
Host of SNMP vulnerabilities threatens Internet

By Alastair Otter, Journalist, Tectonic
Johannesburg, 13 Feb 2002

An advisory released by the Computer Emergency Response Team Coordination Centre (CERT) has detailed a host of vulnerabilities in the Simple Network Management Protocol (SNMP) that may allow unauthorised privileged access, enable denial-of-service attacks or cause devices to become unstable.

SNMP is a common protocol used to monitor and manage network devices. Version 1 of the protocol defines several types of SNMP messages that are used to request information or configuration changes, respond to requests and send alerts (traps). The vulnerabilities were discovered last year by the Secure Programming Group of the Finnish University of Oulu.

CERT says it has been informing vendors of the vulnerabilities since they were discovered, but decided to issue an advisory following concerns that knowledge of the flaws was spreading quickly.

Wayne Biehn, sales director for South African security company SecureData, says the vulnerabilities discovered are "definitely a significant threat" to all Internet users. He explains that the threat is significant because the SNMP protocol is so pervasive on the Internet: "Anything running SNMP is vulnerable," and the risks apply to multiple vendors.

Internet Security Systems (ISS), a US-based security company, similarly warned that a powerful stress-testing tool is circulating on the Internet and could be used by attackers to exploit the SNMP vulnerabilities.

According to ISS, the Protos SNMP stress-testing tool can be used to send test cases to remote SNMP daemons to discover programming flaws and vulnerabilities, and may lead to the "widespread use of new exploits to crash or compromise vulnerable systems".

According to CERT, more than 100 vendors are known to support SNMPv1 implementations in their products and may be vulnerable to the SNMP exploits. These include big name vendors such as 3Com, Alcatel, Computer Associates, Dell, Microsoft and IBM.

By early this morning most vendors, including Hewlett-Packard, Microsoft, Cisco and Computer Associates, had released patches for their products.

CERT advised that the simplest workaround for the problem is to disable SNMP on devices that don't require it. However, because most networks rely on elements of SNMP, it is unlikely that most system administrators will be able to close these services entirely.

The CERT warning suggests that in most cases it is preferable to filter the incoming traffic to prevent possible exploits. "Ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorised services."

The primary ports to filter on are 161/udp and 162/udp. Other ports that are less common, but equally vulnerable, are 161/tcp, 162/tcp, 199/tcp, 199/udp, 391/tcp, 391/udp, 705/tcp, 1993/tcp and 1993/udp. By closing or filtering these ports, system administrators can significantly reduce their risk, although they may also interrupt needed services.

CERT also warned that many SNMP daemon implementations may bind to all IP interfaces on the device, which has important consequences when filtering traffic to protect devices.

"Even if a device disallows SNMP packets directed to the IP addresses of its normal network interfaces, it may still be possible to exploit these vulnerabilities ... by using other IP addresses."

These include broadcast addresses, subnet broadcast addresses and internal loopback addresses often used by routers for management purposes.
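The filtering advice above, and the caveat about daemons that bind to every interface, can be made concrete with a small border-rule check. The following is an added example, not code from the article or from CERT; the sample packets are constructed inline, and the address ranges (192.0.2.0/24 as an internal subnet, 10.255.0.0/24 as a router loopback range) are assumptions chosen for illustration. It contrasts a naive rule that only protects a device's own interface addresses with a border rule that also covers subnet broadcasts, the limited broadcast address and management loopback ranges, so that a packet aimed at 192.0.2.255 on 161/udp is dropped rather than reaching every SNMP daemon on the segment.

```python
"""Border ingress-filter check for the SNMP-related ports listed in the CERT advisory.

Added example: illustrates why filtering only a device's interface addresses
is insufficient when the SNMP daemon binds to all interfaces.
"""
import ipaddress

# Ports from the advisory: 161 and 162 are the primary ones; 199 (smux),
# 391 (synoptics-relay), 705 (agentx) and 1993 (snmp-tcp-port) are less common.
SNMP_PORTS = {
    "udp": {161, 162, 199, 391, 1993},
    "tcp": {161, 162, 199, 391, 705, 1993},
}

# Assumed topology for the example (not from the article).
INTERNAL_NETS = ["192.0.2.0/24"]      # an internal subnet behind the border
LOOPBACK_NETS = ["10.255.0.0/24"]     # router loopback addresses used for management
DEVICE_ADDRS = ["192.0.2.10"]         # the interface address of one managed router

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_snmp_port(proto, dst_port):
    """True if the destination port is one of the SNMP-related ports to filter."""
    return dst_port in SNMP_PORTS.get(proto, set())


def naive_blocked(proto, dst_port, dst_ip, device_addrs=DEVICE_ADDRS):
    """A rule that only protects the device's own interface addresses.

    This is the filter the advisory warns about: a daemon bound to all
    interfaces still answers packets sent to broadcast or loopback addresses.
    """
    if not is_snmp_port(proto, dst_port):
        return False
    return ipaddress.ip_address(dst_ip) in {ipaddress.ip_address(a) for a in device_addrs}


def border_blocked(proto, dst_port, dst_ip,
                   internal_nets=INTERNAL_NETS, loopback_nets=LOOPBACK_NETS):
    """Border ingress rule: drop externally initiated traffic to an SNMP port
    whose destination is anywhere inside.

    Membership in a network covers host addresses, the network address and the
    subnet broadcast, so 192.0.2.255 is caught along with 192.0.2.10. The
    limited broadcast and the router loopback ranges are handled explicitly.
    """
    if not is_snmp_port(proto, dst_port):
        return False
    ip = ipaddress.ip_address(dst_ip)
    if ip == LIMITED_BROADCAST:
        return True
    for net in internal_nets + loopback_nets:
        if ip in ipaddress.ip_network(net, strict=False):
            return True
    return False


# Constructed sample of inbound packets (proto, dst_port, dst_ip); not captured traffic.
SAMPLE_PACKETS = [
    ("udp", 161, "192.0.2.10"),       # router interface address
    ("udp", 161, "192.0.2.255"),      # subnet broadcast for 192.0.2.0/24
    ("udp", 161, "255.255.255.255"),  # limited broadcast
    ("udp", 162, "10.255.0.1"),       # router loopback used for management
    ("tcp", 705, "192.0.2.10"),       # agentx: less common but listed
    ("udp", 53, "192.0.2.10"),        # DNS: not an SNMP port, must pass
]


def evaluate(packets=SAMPLE_PACKETS):
    """Return {(proto, port, ip): (naive_drop, border_drop)} for each packet."""
    return {
        pkt: (naive_blocked(*pkt), border_blocked(*pkt))
        for pkt in packets
    }


def missed_by_naive(packets=SAMPLE_PACKETS):
    """Packets the border rule drops but the interface-only rule lets through."""
    return [pkt for pkt, (naive, border) in evaluate(packets).items()
            if border and not naive]


if __name__ == "__main__":
    for pkt, (naive, border) in evaluate().items():
        print(f"{pkt[0]}/{pkt[1]} -> {pkt[2]:16} naive={'DROP' if naive else 'pass'} "
              f"border={'DROP' if border else 'pass'}")
```

Running the module shows that the interface-only rule passes the subnet broadcast, limited broadcast and loopback-directed packets, while the border rule drops all of them and still lets the DNS packet through. The same logic maps directly onto a router or firewall ACL: the deny entries should name the SNMP ports against every internal prefix, not just the management station's addresses.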
