SUMMARY
=======

SNMP agents supplied by nCipher, as well as those required to run other nCipher SNMP support software, could be vulnerable to buffer overflow attacks including denial of service and privilege elevation.

BACKGROUND
==========

nCipher supplies a range of Hardware Security Modules (HSMs) and a range of cryptographic accelerators. These modules have the ability to return statistics about current operational conditions (running temperature, free memory, etc.) as well as information about the number of commands processed and various other parameters.

To facilitate remote monitoring of nCipher-supplied modules, nCipher supplies an SNMP agent and SNMP support software that can be installed on the host system, if required. The SNMP agent is able to return management information and statistics for all modules connected to that server.

The software supplied with the nShield, nForce and some nFast modules is a self-contained SNMP agent. The newer nFast 800 range comes with support software that is installed alongside the standard operating system SNMP agent.

ISSUE DESCRIPTION
=================

1. Cause
--------

A recent CERT advisory highlighted research by the Oulu University Secure Programming Group (OUSPG) showing that various vulnerabilities exist in many SNMP implementations from many different vendors. The SNMP agent used as the basis for customisation of the nCipher SNMP agent is the NET-SNMP agent version 4.2.1. The NET-SNMP programming group claim that the vulnerabilities are fixed in the current version (4.2.3, at the time of writing).
An inspection of the code and change log between this version and the current version at the time of writing (4.2.3) shows that the following vulnerabilities have been fixed:

* Buffer overflow in the ASN.1 handling code
* Buffer overflow in the incoming packet handling code
* Various buffer overflows in logging code
* Lack of error checking in the command-line parser that determines which user/group the agent runs as
* Various memory leaks in the main agent code.

In addition, the SNMP agents that the nFast 800 support software require for correct operation may also be vulnerable to the problems highlighted by CERT:

* on Linux and Solaris systems the agent used is a pre-packaged version of the NET-SNMP agent, which is vulnerable as described above.
* on Windows systems the agent used is the Microsoft SNMP agent. Microsoft has released a security advisory of their own highlighting the vulnerabilities in their agent and providing a patch.

2. Impact
---------

An attacker who is able to send malformed SNMP packets to an affected machine may be able to cause a denial-of-service or execute arbitrary code with the same privileges as the SNMP agent.

In addition, anyone who can alter the SNMP agent startup script on the server may be able to modify the user that the SNMP agent is running as and cause a denial-of-service or privilege elevation. The default nCipher installation allows only root or local administrator users to edit the SNMP agent startup script.

Note that these vulnerabilities only affect the host the SNMP agent is running on, and not the HSM. The security of the HSM is unaffected. However, the ability to execute code as a user of the server may enable greater access to security information than would otherwise be available.

3. Who May Be Affected
----------------------

This problem affects users:

* that are using nForce, nShield or nFast modules (excluding the nFast 800) and are running an unpatched version of the nCipher SNMP agent
* that are using nFast 800 modules on Linux or Solaris and have installed the nCipher SNMP support software alongside a NET-SNMP version older than 4.2.2
* that are using nFast 800 modules on Windows and have installed the nCipher SNMP support software alongside an unpatched version of the Microsoft SNMP agent.

This problem does not affect users:

* that have installed the software from the nCipher CD but not run the post-install step to set up the nCipher SNMP agent. The nCipher SNMP agent does not run by default, needing further configuration and setup
* that are using nFast 800 modules and have installed the nCipher SNMP support software alongside a new version of the appropriate SNMP agent supplied by the OS vendor.

4. How To Tell If You Are Affected
----------------------------------

If you are using an nShield, nForce or nFast module (excluding the nFast 800) and running the nCipher SNMP agent:

* from the server the agent is running on: type 'snmpd -v'. If the NET-SNMP version number reported is less than 4.2.2, you are affected
* from a client machine: request the value of the enterprises.nCipher.agentVersion.0 node. If the nCipher version number is less than 0.1.39, you are affected. As an example, you can do this with the NET-SNMP command-line tools by running 'snmpget <host name> <community string> agentVersion.0'.

If you are using an nFast 800 and running the nCipher SNMP support software on a Linux or Solaris server:

* from the server the agent is running on: type 'snmpd -v'. If the NET-SNMP version number reported is less than 4.2.2, you are affected
* request the version of the UCD-SNMP or NET-SNMP installation from the package manager; if you are running a version less than 4.2.2 you are affected.
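The two version checks described above (NET-SNMP older than 4.2.2, nCipher agentVersion older than 0.1.39) as a small script that parses the tool output and compares the versions as numeric tuples rather than strings. This is an added example, not code from the advisory or from nCipher; it assumes that 'snmpd -v' prints a 'UCD-net-snmp version:' (or 'NET-SNMP version:') banner line and that snmpget renders agentVersion.0 as a dotted string, and the sample outputs are constructed.

```python
import re

# Fixed-version thresholds stated in the advisory.
NETSNMP_FIXED = (4, 2, 2)   # NET-SNMP below this is affected
NCIPHER_FIXED = (0, 1, 39)  # nCipher agentVersion below this is affected

# Constructed sample outputs (not captured from a real system).
SAMPLE_SNMPD_V = "UCD-net-snmp version:  4.2.1\n"
SAMPLE_SNMPGET = 'enterprises.nCipher.agentVersion.0 = "0.1.38"\n'


def parse_version(text):
    """Turn '4.2.10' into (4, 2, 10) so that 4.2.10 ranks above 4.2.2
    (a plain string comparison would wrongly rank '4.2.10' below '4.2.2')."""
    return tuple(int(part) for part in text.strip().strip(".").split("."))


def netsnmp_version_from_snmpd(output):
    """Extract the NET-SNMP version from 'snmpd -v' output.
    Assumption: the banner contains 'UCD-net-snmp version:' (4.x) or 'NET-SNMP version:'."""
    m = re.search(r"(?:UCD-net-snmp|NET-SNMP) version:\s*([0-9][0-9.]*)", output, re.IGNORECASE)
    if not m:
        raise ValueError("no NET-SNMP version banner found in snmpd -v output")
    return parse_version(m.group(1))


def agent_version_from_snmpget(output):
    """Extract the nCipher agent version from an snmpget of agentVersion.0.
    Assumption: the value is printed as a (possibly quoted) dotted string."""
    m = re.search(r'agentVersion\.0\s*=\s*(?:STRING:\s*)?"?([0-9][0-9.]*)"?', output)
    if not m:
        raise ValueError("no agentVersion.0 value found in snmpget output")
    return parse_version(m.group(1))


def netsnmp_affected(version):
    """True if this NET-SNMP version predates the fixed release named in the advisory."""
    return version < NETSNMP_FIXED


def ncipher_agent_affected(version):
    """True if this nCipher SNMP agent version predates the patched agent."""
    return version < NCIPHER_FIXED


if __name__ == "__main__":
    v = netsnmp_version_from_snmpd(SAMPLE_SNMPD_V)
    a = agent_version_from_snmpget(SAMPLE_SNMPGET)
    print("NET-SNMP %s: %s" % (".".join(map(str, v)), "affected" if netsnmp_affected(v) else "ok"))
    print("nCipher agent %s: %s" % (".".join(map(str, a)), "affected" if ncipher_agent_affected(a) else "ok"))
```

Feed the real output of 'snmpd -v' and of the snmpget shown above into the two parsing functions; the tuple comparison also copes with the package-manager version strings mentioned in the Linux/Solaris check.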
If you are using an nFast 800 and running the nCipher SNMP support software on a Windows 2000 server:

* If you are running the SNMP agent on Windows 2000 and have not installed the patch available from Microsoft Security Bulletin MS02-006 you may be vulnerable.

REMEDY
======

1. Users running the nCipher SNMP agent:
----------------------------------------

nCipher has upgraded its SNMP agent to version 4.2.3 of the NET-SNMP agent, which fixes the vulnerabilities outlined here.

* Obtain the latest version of the SNMP agent for your operating system by following the links on http://www.ncipher.com/support/advisories/
* Follow the install instructions supplied in Appendix C of the user guide (also available from the above link). The patch includes a new version of the nCipher SNMP component that will install over the top of the original.

2. Users running the nCipher SNMP support software (nFast 800 only):
-------------------------------------------------------------------

Customers using the nCipher SNMP support software must ensure that their operating system has a suitably new version of the SNMP agent software installed. If the server is running Linux or Solaris, a release updating the NET-SNMP software to version 4.2.3 should be available from the vendor. If the server is running Windows 2000, a patch from Microsoft is available from http://www.microsoft.com/technet/security/bulletin/MS02-006.asp. If you have not applied this patch, Microsoft advises customers to disable the SNMP service.

SECURITY USAGE NOTES
====================

We reproduce here some information from the User Guide, concerning recommended security practices:

The nCipher SNMP Agent enables other computers on the network to connect to it and make requests for information. The nCipher agent is based on the NET-SNMP kit, which has been tested but not fully reviewed by nCipher.
nCipher strongly recommends that the nCipher agent is deployed only on a private network, or protected from the global Internet by an appropriate firewall.

SOFTWARE DISTRIBUTION AND REFERENCES
====================================

You can obtain copies of this advisory, patch kits for all nCipher supported platforms, and supporting documentation, from the nCipher updates site: http://www.ncipher.com/support/advisories/

Further information
-------------------

The CERT advisory on vulnerabilities of multiple implementations of the SNMP protocol: http://www.cert.org/advisories/CA-2002-03.html

The NET-SNMP project pages: http://www.net-snmp.org/

Microsoft Security Bulletin MS02-006, with details of the patch: http://www.microsoft.com/technet/security/bulletin/MS02-006.asp

Solaris Users: Sun Microsystems SunSolve Home Page: http://sunsolve.sun.com/

General information about nCipher products: http://www.ncipher.com/

nCipher Support
---------------

nCipher customers who require support or further information regarding this problem should contact support@ncipher.com.

(c) nCipher Corporation Ltd. 2002

$Id: advisory2.txt,v 1.6 2002/02/26 17:06:44 james Exp $