COMMAND

    SNMP

SYSTEMS AFFECTED

    SCO OpenServer 5.0.5

PROBLEM

    The following is based on a Network Associates Security Advisory.
    The default configuration of SCO OpenServer 5.0.5 allows local
    users read/write access to SNMPD via a default writable community
    string.  This configuration has been verified on SCO OpenServer
    5.0.5 and may be present in earlier versions.

    SNMP (Simple Network Management Protocol) is a protocol suite used
    to manage information obtained from network entities such as
    hosts, routers, switches, hubs, etc.  A management station
    collects the information from these various network entities via
    SNMP variable queries.  Information events called traps can also
    be sent from entities to management stations, notifying the
    station of critical changes such as changes to interface status,
    packet collisions, etc.

    These domains of SNMP management stations and entities are grouped
    together in what are called communities.  The community name
    (called the community string) is used as the authentication method
    for information retrieval/traps.  There are two types of community
    strings: read (public) and write (private).  A read community has
    privileges to retrieve variables from SNMP entities, and a write
    community has privileges to read as well as write to entity
    variables.  The problem lies in that the default installation of
    SCO OpenServer 5.0.5 has snmpd enabled with a default write
    (private) community string.

    SNMPD, run on startup by SCO OpenServer 5.0.5, is configured by
    default with a writable (private) community string.  This allows
    any local user full administrator access to the SNMPD facility.
    The potential abuses of this privilege include the ability to
    modify hostname, network interface state, IP forwarding and
    routing, state of network sockets (including the ability to
    terminate active TCP sessions and listening sockets) and the ARP
    cache.  An attacker also has full read access to all SNMP
    facilities.
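    As an added example (not part of the advisory or of SCO's or
    Network Associates' code), the following Python decodes the SNMPv1
    message layout from RFC 1157 just far enough to extract the
    community string and PDU type, so that captured UDP/161 payloads
    can be checked for SetRequests (writes) that rely on the default
    "public"/"private" communities described above.  The sample
    packets, the default-community list and the use of sysName.0 as the
    varbind are constructed here for illustration.

```python
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
DEFAULT_COMMUNITIES = {b"public", b"private"}   # assumed vendor-default names

def _read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low bits = count of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, bytes(buf[pos:pos + length]), pos + length

def parse_snmpv1(packet):
    """Return (version, community, pdu_name) from a raw SNMP UDP payload."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    _, version, pos = _read_tlv(body, 0)        # INTEGER version (0 = SNMPv1)
    _, community, pos = _read_tlv(body, pos)    # OCTET STRING community
    pdu_tag, _, _ = _read_tlv(body, pos)        # context-specific PDU tag
    return (int.from_bytes(version, "big"), community,
            PDU_TYPES.get(pdu_tag, "unknown(0x%02x)" % pdu_tag))

def is_default_community_write(packet):
    """Flag a SetRequest (write) authenticated only by a default community."""
    _, community, pdu = parse_snmpv1(packet)
    return pdu == "SetRequest" and community in DEFAULT_COMMUNITIES

def _tlv(tag, value):
    """BER-encode a short TLV (value < 128 bytes); used to build samples."""
    return bytes([tag, len(value)]) + value

def build_request(pdu_tag, community, oid_bytes, value):
    """Constructed SNMPv1 message with one varbind (OCTET STRING or NULL)."""
    val = _tlv(0x05, b"") if value is None else _tlv(0x04, value)
    varbind = _tlv(0x30, _tlv(0x06, oid_bytes) + val)
    pdu = _tlv(pdu_tag, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00")   # request-id,
               + _tlv(0x02, b"\x00") + _tlv(0x30, varbind))          # error-status/index
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, community) + pdu)

# sysName.0 (1.3.6.1.2.1.1.5.0) in BER; the first two arcs pack into 0x2B
SYSNAME_0 = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x05, 0x00])
SAMPLE_SET = build_request(0xA3, b"private", SYSNAME_0, b"x")   # constructed
SAMPLE_GET = build_request(0xA0, b"public", SYSNAME_0, None)    # constructed

if __name__ == "__main__":
    for pkt in (SAMPLE_SET, SAMPLE_GET):
        print(parse_snmpv1(pkt), "FLAG" if is_default_community_write(pkt) else "ok")
```

    Feeding real capture payloads through is_default_community_write()
    gives a quick check of whether anything on the network is still
    writing to agents with the default community.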

    Discovery and documentation of this vulnerability was conducted by
    Shawn Bracken at the security labs of Network Associates.

SOLUTION

    SCO  has  released  a  security  bulletin  for this vulnerability,
    which can be found at:

        http://www.sco.com/security

    The community string definitions can be found in /etc/snmpd.comm.
    Remove/modify these strings and restart snmpd.  Alternatively, if
    your site does not use SNMP, kill snmpd and remove it from system
    startup files.