[linux-guvenlik] SANS FLASH ALERT: Widespread SNMP Vulnerability (fwd)


From: Korhan GURLER (korhan@netkeyfi.com)
Date: Wed 13 Feb 2002 - 00:53:13 EET


There will surely be some people who find this interesting. One needs to be very careful.

--

Endless Loop: n., see Loop, Endless. Loop, Endless: n., see Endless Loop. -- Random Shack Data Processing Dictionary


---------- Forwarded message ----------
Date: Tue, 12 Feb 2002 15:33:53 -0700 (MST)
From: The SANS Institute <sans@sans.org>
To: Korhan GURLER <korhan@netkeyfi.com>
Subject: SANS FLASH ALERT: Widespread SNMP Vulnerability

To: Korhan GURLER (SD577678)
From: Alan Paller, Director of Research, The SANS Institute

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SANS FLASH ALERT: Widespread SNMP Vulnerability
2:30 PM EST 12 February, 2002

Note: This is preliminary data! If you have additional information, please send it to us at snmp@sans.org

In a few minutes wire services and other news sources will begin breaking a story about widespread vulnerabilities in SNMP (Simple Network Management Protocol). Exploits of the vulnerability cause systems to fail or to be taken over. The vulnerability can be found in more than a hundred manufacturers' systems and is very widespread - millions of routers and other systems are involved.

Your leadership is needed in making sure that all systems for which you have any responsibility are protected. To do that, first ensure that SNMP is turned off. If you absolutely must run SNMP, get the patch from your hardware or software vendor. They are all working on patches right now. It also makes sense for you to filter traffic destined for SNMP ports (assuming the system doing the filtering is patched).

To block SNMP access, block traffic to ports 161 and 162 for tcp and udp. In addition, if you are using Cisco, block udp for port 1993.

The problems were caused by programming errors that have been in the SNMP implementations for a long time, but only recently discovered.

CERT/CC is taking the lead on the process of getting the vendors to get their patches out. Additional information is posted at http://www.cert.org/advisories/CA-2002-03.html

Two final notes.

Note 1: Turning off SNMP was one of the strong recommendations in the Top 20 Internet Security Vulnerabilities that the FBI's NIPC and SANS and the Federal CIO Council issued on October 1, 2001. If you didn't take that action then, now might be a good time to correct the rest of the top 20 as well as the SNMP problem. The Top 20 document is posted at http://www.sans.org/top20.htm

Note 2: If you have Cisco routers (that's true for 85% of our readers) you are going to have to patch them to fix this problem. This is a great time to make the other fixes that will protect your Cisco routers from an increasingly common set of increasingly bad attacks.

A great new free tool will be announced on Thursday that checks Cisco routers, finds most problems, and provides specific guidance on fixing each problem it finds. We've scheduled a web broadcast for Thursday afternoon at 1 PM EST (18:00 UTC) to tell you about it and how to get it.

Mark your calendar now and we'll supply complete data in tomorrow's Newsbites and on the SANS web site tomorrow, as well.

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (BSD/OS) Comment: For info see http://www.gnupg.org

iD8DBQE8aX8y+LUG5KFpTkYRAnzlAJ920GGAqfFGAcNhrMQs+7N7wjBrEgCgkZM7 63OGBNgmoFsv/aajLby5+7g= =isBR -----END PGP SIGNATURE-----
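A check for the alert's first step (ensure SNMP is turned off), added here as an example and not part of the SANS alert or the forwarded mail: it reads listening-socket lines in the format printed by `ss -H -lntu` (iproute2) and reports listeners on the ports the alert names. The function name `snmp_listeners` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Ports named in the alert: 161 and 162 for tcp and udp, plus udp 1993 (Cisco).
# Input on stdin: lines as printed by `ss -H -lntu`
#   netid state recv-q send-q local-address:port peer-address:port
# Output: one "proto port address scope" line per listener on those ports.
snmp_listeners() {
  awk '
    {
      proto = $1; laddr = $5
      # The port is whatever follows the last colon (handles [::]:161 too).
      n = split(laddr, parts, ":")
      port = parts[n]
      addr = substr(laddr, 1, length(laddr) - length(port) - 1)

      hit = (port == "161" || port == "162") && (proto == "tcp" || proto == "udp")
      if (proto == "udp" && port == "1993") hit = 1
      if (!hit) next

      # A loopback-only listener is not reachable from the network,
      # but it still shows that an SNMP service is running.
      scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "network"
      print proto, port, addr, scope
    }'
}

# Constructed sample input (not captured from a real host).
SAMPLE='udp UNCONN 0 0 0.0.0.0:161 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:162 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
udp UNCONN 0 0 [::]:1993 [::]:*
tcp LISTEN 0 128 10.0.0.5:1993 0.0.0.0:*'

printf '%s\n' "$SAMPLE" | snmp_listeners
```

On a live Linux host the same function can be fed directly: `ss -H -lntu | snmp_listeners`. Empty output means nothing is listening on the ports the alert names.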
