The SNMP proxy agent on certain large Solaris systems contains a buffer overflow. It may be possible, though it is unconfirmed, that an intruder could use this flaw to execute code with root privileges.
The Sun Enterprise 10000 is monitored and controlled by a systems called a System Service Processor (SSP). If two SSPs are in use they are configured as a main and a spare. The snmpd agent on the main SSP, part of the SSPSUNWsspop package, contains a buffer overflow in a variable used to hold argv. The location of the buffer suggests it would be difficult to use this flaw to execute code.
The complete impact of this vulnerability is not yet known. In the worst case, it could allow an intruder to execute code with root privileges, but that impact is unconfirmed. Because the overflow occurs in a buffer used to hold argv, an intruder cannot use this flaw to crash an existing snmpd.
The CERT/CC is currently unaware of a practical solution to this problem.
Vendor| Status| Date Notified| Date Updated
Sun| | -| 05 May 2001
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
Our thanks to Pablo Sor who originally identified this problem on Bugtraq.
This document was written by Shawn V. Hernan.