ATMSNMPD Vulnerable but not Addressed

From: Ross Coppage (coppager@scott.disa.mil)
Date: 05/13/02


Date: 13 May 2002 15:55:22 -0000
From: Ross Coppage <coppager@scott.disa.mil>
To: bugtraq@securityfocus.com


('binary' encoding is not supported, stored as-is)

ATMSNMPD vulnerable???? Yep! I am challenging anyone out
there to find information on line stating that Sun's
ATMSNMPD is vulnerable to attack. As of today May 13 2002
there is no information identifying this fact. If you are
running SunATM 4.0 or 5.0 and have not added the patches
below you are vulnerable to attack. Is there sun
documentation identifying the vulnerability and the urgent
need to implement the patch? As of today there is not.
Sun still has not publicly released this info. Why I don't
know. I had to research the heck out of this to get this
answer. See below for more info.
Patches:
107915-13: SunATM 4.0 Update1: bug fixes
109039-09: SunATM 5.0: bug fixes

(SEE BELOW FOR DETAILS)

-----Original Message-----
From: Dave Ahmad [mailto:da@securityfocus.com]
Sent: Wednesday, May 08, 2002 10:44 AM
To: Coppage, Ross
Subject: Re: Suns ATMSNMPD Vulnerable -Not identified

Hi Ross,

Thanks for the information, but do you have the patch IDs?
Could you
include that in a new message to the list?

Dave Ahmad
SecurityFocus
www.securityfocus.com

On Wed, 8 May 2002, Coppage, Ross wrote:

>
> I have been researching the suns ATMSNMPD which is part
of the Sun ATM card
> installation. Suns recent information addressing SNMP
security issues does
> not mention ATMSNMPD. All CERT advisory and other sites
fail to mention it
> as well. Sun has a patch but does not advertise this as
being vulnerable.
> Unless you happen to apply the ATM patch you are
potentially vulnerable to
> the attack. ATMSNMPD should be included in suns security
documentation
> addressing SNMP. Additionally it should be included in
the IAVA information
> released by the Government. Sun engineers did
acknowledge that it is
> vulnerable and should be patched. If you don't have the
very latest patches
> you are vulnerable. No security information ties the
patch to a
> vulnerability. This needs to be identified and
associated with other recent
> SNMP vulnerabilities. I only found this out after a
couple weeks of
> research. Steven Northcut at SANS.org researched and
also found no information
> associating ATMSNMPD with the recent vulnerabilities.
>
> If you follow (Suns) vendor security guidelines and
alerts you would never
> find out about ATMSNMPDs vulnerability and or necessary
patch. I am sure
> there are countless unpatched, vulnerable ATM cards out
there. This is just
> a friendly heads up.
>
> Regards,
>
> Ross
>
> SNMP Vulnerability links:
> http://www.cert.org/advisories/CA-2002-03.html
> http://www.kb.cert.org/vuls/id/854306
>
>
>
> Ross Coppage, MCSE
> UNIX System Administrator
> International Consultants Inc.
> DISA-CONUS
> (618) 229-8877
> coppager@scott.disa.mil
>
> "No amount of ability is of the slightest avail without
honor."
> Andrew Carnegie
>
>
>

Ross Coppage, MCSE
UNIX System Administrator
International Consultants Inc.
DISA-CONUS
(618) 229-8877
coppager@scott.disa.mil

"No amount of ability is of the slightest avail without
honor."
Andrew Carnegie