===========================================================================
SCO Security Bulletin 2000.04
8th February 2000
SNMPD default writable community string
---------------------------------------------------------------------------
SNMPD configuration Vulnerability in  SCO OpenServer
---------------------------------------------------------------------------

I.   Description

Recently Network Associates, Inc. issued a SECURITY ADVISORY
against SCO OpenServer 5.0.5 titled
"SNMPD default writable community string",
describing how the default configuration of SCO OpenServer 5.0.5 allows
local users read/write access to the information provided by SNMPD
via a default writable community string.

In addition, the advisory indicated a possible issue in that an attacker
is able to read the SNMPD facilities using the standard community strings
(as well as the test community strings).

II.  Impact

The write access is due to test community strings being shipped in
one of the snmpd daemon configuration files.
Possible abuses of this include the ability to modify the
System Group Description and ObjectId returned by an SNMPD query,
and possibly modification of the information returned for queries of
network interface state, IP forwarding and routing, the state of network
sockets (including the ability to terminate active TCP sessions and
listening sockets) and the ARP cache.

III. Releases

OpenServer version 5 (all versions prior to 5.0.6).

IV.  Solution

The fix for this problem is relatively trivial and is contained
in this bulletin.

Below is a replacement for the post-install contents of the snmpd
community configuration file
    /etc/snmpd.comm

--------------------- cut and paste below ------------------------------------
#	  @(#) snmpd.comm 88.1 00/01/28
#      SCCS IDENTIFICATION
#
# This is the community configuration file that determines who may
# access the gateway.  Each line consists of three items:
# 1st, the community name.
# 2nd, the IP address of the remote site.  If address is 0.0.0.0, any
# address may communicate on that community name.
# 3rd, the privileges given that community name.  These currently
# consist of READ for read only, WRITE for read/write, or NONE to
# lock out a community name.
# The format is
# community_name IP_address_in_dot_notation privileges
public   0.0.0.0        read
interop  0.0.0.0        read
isc-i88  0.0.0.0        read

------------------- cut and paste to here ------------------------------------ 

A fix can also be made by a user with administration privilege
editing the file on an existing system and removing the lines beginning
with the string "test", i.e. the lines
test1    0.0.0.0        READ
test2    127.0.0.1      WRITE

If your configuration has additions made post-install for the use of
systems like SCO Doctor or any other SNMP monitor, you should replicate those
into the replacement file. If you have, or envisage, no use for the
interop or isc-i88 community strings, feel free to remove these also.
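The following script is an added example, not part of the SCO bulletin: it parses a file in the /etc/snmpd.comm format described above (community_name, IP address, privileges) and reports the entries the bulletin says to remove (the "test" strings and any writable community), plus read communities open to 0.0.0.0. The sample file it writes is constructed to resemble the pre-fix default; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the SCO bulletin: audit an /etc/snmpd.comm-style
# file for the entries the bulletin says to remove or restrict.
# Entry format (from the file's own header): community_name IP_address privileges
# where "#" starts a comment and privileges is READ, WRITE or NONE (any case).

# Print one line per risky entry; prints nothing when the file is clean.
audit_snmpd_comm() {
    file=$1
    # drop comments and blank lines, keep only well-formed three-field entries
    sed -e 's/#.*//' "$file" | awk 'NF == 3 { print }' |
    while read -r name addr priv; do
        # the bulletin's examples mix "read" and "READ", so compare case-insensitively
        p=$(printf '%s' "$priv" | tr 'A-Z' 'a-z')
        case "$name" in
            test*)
                # the shipped test1/test2 strings: remove regardless of address
                echo "REMOVE    $name $addr $priv  (default test community string)"
                continue ;;
        esac
        if [ "$p" = "write" ]; then
            echo "WRITE     $name $addr $priv  (writable community; MIB values can be changed)"
        elif [ "$p" = "read" ] && [ "$addr" = "0.0.0.0" ]; then
            echo "READ-ANY  $name $addr $priv  (readable from any address; restrict to the management station)"
        fi
    done
}

# Number of findings, usable as a pass/fail check from a cron job.
count_findings() {
    audit_snmpd_comm "$1" | wc -l | tr -d ' '
}

# Constructed sample resembling the pre-fix default the bulletin describes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# community_name IP_address_in_dot_notation privileges
public   0.0.0.0        read
test1    0.0.0.0        READ
test2    127.0.0.1      WRITE
EOF

audit_snmpd_comm "$sample"
```

Point it at the real /etc/snmpd.comm to check a system after editing; an empty report means no test or writable entries and no wildcard read access remain.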

If the issue of anyone being able to read the advertised SNMPD
state via the normal public community strings is a concern, then
the snmpd daemon can be prevented from running.

The simplest way of doing this is (as root) to kill the running daemon
    kill `ps -e -opid,comm | grep snmpd | cut  -c-6`
and rename the file /etc/snmpd.conf
    mv /etc/snmpd.conf /etc/snmpd.conf.OFF
so it will not get started at boot.

If you kill off snmpd, also check to see if there is a line with:
    smuxtcl  /etc/sysadm.d/hostmib.tcl
shown in a ps listing. This is an SNMP TCL extension and should also
be killed. It is started as a result of previously running
    mkdev hostmib
        1. Install Host Resources MIB
which creates the init script
       /etc/rc2.d/S89hostmib
that actually starts and stops the hostmib extensions.

Run
    /etc/rc2.d/S89hostmib stop
to stop the executing processes and use
    mkdev hostmib
        2. Remove Host Resources MIB
to disable it from running in the future.


Another alternative is to comment out everything in snmpd.comm
(the daemon is still running, but nobody can read or write)
and tell the daemon to reread its configuration files:
    kill -HUP `ps -e -opid,comm | grep snmpd | cut  -c-6`


Notes:
If the system is being monitored by SNMP Management tools like
HP Open View, Sun NetManager, UniCenter TNG, or MRTG, then lines allowing the
management workstation or data collector to do SNMP reads must 
be included in /etc/snmpd.comm. 
These will probably be specific to the Management tool in use.
Allowing only the management workstation's IP to read SNMP data is 
the safest configuration.


IV.a Testing.

To test if SNMP read is disabled, run:
       /etc/getmany localhost public iso
If you get a long list of OIDs, then SNMP reads are still allowed.
If nothing is returned, SNMP is disabled.
Replace localhost with an IP address to test a remote system.


V.   Updates

This bulletin is available for anonymous ftp download from 
ftp://ftp.sco.COM/SSE/security_bulletins and will be
updated as new information becomes available.

The latest information on security vulnerabilities and fixes from
SCO is available on the world-wide web at http://www.sco.com/security/

VI.  Further Information:

If you have further questions, contact your support provider.  If you
need to contact SCO, please send electronic mail to support@sco.COM, or
contact SCO as follows. 

    USA/Canada: 6am-5pm Pacific Time (PST/PDT)
    -----------
    1-800-347-4381  (voice)
    1-408-427-5443  (fax)

    Pacific Rim, Asia, and Latin American customers: 6am-5pm Pacific Time (PST/PDT)
    ------------------------------------------------
    1-408-425-4726  (voice)
    1-408-427-5443  (fax)

    Europe, Middle East, Africa: 9am-5:30pm UK Time (GMT/BST)
    ----------------------------
    +44 (0)1923 816344 (voice)
    +44 (0)1923 817781 (fax)



