Steps to Secure EEM Servers with Directory SNMP Vulnerability
Issue: A vulnerability (CVE-2011-3849) has been identified in CA Directory that can allow a remote attacker to cause a denial of service condition. The vulnerability is due to insufficient bounds checking when the DSA parses SNMP packets: a remote attacker can send a crafted SNMP packet that crashes the DSA.
Affected Products: CA Directory r12 SP1-SP7 and CA Directory 8.1
Workaround: The vulnerability is in CA Directory's parsing of SNMP packets. To mitigate the risk, disable the DSA's SNMP port by removing (or commenting out) the "snmp-port" line in the DSA's knowledge configuration.
EEM impact: EEM embeds the affected CA Directory versions. In EEM r12.0 the "snmp-port" line is already commented out, so the r12.0 release is not affected. In EEM 8.4 and earlier versions the line must be commented out explicitly to mitigate this vulnerability. We have tested EEM with the line commented out and observed no loss of functionality. The next major release of EEM 8.x will include the CA Directory patch that corrects the issue. Please work with the product teams whose products embed EEM to determine when, and in which version, they will certify against the EEM release containing CA Directory r12.0 SP7 CR01 (build 6279), which corrects this vulnerability.
Steps to secure EEM Servers:
- On each of your EEM servers go to the knowledge folder. The default locations on Windows and Unix are:
- Windows: %DXHOME%\config\knowledge
- Unix: $DXHOME/config/knowledge
- Edit ALL the dxc files whose names start with iTechPoz and comment out the snmp-port line by putting a pound sign at the beginning of the line. You can also remove the line altogether. For example, change
- snmp-port = 509
- to
- # snmp-port = 509
- [Screenshot from the original page: the knowledge folder with the iTechPoz dxc files to be modified highlighted.]
- Note: If you have EEM failover set up you will have additional iTechPoz dxc files in this folder, one per server. Modify all of the iTechPoz files, including the ones for your other servers.
- If you have other dxc files in your knowledge folder that are not prefixed with iTechPoz, consider making the same change to them as well. Coordinate first with the product that uses those dxc files, to confirm that it does not rely on the SNMP port and will keep working.
- Once the setting has been changed and saved in each of the iTechPoz dxc files, the CA Directory DSAs must reread their configuration for the change to take effect. Run the command below from the command line. It only instructs the DSAs to reread their configuration files; it does not restart the services:
- dxserver init all
- Note: On Unix you must first su to the dsa user (or the Directory service user defined in your install) before running dxserver init all.
The DSAs should now no longer listen on the SNMP port, and the vulnerability is mitigated.
If you wish to verify that SNMP is now off, run dxsnmp from the samples folder for your OS:
- Windows: %DXHOME%\samples\snmp
- Unix: $DXHOME/samples/snmp
- dxsnmp -r2 localhost/509
- dxsnmp -r2 localhost/1684
If the SNMP port is off the query times out and reports "Target Unreachable". For example:
- C:\Program Files\CA\Directory\dxserver\samples\snmp>dxsnmp -r2 localhost/509
- Please note that if your iTechPoz dxc files do not refer to localhost, replace localhost in the command above with the IP address or hostname used in the "address" line of the dxc file.
- See the "address" line in the sample iTechPoz dxc file below.
# iTechPoz - iTechnology rePOZitory
set dsa "iTechPoz-EEMSERVER1" =
prefix = <cn iTechPoz>
dsa-name = <cn iTechPoz><cn PozDsa><cn EEMSERVER1>
# address = tcp localhost port 509
#for failover configuration
address = tcp EEMSERVER1 port 509
# snmp-port = 509
# for dxconsole debugging. info: make sure that the port is not used
# console-port = 10510
auth-levels = anonymous
dsp-idle-time = 120
#for failover configuration
dsa-flags = multi-write
link-flags = ssl-encryption-remote
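The edit and the check from the steps above, as an added POSIX shell example that is not part of the CA advisory: it comments out every active snmp-port line in the iTechPoz*.dxc files of a knowledge directory (keeping a .bak copy of each file it changes, so a second run is a no-op), then counts the dxc files that still carry an active snmp-port line, so that non-iTechPoz files show up for review without being edited automatically. The directory argument, the .bak naming and the "disabled snmp-port in" message are this example's own assumptions; running dxserver init all afterwards is still required and is not done by the script.

```shell
#!/bin/sh
# Added example (not from the CA advisory): comment out every active
# "snmp-port" line in the iTechPoz*.dxc knowledge files, keep a backup of
# each file changed, and report how many dxc files still have an active
# snmp-port line.

# disable_snmp_port KNOWLEDGE_DIR
# Rewrites each iTechPoz*.dxc so that an uncommented "snmp-port = N" line
# becomes "# snmp-port = N". Lines that are already commented out do not
# match, so running the function twice changes nothing the second time.
disable_snmp_port() {
    dir=$1
    for f in "$dir"/iTechPoz*.dxc; do
        [ -f "$f" ] || continue
        if grep -q '^[[:space:]]*snmp-port' "$f"; then
            cp "$f" "$f.bak"   # assumed backup name, kept for rollback
            # sed without -i keeps this portable between GNU and BSD sed
            sed 's/^\([[:space:]]*\)snmp-port/\1# snmp-port/' "$f" > "$f.tmp" \
                && mv "$f.tmp" "$f"
            echo "disabled snmp-port in $f"
        fi
    done
}

# count_active_snmp_ports KNOWLEDGE_DIR
# Prints the number of *.dxc files (iTechPoz or not) that still contain an
# uncommented snmp-port line and names each one on stderr. 0 means every
# DSA in this knowledge folder has its SNMP port disabled.
count_active_snmp_ports() {
    dir=$1
    n=0
    for f in "$dir"/*.dxc; do
        [ -f "$f" ] || continue
        if grep -q '^[[:space:]]*snmp-port' "$f"; then
            echo "still active: $f" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Usage: sh disable_snmp_port.sh "$DXHOME/config/knowledge"
# Run as the user that owns the knowledge files, then run "dxserver init all"
# and the dxsnmp check from the steps above.
if [ $# -gt 0 ]; then
    disable_snmp_port "$1"
    echo "dxc files with an active snmp-port line: $(count_active_snmp_ports "$1")"
fi
```

A non-zero count after the run points at dxc files that are not prefixed with iTechPoz; those are left for the owning product's team to review, as the steps above advise, rather than edited blindly.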