SNMPv1 Vulnerabilities of SystemWalker/StorageMGR May 15th, 2002
This bulletin provides security information about issues reported to CERT/CC, the coordination center, or detected by Fujitsu's own examination, as of the published date.
Products developed by third parties may be included as subject products. Information about such third party products may be exactly the same as provided by the respective third party.
The contents of this bulletin are provided "AS IS" without warranties of any kind, either express or implied (including, without limitation, any implied warranty of merchantability, fitness for a particular purpose and non-infringement). In no event shall Fujitsu be liable for any direct, indirect, special, incidental, consequential, punitive, or any other damages of any kind, including, without limitation, loss of profits and loss of data incurred by a customer arising out of, or in connection with, the use or non-use of any information in this bulletin, even if Fujitsu has been advised of the possibility of such damages.
The information contained in this bulletin will be updated from time to time without notice. Therefore, all customers are advised to always ascertain the latest information. In case of redistribution of this security bulletin, the full text of this statement shall be reproduced.
| [Outline] | |
|---|---|
| Problem | Multiple vulnerabilities in the SNMPv1 implementation. |
| Manufacturer | Fujitsu Limited |
| Corresponding products | SystemWalker/StorageMGR-M 5.1 EE (Compatible OS: Solaris); SystemWalker/StorageMGR-M 10.0 SE/EE (Compatible OS: Solaris, Windows NT/2000) |
| Corresponding system | GP7000F, PRIMEPOWER, GP-S, PRIMERGY, GP5000 |
| Impact | System administrator privileges could be gained by unauthorized users. |
| Method to temporarily avoid the problem | See 4. |
| Patch | Existing. |
1. Background
According to CERT Advisory CA-2002-03, multiple vulnerabilities in the SNMPv1 implementation have previously been reported. In SystemWalker/StorageMGR, a security problem was found in the processing of received SNMP traps.
This problem may allow unauthorized users to gain system administrator privileges.
2. Range of corresponding system(s)
| Corresponding command/file | Products | Target OS |
|---|---|---|
| /opt/FJSVswstt/lib/libmpsnmp.so | SystemWalker/StorageMGR-M | Solaris 2.6/ 7/ 8 |
| Installation path/StorageMGR/mpwksttr/mpsnmp.dll | SystemWalker/StorageMGR-M | Windows NT 4.0/ 2000 |
3. Detected problem(s)
A security problem in the processing of received SNMP traps may allow unauthorized users to gain system administrator privileges.
4. Method to temporarily avoid the problem
- Target OS: Solaris
  Execute the following command on Operation Management Server.
  # /opt/FJSVswstt/bin/mpnm-trapd stop
- Target OS: Windows
  Stop the following service.
  Service name: SystemWalker MpWksttr

After this, the following function is unavailable:
Monitoring the failures of SAN devices.
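
An added example, not part of the Fujitsu bulletin: a shell check that the workaround in section 4 actually took the trap receiver off the network, by parsing `netstat -an` output. It assumes the receiver listens on the standard SNMP trap port (UDP 162); the function names and the sample netstat excerpt are constructed for illustration, and only the Solaris library path from section 2 is checked.

```shell
# Added example (not Fujitsu code): confirm the section 4 workaround took effect.
# Assumption: the trap receiver uses the standard SNMP trap port, UDP 162.
TRAP_PORT=162
LIB_PATH=/opt/FJSVswstt/lib/libmpsnmp.so   # affected Solaris library (section 2)

# Reads `netstat -an` output on stdin; returns 0 if a UDP socket is bound to
# TRAP_PORT. Handles the Solaris layout ("UDP: IPv4" heading, "*.162 ... Idle")
# and the Windows layout ("UDP  0.0.0.0:162  *:*"). Needs a POSIX awk
# (on Solaris: nawk or /usr/xpg4/bin/awk).
trap_port_bound() {
    awk -v port="$TRAP_PORT" '
        /^[A-Z]+: /  { in_udp = ($1 == "UDP:"); next }
        $1 == "UDP"  { addr = $2 }
        $1 != "UDP"  { addr = in_udp ? $1 : "" }
        addr ~ ("[.:]" port "$") { found = 1 }
        END { exit !found }
    '
}

# Prints not-installed | receiver-listening | receiver-stopped.
# $1 = filesystem root to inspect (default /); netstat output on stdin.
# Says nothing about patch level: a patched host also reports receiver-listening.
workaround_status() {
    root=${1:-/}
    if [ ! -f "${root%/}$LIB_PATH" ]; then
        echo not-installed
    elif trap_port_bound; then
        echo receiver-listening
    else
        echo receiver-stopped
    fi
}

# Constructed sample: Solaris `netstat -an` excerpt with the receiver still up.
sample_netstat() {
    cat <<'EOF'
UDP: IPv4
   Local Address         Remote Address      State
-------------------- -------------------- ----------
      *.162                                 Idle
      *.111                                 Idle
TCP: IPv4
      *.22                 *.*                0      0 49152      0 LISTEN
EOF
}

# Demo on the sample; on a real host: netstat -an | workaround_status /
sample_netstat | trap_port_bound && echo "UDP/$TRAP_PORT bound: trap receiver running"
```

A result of receiver-stopped after running the stop command confirms the workaround; receiver-listening on an unpatched host means traps are still being accepted.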
5. Patch information
| Products | Target OS | Package name | Package ID. |
|---|---|---|---|
| SystemWalker/StorageMGR-M 10.0 SE | Solaris | FJSVswstt | 911827G-02 |
| SystemWalker/StorageMGR-M 10.0 EE | Solaris | FJSVswstt | 911827G-02 |
| SystemWalker/StorageMGR-M EE V10.0 for Windows V10.0L10 | Windows | FJSVswstt | TP04388G |
| SystemWalker/StorageMGR-M SE V10.0 for Windows V10.0L10 | Windows | FJSVswstt | TP04388G |
To obtain the patches, please contact a Fujitsu system engineer.
6. Revision history
- May 13th, 2002
  - In "5. Patch information", changed the Patch ID of the following products.
  - The reason for revision:
    In addition to the fix for the security vulnerability, a strict check for violations of the protocol had been applied. As a result, traps from specific devices were processed as reception errors, so a modification was made so that trap reception is carried out correctly.
  - Changed Products for Windows.
    - SystemWalker/StorageMGR-M EE V10.0 for Windows to
      SystemWalker/StorageMGR-M EE V10.0 for Windows V10.0L10
    - SystemWalker/StorageMGR-M SE V10.0 for Windows to
      SystemWalker/StorageMGR-M SE V10.0 for Windows V10.0L10
- Mar 13th, 2002
  - Added "5. Patch information"
  - Patch: Existing
  - Added "Affect on system operation" to 4.
- Feb 22nd, 2002: Initial release