVERT keyword immediately and upgrade to new Dragon Sensor binaries, which will be available shortly.

With Dragon Squire, the default OID used in the SNMP security toolkit is different than the default one deployed with Dragon. However, if Dragon Squire is used to aggregate SNMP traps, it is also subject to a denial of service, which crashes the Squire process. New binary versions of Dragon Squire are available to correct this problem.

ANG

The ANG 1102/1105 SNMP agent is, by design, blocked from the Internet, and SNMP traffic is limited to use through a secure tunnel. The only detected symptom is a denial of service on the agent.

The ANG 3000/7050 patch is available at http://www.enterasys.com/fw-images/aurorean/AVN-UGKpatch/.

APS (3000/7000) runs Windows NT 4.0 with SP 4. The SNMP agent on the APS is a Microsoft component that can easily be switched off. A Microsoft patch is available. See http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-006.asp

NetSight

NetSight ACL Manager, Inventory Manager, and Policy Manager passed the tests.

QA has completed the CERT testing against NetSight Element Manager v3.1. The results do not indicate any SNMP vulnerabilities. The ‘short DOS’ vulnerability identified in the previous tests (NetSight EM v3.0) was not observed in recent tests against the new release.

Older NetSight products use the SNMP stack in the Spectrum server. Testing by Aprisma has revealed no vulnerabilities.

Other Products

All other products not specifically mentioned here cannot be patched, based on a number of considerations such as, but not limited to, discontinuation of third-party SNMP stacks. Our Professional Services organization is poised to assist customers in migration strategies, risk assessment, and security implementations consistent with the capabilities of the infrastructure. In addition, our Professional Services organization is also prepared to make product-specific recommendations to enhance current infrastructures and leverage current-generation technologies to address current security concerns.

Workarounds

Written instructions for configuring Matrix products can be downloaded here (Adobe .pdf, 542K).

Until these patches become available, Enterasys recommends that the following steps be taken to help reduce exposure to these vulnerabilities.

  • Disable SNMP on devices where the service isn't required.
  • Filter SNMP at interfaces through which SNMP commands should not be received, such as those providing connection from the Internet or Extranets. Filter SNMP at interfaces to hosts that should not be running SNMP.
  • Use management VLANs or out-of-band management to contain SNMP traffic and multicasts. These do not prevent an attacker from exploiting these vulnerabilities, but they may make it more difficult to initiate the attacks and to discover community names.
  • Enable 802.1X port-locking and RADIUS to prevent unauthenticated users from attaching to the network.
  • Use NetSight Policy Manager to automatically restrict the use of SNMP to authenticated, SNMP-authorized personnel.
  • Update Dragon IDS signatures to help identify when these attacks are being used.
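
The filtering, management-VLAN and community-string measures above can be checked against observed traffic. The following is an added example, not part of the Enterasys statement or any Enterasys tool: it audits SNMP records from a sensor log and flags traffic that violates the policy. The log format, the 10.10.0.0/24 management subnet, the agent addresses and the community names are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed policy values for illustration; none of these come from the advisory.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")  # management VLAN subnet
AGENTS = {ipaddress.ip_address(a) for a in ("10.10.0.21", "10.10.0.22")}
SNMP_PORTS = {161, 162}  # 161 = agent queries, 162 = traps
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample records: time src dst proto dport community
SAMPLE_LOG = """\
2003-01-20T10:00:01 10.10.0.5 10.10.0.21 udp 161 n0c-ro
2003-01-20T10:00:02 192.0.2.44 10.10.0.21 udp 161 public
2003-01-20T10:00:03 10.10.0.5 10.10.0.99 udp 161 n0c-ro
2003-01-20T10:00:04 10.10.0.22 10.10.0.5 udp 162 n0c-ro
2003-01-20T10:00:05 10.10.0.5 10.10.0.22 udp 161 private
2003-01-20T10:00:06 172.16.3.7 10.10.0.21 tcp 80 -
"""

def check_record(line):
    """Return the policy violations for one record (empty list if clean)."""
    fields = line.split()
    if len(fields) != 6:
        return ["unparseable"]
    _, src, dst, proto, dport, community = fields
    if proto != "udp" or not dport.isdigit() or int(dport) not in SNMP_PORTS:
        return []  # not SNMP traffic, out of scope for this audit
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    reasons = []
    if src not in MGMT_NET or dst not in MGMT_NET:
        reasons.append("outside-mgmt-vlan")   # SNMP should stay inside the VLAN
    if int(dport) == 161 and dst not in AGENTS:
        reasons.append("unexpected-agent")    # host that should not run SNMP
    if community.lower() in DEFAULT_COMMUNITIES:
        reasons.append("default-community")   # community string left at default
    return reasons

def audit(log_text):
    """Return [(record_number, [reasons])] for every record that violates policy."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        reasons = check_record(line) if line.strip() else []
        if reasons:
            findings.append((n, reasons))
    return findings

if __name__ == "__main__":
    for n, reasons in audit(SAMPLE_LOG):
        print(f"record {n}: {', '.join(reasons)}")
```

A finding of outside-mgmt-vlan points at a missing interface filter, and unexpected-agent at a host where SNMP should be disabled.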