COMMAND
SNMP - Solstice Enterprise Agent
SYSTEMS AFFECTED
SunOS 5.6
PROBLEM
Solstice Enterprise Agents(tm) expands the scope of enterprise
management by providing a comprehensive development and runtime
environment enabling the creation of custom, extensible agents for
device and system management for the Solaris(tm) operating
environment. Solstice Enterprise Agents(SEA) supports both the
Simple Network Management Protocol and DMI protocols.
The following is based on an ISS Security Advisory. Internet Security
Systems (ISS) X-Force has discovered a serious vulnerability in
Sun Microsystems' Solstice Enterprise Agent and the Solaris
operating system. The vulnerability allows remote attackers to
execute arbitrary commands with root privileges, manipulate system
parameters and kill processes.
The vulnerabilities are present in the SNMP daemons shipped with
Solaris 2.6, which is configured to support SNMP by default. A
hidden and undocumented community string is present in the SNMP
subagent and may allow remote attackers to change most system
parameters. Remote attackers may kill any process, update routes,
potentially sidestep firewalls or disable network interfaces. Most
notably, attackers may indirectly execute arbitrary commands with
superuser privileges. The problem is compounded by the fact that
these SNMP daemons are configured and started by default, and
attackers do not need local access to the target host to exploit
it.
Inspecting the agent binaries with a binary editor reveals the
following community strings ("passwords"):
Solaris: all private
HP: snmpd
These strings are NOT stored in snmp.conf and cannot be disabled by
configuration. This is not the case with the replacement binaries
shipped with HP OpenView Network Node Manager B.05.01.
Additional tests showed that in version 1.0.3 of the SEA SDK (as
opposed to just the runtime) the strings 'all public' and
'all private' are present in the mibiisa binary. It is possible to
read the entire MIB using the 'all private' community string, but
there are difficulties using either 'private' or 'all private' to
write values, even when the SNMP daemon has been configured to use
'private'. On a system running 1.0.1 it is possible to use 'all
private' to kill processes, kill connections, and so on.
Interestingly, it is also possible to use 'private' to change the
system information.
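The check a practitioner wants after reading the above is whether a given agent answers SNMPv1 requests for the hidden or default community strings. The following is an added example, not code from the advisory, ISS or Sun: it hand-builds a BER-encoded SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), parses the GetResponse, and reports which of a list of community strings the agent accepted. The host, port and the list of candidate communities are assumptions supplied by the caller; the GetResponse builder exists only to produce a constructed sample for offline testing.

```python
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"
# Candidate community strings: the defaults plus the ones the advisory reports
# as embedded in the Solaris and HP agent binaries (assumed list, edit as needed).
CANDIDATES = ("public", "private", "all public", "all private", "snmpd")


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(v: int) -> bytes:
    """INTEGER, minimal two's-complement encoding (non-negative values here)."""
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, then base-128 arcs."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def build_get_request(community: str, oid: str = SYS_DESCR, request_id: int = 1) -> bytes:
    """SNMPv1 message: SEQUENCE { version 0, community, GetRequest-PDU [0] }."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")          # OID + NULL
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)


def build_get_response(community: str, request_id: int, oid: str, value: bytes, error_status: int = 0) -> bytes:
    """GetResponse-PDU [2] carrying one OCTET STRING varbind (used for the constructed sample)."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x04, value))
    pdu = _tlv(0xA2, _int(request_id) + _int(error_status) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, end_position) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln


def parse_get_response(msg: bytes):
    """Return (request_id, error_status, [(oid, value_bytes), ...]) from a GetResponse."""
    tag, body, _ = _read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, p = _read_tlv(body)
    _, _community, p = _read_tlv(body, p)
    tag, pdu, _ = _read_tlv(body, p)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, p = _read_tlv(pdu)
    _, err, p = _read_tlv(pdu, p)
    _, _idx, p = _read_tlv(pdu, p)
    _, vbl, _ = _read_tlv(pdu, p)
    results, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid_body, r = _read_tlv(vb)
        _, val, _ = _read_tlv(vb, r)
        results.append((_decode_oid(oid_body), val))
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), results)


def probe(host: str, communities=CANDIDATES, port: int = 161, timeout: float = 2.0) -> dict:
    """Send a sysDescr.0 GetRequest per community; return {community: sysDescr} for the ones answered."""
    accepted = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for rid, comm in enumerate(communities, 1):
            s.sendto(build_get_request(comm, request_id=rid), (host, port))
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                continue                      # agents silently drop bad communities
            got_rid, err, vbs = parse_get_response(data)
            if got_rid == rid and err == 0 and vbs:
                accepted[comm] = vbs[0][1].decode(errors="replace")
    return accepted


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <host>  (host is the caller's choice; nothing is assumed here)
    for comm, descr in probe(sys.argv[1]).items():
        print(f"{comm!r} accepted: {descr}")
```

Agents usually drop requests with an unknown community without replying, so a timeout is the expected negative result; matching the request-id guards against a late reply to an earlier community being credited to the wrong one.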
According to another source, the community strings in the SNMP
implementation are not hidden at all but are readable in plain
text in the configuration file (this, however, has nothing to do
with the strings hidden in the binaries):
/etc/snmp/conf/snmp.conf
(there by default, or in another location when modified; snmpdx
should normally be started with the "-c /pathname/snmp.conf" option
to control which configuration file is used.) The relevant entries
are the strings assigned to:
system-group-read-community public
system-group-write-community private
read-community public
write-community private
It is recommended that these "passwords" be changed from their
default values (public/private above) to avoid compromise. Note
that this only addresses the configured strings: the community
strings compiled into the agent binaries are unaffected by the
configuration file, so changing snmp.conf is not a substitute for
the upgrade or for disabling the agent.
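A local audit combines the two findings above: the community strings embedded in the agent binaries (which configuration cannot remove) and the default strings left in the configuration file. The following is an added example, not code from the advisory or from Sun; the file paths in the main block are the ones the page names (mibiisa under /usr/lib/snmp is an assumption), and the sample configuration and the fake binary image are constructed inline for offline use.

```python
import sys
from pathlib import Path

# Strings the advisory reports as embedded in the agent binaries.
HIDDEN_COMMUNITIES = ("all private", "all public", "snmpd")
# Shipped defaults for the snmp.conf community keywords listed in the advisory.
DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_KEYS = ("system-group-read-community", "system-group-write-community",
                  "read-community", "write-community")


def find_hidden_communities(image: bytes) -> list:
    """Which of the known embedded community strings appear in a binary image."""
    return sorted(c for c in HIDDEN_COMMUNITIES if c.encode() in image)


def audit_snmp_conf(text: str) -> list:
    """Warn for each community keyword still set to a shipped default."""
    warnings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0], parts[1].strip()
        if key in COMMUNITY_KEYS and value in DEFAULT_COMMUNITIES:
            warnings.append(f"line {lineno}: {key} is still the default '{value}'")
    return warnings


def rc_script_enabled(rc_dir: str = "/etc/rc3.d") -> bool:
    """True if the S76snmpdx start link is still present (agent starts at boot)."""
    return (Path(rc_dir) / "S76snmpdx").exists()


# Constructed sample input: an snmp.conf at shipped defaults ...
SAMPLE_CONF = """\
# snmp.conf (constructed sample, not a real file)
system-group-read-community   public
system-group-write-community  private
read-community  public
write-community private
trap            localhost
"""

# ... the same file with the strings changed ...
HARDENED_CONF = SAMPLE_CONF.replace("public", "r0-Q7x").replace("private", "w-Z9kq")

# ... and a fake binary image carrying two of the embedded strings.
SAMPLE_IMAGE = b"\x7fELF\x00\x00\x01\x02mibiisa\x00all public\x00all private\x00\xff\xfe"


def audit_host(conf_path: str, binaries: list, rc_dir: str = "/etc/rc3.d") -> dict:
    """Run all three checks against real files on a Solaris host."""
    report = {"config": [], "binaries": {}, "starts_at_boot": rc_script_enabled(rc_dir)}
    conf = Path(conf_path)
    if conf.exists():
        report["config"] = audit_snmp_conf(conf.read_text(errors="replace"))
    for b in binaries:
        p = Path(b)
        if p.exists():
            report["binaries"][b] = find_hidden_communities(p.read_bytes())
    return report


if __name__ == "__main__":
    # Paths: snmp.conf as named by the advisory; agent binaries are assumed locations.
    report = audit_host("/etc/snmp/conf/snmp.conf",
                        ["/usr/lib/snmp/mibiisa", "/usr/lib/snmp/snmpdx"])
    for w in report["config"]:
        print("config:", w)
    for path, found in report["binaries"].items():
        print(f"{path}: embedded community strings {found or 'none'}")
    print("starts at boot:", report["starts_at_boot"])
    sys.exit(1 if report["config"] or any(report["binaries"].values()) else 0)
```

A non-empty list for a binary means the agent will accept that community regardless of what snmp.conf says; the only remediation the advisory gives for that case is the upgrade or disabling the agent.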
SOLUTION
Sun recommends that sites running Solaris 2.6 and sites running
SEA on Solaris 2.5.1 upgrade the SEA software to SEA 1.0.3. SEA
1.0.3 is bundled with Solaris 7. SEA 1.0.3 is available for
Solaris 2.6, 2.6_x86, 2.5.1, and 2.5.1_x86 and may be downloaded
from:
http://www.sun.com/solstice/products/ent.agents/
Sun also recommends that sites running SEA 1.0 on Solaris 2.4 and
2.5 either disable SEA (see the steps below) or upgrade the
operating system to Solaris 7 if possible. Sites upgrading to
Solaris 2.5.1 or 2.6 may obtain SEA 1.0.3 from the URL listed
above. Sun recommends that you disable SEA on vulnerable systems
until SEA 1.0.3 is installed. To disable SEA, stop the running
daemons and rename the rc3.d start script so that it is no longer
run at boot:
% su
Password:
# /etc/init.d/init.snmpdx stop
# mv /etc/rc3.d/S76snmpdx /etc/rc3.d/DISABLED_S76snmpdx