SNMP Vulnerabilities: Write Community String Guessable

Updated 8/9/02
CAN 1999-0516
CAN 1999-0517

Impact

A write community string for one of your systems can be easily guessed. The full impact depends on what type of device this is, but anyone who guesses the write community string can usually reconfigure the device however they please over the network. On a printer this could mean denial of service; on a router, switch or other network device, control of the configuration can be leveraged into root-level compromise of other systems on that network.

It is strongly recommended that you change the write community string for that device.

Background

The Simple Network Management Protocol (SNMP) is a widespread protocol that lets network administrators obtain information from, and often configure, network devices remotely. It is present on all but the most basic networking hardware (hubs, switches, routers, etc.) and on many other networked devices (networked printers, terminal servers, etc.). Many workstations and PCs also run an SNMP agent, and most network management packages (commercial and non-commercial) make extensive use of SNMP for information gathering.

Most devices that provide SNMP expose an enormous amount of data over it. The exact information available depends on the type of device, its manufacturer and model, but it generally includes details of the hardware and OS type, information on the network interfaces, statistics on the network protocols, and general and vendor-specific details about what the device does and is doing. The volume of data is usually too large to be useful to a systems administrator without management software to sort through it. The security risk of letting a potential intruder read this information depends on the type of device, but assume that if the device knows a piece of data, it is probably readable via SNMP.

Many devices can also be configured remotely via SNMP, and those that can generally allow their entire configuration to be changed this way. This is useful to systems administrators, but it is an obvious security concern.

Despite its popularity, SNMP v1 and v2c have only rudimentary access control: plaintext passwords called community strings, sent unencrypted in every request, so anyone who can sniff SNMP traffic or guess the string gets the corresponding access. (SNMPv3 adds per-user authentication and encryption, but it is not what this check tests.) Most devices are set up with two community strings, a Read (Get) community for viewing information and a Set or Write community for changing configuration. Many devices come out of the box with SNMP enabled and a read community string of "public". Write access often has to be turned on manually, but not always. Needless to say, care should be taken with both settings.

The Problem/Resolution

If you were notified of this vulnerability, a read or write community string was guessed for a system you scanned. This is currently done with a simple brute-force algorithm that repeatedly tries a short list of common guesses. A guess is confirmed as a read community when a Get request for a standard object is answered; to confirm a write community, the scanner actually attempts to change the sysLocation object (OID 1.3.6.1.2.1.1.6.0) with a Set request, and changes it back if that succeeds. If the scanner guessed your community string, change it.
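The exchange described above, as an added example that is not part of this page or of the scanner itself: a minimal SNMPv1 encoder/decoder, a guessing loop that tries each candidate first as a read community (Get sysLocation) and then as a write community (Set sysLocation to a marker, then restore it), and a constructed stand-in agent that models the RFC 1157 behaviour of silently discarding requests with the wrong community. The BER code handles only the short forms these messages need (lengths, integers and OID arcs below 128); the names FakeAgent, guess_community and udp_transport, the marker value and the 192.0.2.10 address are assumptions made for the example.

```python
"""SNMPv1 community-string probe (added example; not the scanner's own code).
BER support is limited to short-form lengths, single-byte integers and
single-byte OID arcs, which is all the sysLocation exchange requires."""
import socket

SYS_LOCATION = (1, 3, 6, 1, 2, 1, 1, 6, 0)      # sysLocation.0 from the MIB-II system group
GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3


def _tlv(tag, body):
    assert len(body) < 128, "short-form length only"
    return bytes([tag, len(body)]) + body


def _int(n):
    assert 0 <= n < 128
    return _tlv(0x02, bytes([n]))


def _oid(arcs):
    # First two arcs are packed into one byte; the remaining arcs here are all < 128.
    return _tlv(0x06, bytes([40 * arcs[0] + arcs[1]]) + bytes(arcs[2:]))


def build_message(pdu_tag, community, request_id, oid, value=None):
    """SNMPv1 message with one varbind. value=None encodes NULL (a GetRequest);
    bytes encode an OCTET STRING (a SetRequest, or the value in a GetResponse)."""
    val = _tlv(0x05, b"") if value is None else _tlv(0x04, value)
    varbinds = _tlv(0x30, _tlv(0x30, _oid(oid) + val))
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + varbinds)  # error-status/index = 0
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)       # version 0 = SNMPv1


def parse(data):
    """Decode BER into a list of (tag, value); constructed tags hold nested lists."""
    items, i = [], 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        body = data[i + 2:i + 2 + length]
        i += 2 + length
        items.append((tag, parse(body) if tag & 0x20 else body))
    return items


def _fields(packet):
    """Return (community, pdu_tag, request_id, value bytes of the single varbind)."""
    _, (_, (_, community), (pdu_tag, fields)) = parse(packet)[0]
    _, varbinds = fields[3]
    _, (_, (_, value)) = varbinds[0]
    return community.decode(), pdu_tag, fields[0][1][0], value


class FakeAgent:
    """Constructed stand-in for a device agent with distinct read and write
    communities. Like an RFC 1157 agent it silently drops requests carrying a
    wrong community, so the prober sees a timeout (None) rather than an error."""
    def __init__(self, read="public", write="private"):
        self.read, self.write = read, write
        self.location = b"server room"

    def handle(self, packet):
        community, pdu_tag, request_id, value = _fields(packet)
        if pdu_tag == SET_REQUEST and community == self.write:
            self.location = value
        elif not (pdu_tag == GET_REQUEST and community in (self.read, self.write)):
            return None
        return build_message(GET_RESPONSE, community, request_id, SYS_LOCATION, self.location)


def guess_community(transport, candidates, marker=b"snmp-probe"):
    """Try each candidate as a read community (Get sysLocation), then as a write
    community (Set sysLocation to a marker, then restore the original value).
    transport(packet) returns the response bytes, or None on timeout."""
    read_hit = write_hit = None
    for rid, word in enumerate(candidates, start=1):
        rid %= 128                                   # keep the request-id single-byte
        resp = transport(build_message(GET_REQUEST, word, rid, SYS_LOCATION))
        if resp is None:
            continue
        original = _fields(resp)[3]
        read_hit = read_hit or word
        resp = transport(build_message(SET_REQUEST, word, rid, SYS_LOCATION, marker))
        if resp is not None and _fields(resp)[3] == marker:
            write_hit = word
            transport(build_message(SET_REQUEST, word, rid, SYS_LOCATION, original))  # put it back
            break
    return read_hit, write_hit


def udp_transport(host, port=161, timeout=1.0):
    """Real transport for checking a device you own: one datagram out, one back."""
    def send(packet):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(packet, (host, port))
            try:
                return sock.recvfrom(4096)[0]
            except socket.timeout:
                return None
    return send


if __name__ == "__main__":
    agent = FakeAgent()
    print(guess_community(agent.handle, ["secret", "public", "private"]))
    # Against your own device: guess_community(udp_transport("192.0.2.10"), ["public", "private"])
```

Note that a wrong community produces no reply at all, so a probe has to treat silence as failure and must not read anything into the lack of an error response; that is also why a scan of this kind is slow on a device that drops packets rather than answering.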

Many SNMP agents let you restrict which hosts may issue Set requests, and often which hosts may issue Get requests as well. Configure such a restriction wherever it is available, and treat it as a second layer rather than a substitute for a strong community string: SNMP runs over UDP, so a Set request with a forged source address can still be accepted if the community string is guessable, since the attacker does not need to see the reply.

8/9/02
Previously released versions of the Avaya P330, P130 and M770-ATM Cajun family of products contain an undocumented hard-coded read/write community string that can be used to reset the switch. Hardware and software versions tested and confirmed affected include P330T software versions 3.8.2 and 3.9.1, P333R software versions 3.8.1 and 3.9.1, P130, M770-ATM and M770 Supervisor (M-SPX, M-SPS). An Avaya user who is unable to upgrade to a fixed version can mitigate the problem by restricting SNMP access with the 'set allowed managers' command, which appeared in recent Cajun firmware.

Related CVE entries:
CAN 1999-0186 Solaris
CAN 1999-0254 HP OpenView
CAN 2000-0147 SCO OpenServer
CAN 2001-0380 Crosscom/Olicom XLT-F
CAN 2002-0478 Foundry Networks EdgeIron 4802F
CAN 2002-1448 Avaya P330, P130, and M770-ATM Cajun

Where can I read more about this?

For more information on SNMP, see Cisco's SNMP Reference. The Avaya vulnerabilities are discussed in Bugtraq and the Avaya advisory.