Sun Solaris SNMP components allow remote execution of code with root access
Risk High
Date Discovered 06-04-2002
Description
The Sun Solstice Enterprise Manager (Solstice EM) daemon and the Sun SNMP agent
components running on Sun Solaris contain a buffer overflow and a format string
vulnerability that can allow an attacker to execute arbitrary code on the targeted
system with root privileges.
The Sun Solstice EM provides a management platform and a suite of tools to manage
network resources. The Solstice EM Master Agent (the snmpdx daemon) and the Sun
SNMP Agent (the mibiisa utility) are started by default and run with root privileges
on the system. The snmpdx daemon gathers SNMP requests and forwards them to
the mibiisa utility. The mibiisa utility supports all SNMP protocol operations
on the system.
A format string vulnerability in the Solstice EM Master Agent and a buffer
overflow vulnerability in the Sun SNMP Agent can be exploited either locally
or remotely to gain root access on a targeted system. The targeted Sun system
must be running both the snmpdx daemon and the mibiisa agent to be vulnerable
to this exploit.
Platforms Affected Sun
Components Affected
Sun Microsystems SunOS 5.8
Sun Microsystems SunOS 5.8_x86
Sun Microsystems SunOS 5.7
Sun Microsystems SunOS 5.7_x86
Sun Microsystems SunOS 5.6
Sun Microsystems SunOS 5.6_x86
Recommendations
Sun Microsystems is releasing the following series of version-specific patches
that address these and previously identified vulnerabilities. Verify the revision
number of the patch before installing.
Sun Microsystems SunOS 5.8
Sun OS 5.8 Patch 108869-16
Sun Microsystems SunOS 5.8_x86
Sun OS 5.8 X86 Patch 108870-16
Sun Microsystems SunOS 5.7
Sun OS 5.7 Patch 107709-19
Sun Microsystems SunOS 5.7_x86
Sun OS 5.7_X86 Patch 107710-19
Sun Microsystems SunOS 5.6
Sun OS 5.6 Patch 106787-18
Sun Microsystems SunOS 5.6_x86
Sun OS 5.6_X86 Patch 106872-18
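One way to carry out the revision check on a host, as an added example that is not part of this advisory or of Sun's bulletin: it parses `showrev -p` output and compares the installed revision with the minimum listed above. The function names, the sample output, and the mapping of the _x86 platforms to the `i386` value of `uname -p` are assumptions.

```shell
#!/bin/sh
# Added example. Patch IDs and minimum revisions are those listed under
# Recommendations; everything else here is illustrative.

# required_patch RELEASE ARCH -> prints "BASE MINREV"; fails if not listed.
# Assumption: the _x86 platforms report "i386" from `uname -p`.
required_patch() {
    case "$1/$2" in
        5.8/sparc) echo "108869 16" ;;
        5.8/i386)  echo "108870 16" ;;
        5.7/sparc) echo "107709 19" ;;
        5.7/i386)  echo "107710 19" ;;
        5.6/sparc) echo "106787 18" ;;
        5.6/i386)  echo "106872 18" ;;
        *) return 1 ;;
    esac
}

# patch_status RELEASE ARCH   (reads `showrev -p` output on stdin)
# prints one of: patched | outdated (rev N) | missing | not-listed
patch_status() {
    req=$(required_patch "$1" "$2") || { echo "not-listed"; return 0; }
    set -- $req    # $1 = patch base ID, $2 = minimum revision
    awk -v base="$1" -v min="$2" '
        # showrev -p lines start with "Patch: <base>-<rev>"
        $1 == "Patch:" && split($2, p, "-") == 2 && p[1] == base {
            seen = 1
            if (p[2] + 0 > best) best = p[2] + 0   # keep highest revision
        }
        END {
            if (!seen)            print "missing"
            else if (best >= min) print "patched"
            else                  print "outdated (rev " best ")"
        }'
}

# Constructed sample of `showrev -p` output (not taken from a real host).
SAMPLE_SHOWREV='Patch: 108869-09 Obsoletes:  Requires:  Incompatibles:  Packages: (constructed)
Patch: 108869-12 Obsoletes:  Requires:  Incompatibles:  Packages: (constructed)
Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: (constructed)'

# On a real host: showrev -p | patch_status "$(uname -r)" "$(uname -p)"
printf '%s\n' "$SAMPLE_SHOWREV" | patch_status 5.8 sparc   # outdated (rev 12)
```

A result of `outdated` or `missing` matters only on systems where both snmpdx and mibiisa are running, since the advisory states both are required for the host to be vulnerable.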
References
Source: Sun Microsystems Sun Security Bulletin #00219
URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/219&type=0&nav=sec.sba
Source: Entercept Security Alert SEA-SNMP
URL: http://www.entercept.com/dr/snmp/
Copyright (c) 2009 by Symantec Corp.