The Four Hundred
OS/400 Edition
Volume 11, Number 8 -- February 25, 2002

Admin Alert: Is OS/400 SNMP Vulnerable to Hack Attack?

by Joe Hertvik

The CERT Coordination Center, which tracks viruses for the public good, has released a notice detailing vulnerabilities in the Simple Network Management Protocol, commonly used in modern servers. These security holes, outlined in Advisory CA-2002-03, may cause denials of service, interruptions in service, or allow an attacker to gain access to servers. These vulnerabilities exist in SNMPv1 implementations from several vendors, including IBM.

However, IBM hasn't come out with an official statement or fix for the OS/400 SNMP vulnerability yet. Here's what I know, and what you can do in the long run. Since OS/400 includes an SNMP server, I contacted IBM for information on what iSeries and AS/400 shops should do about this identified vulnerability. Many shops wind up accidentally starting SNMP on their AS/400s simply by including the Start TCP/IP Server (STRTCPSVR) command in their startup program, as follows:

STRTCPSVR SERVER(*ALL)

The SERVER(*ALL) parameter in STRTCPSVR starts every OS/400 TCP/IP server, including SNMP, regardless of whether or not you set the AUTOSTART parameters on your TCP/IP servers to *NO (the AUTOSTART parameters only block TCP/IP server activation through the Start TCP/IP, or STRTCP, command). So if you execute STRTCPSVR with SERVER(*ALL), you've started SNMP on your OS/400 box, whether you meant to or not. Furthermore, some OS/400 applications rely on SNMP for processing, so it may not be so easy for many shops to simply turn off SNMP.

An IBM spokesperson said last week that IBM's practice is to work directly with customers on security and integrity issues, so I was not able to get an official statement on what was happening with the OS/400 SNMP software. I suppose this is understandable, since IBM may feel that it could tip its hand on potential OS/400 vulnerabilities if it said too much, and it may want to move silently and quickly to avoid attention from hackers. However, it would be preferable for IBM to make a public statement about its efforts to assess the vulnerability and fix it. IBM does not have to provide the details on the vulnerability itself or how it fixed it. This would be a comfort to customers trying to figure out what their exposure is.

A second IBM source also told me that there was no official policy about OS/400 SNMP vulnerability yet, but that IBM's techies are looking into it. There are no PTFs available at this writing, and IBM's lawyers may also be looking at the situation to assess what IBM's liability in this matter could be. IBM seems to be getting all of its ducks in a row before it comes out and says anything officially.

IBM will not necessarily put out a PTF for the SNMP vulnerability. It could very well be that IBM will determine that the SNMP vulnerabilities don't affect OS/400. IBM has already put out SNMP patches for AIX (see the CERT advisory for details), so an OS/400 patch isn't out of the question.

So what should you do if you're an OS/400 shop and you're worried about an SNMP virus interrupting operations? Here are some ideas:

  • If you absolutely need SNMP on your iSeries or AS/400, contact IBM for instructions. IBM says it wants to work with customers directly on security and integrity issues. Make IBM do that.
  • If you do not need SNMP, consider disabling SNMP at your firewall, to protect your internal network. The CERT advisory also has some other good suggestions for protecting your network from any potential SNMP viruses.
  • Disable the OS/400 SNMP server. If you start OS/400 SNMP through STRTCPSVR in your startup program, as outlined above, change the STRTCPSVR statement in that program to explicitly start only those TCP/IP servers your AS/400 needs. Disabling servers that are not explicitly required is good networking practice, and reduces system exposure. If you want to leave STRTCPSVR at its SERVER(*ALL) setting, you can add the following End TCP/IP Server (ENDTCPSVR) command later in the program: ENDTCPSVR SERVER(*SNMP). This will end the SNMP server, while leaving the other servers intact. Be sure to also put in any accompanying Monitor Message (MONMSG) commands in the program to trap any errors that may occur. If you're not sure whether or not SNMP is running on your iSeries or AS/400, you can generally look in the QSYSWRK subsystem for the QSNMPSA job and use ENDTCPSVR to end it, if it's found.
  • Keep checking the CERT Web site and bother IBM about a fix. Since IBM is looking at the problem, it may not be too long before we hear something.
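As an added illustration of the third suggestion above (this is example code written for this article, not IBM's code and not a fragment of any real startup program), here is a hypothetical CL startup-program fragment. It names the TCP/IP servers the system is assumed to need instead of using SERVER(*ALL), ends SNMP anyway as a belt-and-braces step, and traps errors after each command with MONMSG. The server list (*TELNET, *FTP) is a placeholder for whatever your own system requires; the CHGSNMPA AUTOSTART(*NO) line comes from general OS/400 knowledge rather than from the article, and as the article explains it only stops STRTCP, not STRTCPSVR SERVER(*ALL), from starting SNMP.

```cl
/* Hypothetical startup program fragment (example added to this article, */
/* not IBM code). Replace the server list with what your system needs.   */
             PGM

/* Keep STRTCP from autostarting SNMP. This attribute has no effect on  */
/* STRTCPSVR SERVER(*ALL), which is why *ALL is avoided below.          */
             CHGSNMPA   AUTOSTART(*NO)
             MONMSG     MSGID(CPF0000 TCP0000)

/* Bring up TCP/IP itself. */
             STRTCP
             MONMSG     MSGID(CPF0000 TCP0000)

/* Name each required server explicitly instead of SERVER(*ALL).   */
/* *TELNET and *FTP are placeholders for this example.             */
             STRTCPSVR  SERVER(*TELNET)
             MONMSG     MSGID(CPF0000 TCP0000)
             STRTCPSVR  SERVER(*FTP)
             MONMSG     MSGID(CPF0000 TCP0000)

/* Belt and braces: end SNMP in case anything else started it.     */
/* If you must keep STRTCPSVR SERVER(*ALL), this is the line that  */
/* follows it. Harmless when SNMP is not running; MONMSG traps the */
/* resulting message.                                              */
             ENDTCPSVR  SERVER(*SNMP)
             MONMSG     MSGID(CPF0000 TCP0000)

             ENDPGM

/* Interactive check (not part of the startup program): confirm the */
/* SNMP agent job is gone from QSYSWRK.                             */
/*   WRKACTJOB SBS(QSYSWRK) JOB(QSNMPSA)                            */
```

Each MONMSG immediately follows the command it monitors, so a server that fails to start or stop does not abort the rest of the startup program; review the job log afterwards rather than assuming every step succeeded.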
    Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.