[Xpress] SNMP Vulnerability: FlexCheck and Connection Events Now Available!

From: ISS Customer Relations <bpq@iss.net>
To: customerconnect@iss.net, xpress@iss.net
Date: Tue, 12 Feb 2002 13:21:07 -0500

ISS X-Force has learned of a powerful SNMP attack tool that may be
circulating in the computer underground. This tool has the ability to
crash SNMP daemons and hardware devices running SNMP. The circulation of
this tool may lead to the widespread use of new exploits to crash or
compromise vulnerable systems. Nearly every operating system, router,
switch, cable or DSL modem, and firewall is shipped with an SNMP service.

This issue is relevant to products using SNMP v.1. CERT has stated that
over 100 vendors are vulnerable.

Please refer to the X-Force Alert at the following link for more details:

ISS Protection Solutions

Internet Scanner
- FlexCheck has been developed to detect all potentially vulnerable
SNMP v.1 networked devices. The FlexCheck is available now at:
- Additional assessment support will be added in an upcoming Internet
Scanner X-Press Update.

RealSecure Network Sensor
- The attack tool may trigger several different signatures. RealSecure
administrators should closely examine the following events if they are
detected by RealSecure:
o SNMP_Activity
o SNMP_Set
o SNMP_Community
- Connection events can be configured to detect SNMP attacks. Instructions
for configuring these connection events are included in the X-Force Alert:
- An X-Press Update for RealSecure Network Sensor will be released as
soon as possible that includes detection support for the various attacks
used in the attack tool. In an effort to provide the X-Press Update to
customers as quickly as possible, XPUs for different versions of Network
Sensor will be released as they are completed.

BlackICE Products
- BlackICE products may trigger several different signatures in
response to an SNMP attack using the PROTOS SNMP attack tool. BlackICE
users and administrators should closely examine the following events if
they are detected by BlackICE:
o SNMP community long
o SNMP sysName overflow
o SNMP Crack
o SNMP Port Probe
o SNMP Corrupt
o SNMP Backdoor
o SNMP SET sysContact
o SNMP discovery broadcast
o UDP Port Probe
- Detection support will also be added in a future update for
BlackICE products.
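The scanner probe described under Internet Scanner and the malformed-message events listed for RealSecure and BlackICE both come down to the same thing at the wire level: well-formed SNMPv1 (RFC 1157) BER on one side, and BER that a careless decoder mishandles on the other. The following is an added example, not ISS product code or the X-Force Alert's own logic. It builds the sysDescr.0 GetRequest a scanner would send to find SNMPv1 speakers, then runs a checker over constructed sample packets that flags an overlong community string, a SetRequest against sysContact.0, and several corrupt length encodings. The event names, the 32-byte community threshold, the nesting limit, and all sample packets are assumptions made for this demo.

```python
"""Minimal SNMPv1 (RFC 1157) BER encoder plus a checker for malformed messages.
Added example, not ISS product code; event names, thresholds and sample packets
are assumptions constructed for this demo."""

SEQUENCE, INTEGER, OCTET_STRING, NULL, OID = 0x30, 0x02, 0x04, 0x05, 0x06
GET_REQUEST, SET_REQUEST = 0xA0, 0xA3   # SNMPv1 PDU tags
CONSTRUCTED = 0x20                      # BER tag bit: value holds nested TLVs
MAX_COMMUNITY_LEN = 32                  # assumed "community long" threshold
MAX_DEPTH = 8                           # assumed nesting limit

def ber_length(n):
    """Definite-form BER length, shortest encoding."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body

def encode_int(n):
    """Non-negative INTEGER; prepend 0x00 if the top bit would read as a sign."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return tlv(INTEGER, (b"\x00" if body[0] & 0x80 else b"") + body)

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])   # first two arcs share a byte
    for arc in parts[2:]:
        chunk = [arc & 0x7F]                       # base 128, high bit = more
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return tlv(OID, bytes(out))

def build_request(community, oid, pdu_type=GET_REQUEST, value=tlv(NULL, b""), request_id=1):
    """SEQUENCE { version 0, community, PDU { id, error-status, error-index, varbinds } }."""
    varbinds = tlv(SEQUENCE, tlv(SEQUENCE, encode_oid(oid) + value))
    pdu = tlv(pdu_type, encode_int(request_id) + encode_int(0) + encode_int(0) + varbinds)
    return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)

def read_tlv(buf, pos, end):
    """Parse one TLV within buf[pos:end] -> (tag, value_start, value_end).
    Rejects length tricks a fuzzer sends: indefinite form, huge length fields,
    lengths running past the buffer."""
    if pos + 2 > end:
        raise ValueError("truncated header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length")
    else:
        nbytes = first & 0x7F
        if nbytes > 4 or pos + nbytes > end:
            raise ValueError("bad length field")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > end:
        raise ValueError("length exceeds packet")
    return tag, pos, pos + length

def validate_tree(buf, start, end, depth=0):
    """Every byte of buf[start:end] must belong to a well-formed TLV."""
    if depth > MAX_DEPTH:
        raise ValueError("nesting too deep")
    pos = start
    while pos < end:
        tag, vstart, pos = read_tlv(buf, pos, end)
        if tag & CONSTRUCTED:
            validate_tree(buf, vstart, pos, depth + 1)

def inspect_snmp(packet):
    """Events one UDP payload would raise; [] means it parses as ordinary SNMPv1."""
    try:
        tag, body, end = read_tlv(packet, 0, len(packet))
        if tag != SEQUENCE or end != len(packet):
            raise ValueError("not a single SEQUENCE")
        validate_tree(packet, body, end)
        vtag, vstart, vend = read_tlv(packet, body, end)
        ctag, cstart, cend = read_tlv(packet, vend, end)
        ptag, _, pend = read_tlv(packet, cend, end)
        if vtag != INTEGER or ctag != OCTET_STRING or pend != end:
            raise ValueError("fields out of order")
    except ValueError as exc:
        return ["SNMP_Corrupt(%s)" % exc]
    events = []
    if packet[vstart:vend] != b"\x00":
        events.append("SNMP_NotV1")          # version field is not 0 (SNMPv1)
    if cend - cstart > MAX_COMMUNITY_LEN:
        events.append("SNMP_CommunityLong")
    if ptag == SET_REQUEST:
        events.append("SNMP_Set")            # writes to the MIB deserve a look
    return events

def run_demo():
    """Constructed sample traffic: one benign scanner probe plus malformed variants."""
    benign = build_request("public", "1.3.6.1.2.1.1.1.0")   # sysDescr.0 GetRequest
    samples = {
        "scanner_probe": benign,
        "community_long": build_request("A" * 100, "1.3.6.1.2.1.1.1.0"),
        "set_sysContact": build_request("private", "1.3.6.1.2.1.1.4.0",
                                        SET_REQUEST, tlv(OCTET_STRING, b"x")),
        "truncated": benign[:-5],
        "indefinite_length": bytes([SEQUENCE, 0x80]) + benign[2:] + b"\x00\x00",
        "oversized_length": bytes([SEQUENCE, 0x85, 0, 0, 0, 0, benign[1]]) + benign[2:],
    }
    return {name: inspect_snmp(pkt) for name, pkt in samples.items()}
```

Calling run_demo() returns an empty event list for the benign probe and one named event for each malformed sample. The point of validate_tree is the one that matters for the crashes described above: a decoder that trusts the length octets and walks past the end of the datagram is exactly what malformed SNMP input exercises, so a sensor should reject any message whose lengths do not tile the packet before it looks at community strings or PDU types at all. Thresholds such as MAX_COMMUNITY_LEN are site policy, not protocol limits, and should be tuned against the community strings actually in use.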

Xpress mailing list