Introduction
The CERT® Coordination Center (CERT/CC) issued an advisory on February 12, 2002 titled "CERT® Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)." This advisory is available at: http://www.cert.org/advisories/CA-2002-03.html.
The overview to the advisory states that individual vendors’ implementations of SNMP Version 1 can result in unauthorized privileged access, denial-of-service attacks, or unstable behavior. The advisory also lists a set of solutions. The solutions, and how to apply them to Robot Trapper, are described below.
Apply a Patch From Your Vendor
Fortra will provide fixes related to the CERT Advisory in future releases of Robot Trapper. These fixes are provided free as part of your continuing maintenance agreement.
Disable SNMP Service
- When Robot Trapper detects a situation that it cannot handle, the Trap Manager will end with informative messages in the job log. The job log is available as a spool file. To view the job log, enter the following on an IBM i command line:
  WRKJOB JOB(TRPMANAGER)
- If there are multiple jobs named TRPMANAGER, the Select Job panel appears first. Enter a 1 next to the most recently ended job named TRPMANAGER entered with the user ID RBTUSER. The job will have the highest number in the Number field with a status of OUTQ.
- When the Work with Job panel appears, select option 4.
- The Work with Job Spooled Files panel displays and should only list the job log for the TRPMANAGER job. Select option 5.
- Enter a B in the Control field and press Enter to view the end of the job log. Page up until you find the error that caused the job to end. The solution to the problem that caused the Trap Manager to end should be included in the second-level text of the messages. The solution may require that you:
  - Leave the Robot Trapper Trap Manager inactive until other solutions can be applied.
Ingress Filtering
Use of an ingress filter can prohibit users outside of your local area network from using SNMP to gain unauthorized access to your IBM i running Robot Trapper. The ingress filter, such as a firewall, should prohibit externally initiated inbound traffic to non-authorized services. Verify that the ingress filter limits access to UDP port 161 (SNMP) and UDP port 162 (SNMP-trap).
The advisory also lists other ports to which you can deny access. Robot Trapper only accesses UDP port 162, and is not affected if you choose to limit access to these other ports via a firewall.
Filter SNMP Traffic From Nonauthorized Internal Hosts
You can filter SNMP traffic via the Robot Trapper menus, as follows:
- Display the Robot Trapper main menu by entering the following on a command line:
  RBTTRPLIB/TRP
- Select option 3 to display the System Setup menu.
- On the System Setup menu, select option 3 to display the System Defaults panel.
- On the System Defaults panel, enter an N in the Automatically Add Devices field and press Enter.
- Press the F3 key twice to return to the Robot Trapper Main Menu.
- Select option 1 to display the Maintain Devices panel.
- Press F6 to add the devices that you want to monitor with Robot Trapper. Repeat this step until you have added all of the devices that you want Robot Trapper to monitor.
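As an added illustration (not Fortra's code, and not a description of how Robot Trapper is implemented), the Python below shows the two defensive ideas behind the ingress-filtering and device-registration steps above: accept SNMPv1 traps only from hosts that were explicitly registered, as the Automatically Add Devices = N setting does, and decode the SNMPv1 message envelope with strict bounds checks so a malformed datagram is rejected instead of mishandled. The host addresses and the sample datagrams are constructed for the example.

```python
TRAP_PDU_TAG = 0xA4  # [4] IMPLICIT, constructed: the SNMPv1 Trap-PDU

class MalformedMessage(ValueError):
    """Raised for any datagram that is not a well-formed SNMPv1 trap."""

def _read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos] -> (tag, value, next_pos). Each length is
    bounds-checked before use, so a crafted length never reads past the datagram."""
    if pos + 2 > len(buf):
        raise MalformedMessage("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first == 0x80:
        raise MalformedMessage("indefinite length is not valid in SNMP")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise MalformedMessage("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise MalformedMessage("length runs past the datagram")
    return tag, buf[pos:pos + length], pos + length

def parse_v1_trap(datagram):
    """Strictly decode Message ::= SEQUENCE { version, community, Trap-PDU }
    and return (community, raw_trap_pdu); anything else raises."""
    tag, body, end = _read_tlv(datagram, 0)
    if tag != 0x30 or end != len(datagram):
        raise MalformedMessage("outer SEQUENCE missing or trailing bytes")
    tag, version, pos = _read_tlv(body, 0)
    if tag != 0x02 or version != b"\x00":
        raise MalformedMessage("not an SNMPv1 message")
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise MalformedMessage("community must be an OCTET STRING")
    tag, pdu, pos = _read_tlv(body, pos)
    if tag != TRAP_PDU_TAG or pos != len(body):
        raise MalformedMessage("expected exactly one Trap-PDU")
    return community.decode("ascii", "replace"), pdu

def accept_trap(source_ip, datagram, registered_devices, auto_add=False):
    """Apply the article's 'Automatically Add Devices = N' policy: a trap from
    an unregistered host is dropped (None) before its bytes are decoded."""
    if not auto_add and source_ip not in registered_devices:
        return None
    return parse_v1_trap(datagram)

# Constructed sample datagrams (hypothetical, not captured from any system).
SAMPLE_TRAP = bytes.fromhex("3011" "020100" "04067075626c6963" "a40406022b06")
OVERLONG_TRAP = bytes.fromhex("3011" "020100" "04407075626c6963" "a40406022b06")
```

The inner Trap-PDU is returned undecoded; a real receiver would parse it with the same bounds-checked reader before trusting any field in it.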
Change Default Community Strings
This does not affect Robot Trapper.
Segregate SNMP Traffic to a Separate Management Network
This solution is best implemented by restricting SNMP traffic to separate virtual private networks (VPNs), which employ cryptographically strong authentication. This solution may require extensive changes to your network architecture.
Egress Filtering
This does not affect Robot Trapper because it doesn’t send data from the IBM i.
Disable Stack Execution
This does not apply to the IBM i.
Share Tools and Techniques
This advisory is available at: http://www.cert.org/advisories/CA-2002-03.html. This Web site provides information on how to share tools and techniques to handle the problems listed in the advisory.