Declaration regarding CERT Advisory CA-2002-03 Vulnerabilities in SNMPv1 Request Handling


Ericsson AB has performed tests on the Erlang/OTP SNMP agent
to reveal any applicable issues. Our findings regarding the recent
CERT advisory are as follows:

CERT Advisory CA-2002-03
VU#854306 - Multiple Vulnerabilities in SNMPv1 Request Handling:

We have tested OTP's SNMP agent using the CERT tool
(some 30.000 cases with mostly malformed ASN.1 PDUs).
No security issues were found, and the agent did not
waste resources during the test.

This applies to the OTP SNMP agent in OTP R3, R6, R7 and R8.

It is the user's responsibility to handle the call-back functions
in the module snmp_error in an appropriate way; the default
implementation should be regarded as an example.
Depending on how the user's system (where the SNMP agent executes)
is configured, the default error logging might cause problems. The
main thing for the user to consider is reducing the volume of
data logged.
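
One way to keep the volume of logged data bounded, as an added example that is not Ericsson's or OTP's code: a hypothetical module `throttled_snmp_error` offering the same two callbacks. The callback names `config_err/2` and `user_err/2` are taken from the OTP SNMP documentation rather than from this page, the limits are constructed values, and how the agent is made to call the module depends on the OTP release.

```erlang
%% Added example: hypothetical module name, constructed limits; not OTP code.
-module(throttled_snmp_error).
-export([config_err/2, user_err/2]).

-define(TAB, snmp_error_throttle).
-define(WINDOW_S, 10).        % length of one counting window, seconds
-define(MAX_PER_WINDOW, 20).  % reports logged per kind and window
-define(MAX_CHARS, 512).      % longest report text written to the log

config_err(Format, Args) -> report(config, Format, Args).
user_err(Format, Args)   -> report(user, Format, Args).

report(Kind, Format, Args) ->
    ensure_table(),
    Window = erlang:system_time(second) div ?WINDOW_S,
    Key = {Kind, Window},
    case ets:update_counter(?TAB, Key, 1, {Key, 0}) of
        1 ->
            %% First report in a new window: drop counters of older windows.
            ets:select_delete(?TAB, [{{{Kind, '$1'}, '_'}, [{'<', '$1', Window}], [true]}]),
            log(Kind, Format, Args);
        N when N =< ?MAX_PER_WINDOW ->
            log(Kind, Format, Args);
        N when N =:= ?MAX_PER_WINDOW + 1 ->
            %% One marker line, then silence until the next window.
            error_logger:error_msg("SNMP ~w errors: limit reached, suppressing~n", [Kind]);
        _ ->
            ok
    end,
    ok.

%% Format defensively and cap the length, so one report cannot flood the log.
log(Kind, Format, Args) ->
    Text = try lists:flatten(io_lib:format(Format, Args))
           catch error:_ -> "unformattable error report"
           end,
    error_logger:error_msg("SNMP ~w error: ~ts~n", [Kind, lists:sublist(Text, ?MAX_CHARS)]).

%% Create the counter table on first use.
ensure_table() ->
    case ets:info(?TAB, name) of
        undefined ->
            try ets:new(?TAB, [named_table, public, set]) of _ -> ok
            catch error:badarg -> ok   % another process created it first
            end;
        _ ->
            ok
    end.
```

The table belongs to whichever process reports the first error; if that process exits, the counters restart, so a long-lived process should create the table where that matters.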

However, a couple of bugs were found in OTP R6, R7 and R8: in some of
the corner cases the packets were silently dropped
but the snmpInASNParseErrs counter was not incremented.
We have corrected this in:

  • patch erl_353 for OTP R7
  • patch erl_355 for OTP R8
  • patch erl_356 for OTP R6


Ericsson AB 2002-03-07
/Kenneth Lundin (Product Manager for Erlang/OTP)

Updated: 2002-03-07