FAQ
As I have done a bit of networking and set up stuff to monitor equipment
with SNMP I will confirm that SNMP uses a port that the snmpd or
equivalent listens to and then passes the request to the appropriate
process depending on what is registered with the snmpd. This is usually
done on unix if I remember using /etc/.snmp/conf. If really interested
start looking in man snmpd

Yes Oracle itself may not be vunerable but depending on the OS and system
patches snmpd on that system may be vunerable so if your network engineers
that did your firewalling are less than you hoped for you probably will
have trouble. If your firewall is sound then I cant see this being a
problem. your biggest worry in any site is the perimeter router as it
nearly always has SNMP turned on for monitoring purposes and tools such as
HP Openview to manage these. and you will have snmp open over the
firewall between this router and the monitoring station /Openview system.
Good firewall rules should protect you, but that is for your network
engineers to decide.

HTH

Cheers

--
=================================================
Peter McLarty E-mail: Peter.Mclarty_at_mincom.com
Technical Consultant WWW: http://www.mincom.com
APAC Technical Services Phone: +61 (0)7 3303 3461
Brisbane, Australia Mobile: +61 (0)402 094 238
Facsimile: +61 (0)7 3303 3048
=================================================
A great pleasure in life is doing what people say you cannot do.

- Walter Bagehot (1826-1877 British Economist)
=================================================
Mincom "The People, The Experience, The Vision"

=================================================

dgoulet_at_vicr.com
Sent by: root_at_fatcity.com
15/02/2002 08:41 AM
Please respond to ORACLE-L

To: Multiple recipients of list ORACLE-L
cc:
Fax to:
Subject: Re[2]: [sans_at_sans.org: SANS FLASH ALERT: Widespread SNMP Vul

Ray,

No, but I do have a SA who believes that to be true. I'll try to
explain it
as he did.

The DBSNMP agent registers a MIB with the snmp agent. It is the snmp
agent
that has the interface to the world. As he put it, it's not the back end
that
has the problem, but the front end that faces the network, namely the snmp
agent.

As to your nervousness, our facilities folks are using the back of my
chair
as a paint shaker.

Dick Goulet

____________________Reply Separator____________________
Author: Ray Stell
Date: 2/14/2002 12:18 PM

Dick, does this mean that you have firsthand knowledge that
the oracle's snmp code is free from the underlying vulnerabilities?
There was no mention of Oracle in the advisory. This could mean
that they did not respond or they are not vulnerable.

I posted to the Oracle Networking Technical Forum yesterday on this
issue, but there has been no Oracle Corp response. You can search
for SNMP to follow their response.

Joan, Dick is certainly correct here with respect to the the system snmp
agent. The sysadmins need to address this by either patching or disabling
snmpd. However, unless Oracle confirms they did not use the old flawed
code,
I don't see any reason to assume their product is not vulnerable. Until
they do, I will:

1) be nervous,
2) bug oracle corp,
3) confirm ip filter rules,
4) study dbsnmp
On Thu, Feb 14, 2002 at 09:53:37AM -0800, dgoulet_at_vicr.com wrote:
Joan,

The Oracle intelligent agent which uses dbsnmp is not the problem
here.
The
real problem is the snmp agent that is running on the computer and owned by
root. Therefore your SA needs to do something, not you.

Dick Goulet

____________________Reply Separator____________________
Author: Joan Hsieh
Date: 2/14/2002 7:48 AM

Hi Ray,

We use dbsnmp on the production server. How it will affect us? Our
system people sent us the same article to us and very concerned the
security.

Joan

Ray Stell wrote:
Oracle does not seem to be listed, but you got to wonder what code
they based their snmp stuff on. You may want to nudge you sysadmin
in the ribs, also.

----- Forwarded message from The SANS Institute -----

Date: Tue, 12 Feb 2002 12:30:06 -0700 (MST)
To: Ray Stell (SD569668)

SANS FLASH ALERT: Widespread SNMP Vulnerability
1:30 PM EST 12 February, 2002

To: Ray Stell (SD569668)

Note: This is preliminary data! If you have additional information,
please send it to us at snmp_at_sans.org

In a few minutes wire services and other news sources will begin
breaking a story about widespread vulnerabilities in SNMP (Simple
Network Management Protocol). Exploits of the vulnerability cause
systems to fail or to be taken over. The vulnerability can be found
in
more than a hundred manufacturers' systems and is very widespread -
millions of routers and other systems are involved.

As one of the SANS alumni, your leadership is needed in making sure
that
all systems for which you have any responsibility are protected. To do
that, first ensure that SNMP is turned off. If you absolutely must run
SNMP, get the patch from your hardware or software vendor. They are
all
working on patches right now. It also makes sense for you to filter
traffic destined for SNMP ports (assuming the system doing the
filtering
is patched).

To block SNMP access, block traffic to ports 161 and 162 for tcp and
udp. In addition, if you are using Cisco, block udp for port 1993.

The problems were caused by programming errors that have been in the
SNMP implementations for a long time, but only recently discovered.

CERT/CC is taking the lead on the process of getting the vendors to
get
their patches out. Additional information is posted at
http://www.cert.org/advisories/CA-2002-03.html

A final note.

Turning off SNMP was one of the strong recommendations in the Top 20
Internet Security Threats that the FBI's NIPC and SANS and the Federal
CIO Council issued on October 1, 2001. If you didn't take that action
then, now might be a good time to correct the rest of the top 20 as
well
as the SNMP problem. The Top 20 document is posted at
http://www.sans.org/top20.htm

----- End forwarded message -----

--
===============================================================
Ray Stell stellr_at_vt.edu (540) 231-4109 KE4TJC 28^D
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Ray Stell
INET: stellr_at_cns.vt.edu

Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Joan Hsieh
INET: joan.hsieh_at_tufts.edu

Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author:
INET: dgoulet_at_vicr.com

Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
--
===============================================================
Ray Stell stellr_at_vt.edu (540) 231-4109 KE4TJC 28^D
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Ray Stell
INET: stellr_at_cns.vt.edu

Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author:
INET: dgoulet_at_vicr.com

Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).

--
This transmission is for the intended addressee only and is confidential information.
If you have received this transmission in error, please delete it and notify the
sender. The contents of this e-mail are the opinion of the writer only and are not
endorsed by the Mincom Group of companies unless expressly stated otherwise.

--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author:
INET: Peter.McLarty_at_mincom.com

Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).

Search Discussions

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
grouporacle-l @
categoriesoracle
postedFeb 15, '02 at 12:27a
activeFeb 15, '02 at 12:27a
posts1
users1
websiteoracle.com

1 user in discussion

Peter.McLarty_at_mincom.com: 1 post

People

Translate

site design / logo © 2022 Grokbase