Declaration regarding CERT Advisory CA-2002-03 Vulnerabilities in
SNMPv1 Request Handling
Ericsson AB has performed tests on the Erlang/OTP SNMP agent
to reveal any applicable issues. Our findings regarding the recent
CERT advisory are as follows:
CERT Advisory CA-2002-03
VU#854306 - Multiple Vulnerabilities in SNMPv1 Request Handling:
We have tested OTP's SNMP agent using the CERT tool
(some 30.000 cases with mostly malformed ASN.1 PDUs).
No security issues were found, and the agent did not
waste resources during the test.
This applies to the OTP SNMP agent in OTP R3, R6, R7 and R8.
It is the user's responsibility to handle the call-back functions
in the module snmp_error in an appropriate way; the default
implementation should be regarded as an example.
Depending on how the user's system (where the SNMP agent executes)
is configured, the default error logging might cause problems. The
main thing to consider for the user is to reduce the volume of
However, a couple of bugs were found in OTP R6, R7 and R8; in some
corner cases the packets were silently dropped
but the snmpInASNParseErrs counter was not incremented.
We have corrected this in:
patch erl_353 for OTP R7
patch erl_355 for OTP R8
patch erl_356 for OTP R6
Ericsson AB 2002-03-07
/Kenneth Lundin (Product Manager for Erlang/OTP)