
Update Protection against Net-SNMP Denial of Service


Check Point Reference: CPAI-2009-043
Date Published:
Severity:
Source: SecurityFocus
Industry Reference(s): CVE-2008-4309
Protection Provided by: IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
net-analyzer/net-snmp 5.4.2.1
Vulnerability Description
Net-SNMP is a suite of applications used to implement SNMP v1, SNMP v2c and SNMP v3. Net-SNMP is available for many Unix and Unix-like operating systems and also for Microsoft Windows. Net-SNMP is vulnerable to a denial of service that can be triggered by sending a specially crafted SNMP GETBULK request; a remote attacker could exploit this vulnerability to cause the application to crash.
Update/Patch Available
Upgrade to the latest version of Net-SNMP available from the Net-SNMP Web page at http://net-snmp.sourceforge.net/.
Vulnerability Details
The vulnerability is caused by an integer overflow in the netsnmp_create_subtree_cache() function.

Protection Overview
By enabling this protection, IPS-1 will detect and block SNMP GET BULK PDUs with a number of max repeaters over a configurable threshold. The threshold can be set by setting the value of 'SNMP GetBulk Maximum MaxRepeaters'.
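As an added example (not Check Point's or Net-SNMP's code), the following Python decodes an SNMPv2c GetBulkRequest PDU and applies the same kind of threshold check to its max-repetitions field; the BER helpers, function names and the constructed sample message are assumptions made for the demonstration.

```python
# Added example (not Check Point or Net-SNMP code): decode an SNMPv2c
# GetBulkRequest PDU and flag one whose max-repetitions exceeds a configurable
# threshold, mirroring the 'SNMP GetBulk Maximum MaxRepeaters' check.

def _read_tlv(buf, pos):
    """Read one BER TLV (short or long length form); return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = byte count of length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _read_int(value):
    return int.from_bytes(value, "big", signed=True)   # BER INTEGER is two's complement

def parse_getbulk(msg):
    """Return (community, request_id, non_repeaters, max_repetitions), or None
    when msg is not an SNMPv2c GetBulkRequest (PDU tag 0xA5)."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        return None
    vtag, version, pos = _read_tlv(body, 0)
    ctag, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    if vtag != 0x02 or _read_int(version) != 1 or ctag != 0x04 or pdu_tag != 0xA5:
        return None
    fields, pos = [], 0
    for _ in range(3):                     # request-id, non-repeaters, max-repetitions
        itag, v, pos = _read_tlv(pdu, pos)
        if itag != 0x02:
            return None
        fields.append(_read_int(v))
    return (community.decode("latin-1"), *fields)

def excessive_max_repeaters(msg, threshold):
    """True when the GetBulk PDU's max-repetitions is above the configured threshold."""
    parsed = parse_getbulk(msg)
    return parsed is not None and parsed[3] > threshold

def _ber(tag, content):
    """Minimal BER encoder (short-form lengths) used only to build constructed samples."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def _int(n):
    """Non-negative int as BER INTEGER; the spare high byte keeps it positive."""
    return _ber(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_getbulk(max_rep, non_rep=0, request_id=1, community=b"public"):
    """Constructed sample v2c GetBulkRequest carrying one varbind for sysDescr."""
    oid = _ber(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 1]))               # 1.3.6.1.2.1.1.1
    varbinds = _ber(0x30, _ber(0x30, oid + _ber(0x05, b"")))        # [ {oid, NULL} ]
    pdu = _ber(0xA5, _int(request_id) + _int(non_rep) + _int(max_rep) + varbinds)
    return _ber(0x30, _int(1) + _ber(0x04, community) + pdu)       # version 1 == v2c
```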

To configure the defense, select your product from the list below and follow the related protection steps.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Network Security > SNMP, and select the SNMP Attacks protection group.
3. Click Excessive Max Repeaters in GET BULK message (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: SNMP Attacks
Description: Excessive Max Repeaters in GET BULK message