SNMP Vulnerabilities
Updated 6/12/02
CAN 1999-0615
CAN 2002-0012
CAN 2002-0013
CAN 2002-0053
CAN 2002-0796
CAN 2002-0797
Impact
If a vulnerable implementation of SNMP is running, a remote attacker could crash the device, cause the device to become unstable, or gain unauthorized access.
Background
The Simple Network Management Protocol (SNMP) is a UDP protocol used for network management. All networking devices such as routers and switches support SNMP, as do most printers, and many servers and workstations. Unix and Windows NT systems support SNMP either by default or as an optional service.
SNMP-enabled devices include managers and agents. A manager is a computer running network management software, and an agent is a process running on any other device which communicates with the manager. Through a process called polling, the manager uses the SNMP protocol on UDP port 161 to gather status, configuration, and performance information from each agent. In some cases, the manager is also allowed to send configuration changes to the agents.
In cases where an agent needs to report an unusual event to the manager outside the scope of the polling cycle, it is possible for the agent to initiate communication with the manager. This is known as a trap, and occurs on UDP port 162.
SNMP version 1 (SNMPv1) uses community strings for authentication. A community string is a password which is known to the manager and agent, and is part of each SNMP message. Community strings can allow either read-only access or read-write access. Many devices use the word public as a default community string.
The Problem
CAN 2002-0012
CAN 2002-0013
CAN 2002-0053
Vulnerabilities in many different implementations of SNMPv1 could allow a remote attacker to create a denial of service or gain unauthorized access.
The type and severity of the problem vary among vendors. Vulnerabilities may include buffer overflows, format string problems, or improper data handling in either the request handling or trap handling portions of the protocol implementation. Some exploits would require an attacker to supply a correct read-only or read-write community string for the device, but other exploits would not.
6/12/02
CAN 2002-0796
CAN 2002-0797
SunOS 5.6 through 5.8 (Solaris 2.6 through 8) also run a set of daemons on high-numbered UDP ports which manage specific types of traps received on port 162. A buffer overflow in one of these managers, mibiisa, combined with a format string problem in the SNMP daemon, could allow a remote attacker to gain root access.
Resolution
There are a number of measures which can be taken to reduce the risk of this vulnerability being exploited. Apply a patch from your vendor if one is available. (IRIX users should also refer to SGI Security Advisory 20020201-01-P, and Sun users should also refer to Sun Security Bulletin 219 for patch information.) Change all community strings to non-default strings which are difficult to guess. Block access to UDP ports 161 and 162 at the network perimeter. Disable the SNMP service on machines where it can be disabled and is not needed.
There are a number of additional precautions which should also be taken wherever possible:
- Filter SNMP traffic from unauthorized internal hosts
- Segregate SNMP traffic onto a separate management network
- Block incoming and outgoing traffic (ingress and egress filtering) on ports 161, 162, 199, 391, 705, and 1993, both TCP and UDP
- Block incoming traffic destined for broadcast addresses and internal loopback addresses
- Disable stack execution
For more information on these precautions, see CERT Advisory 2002-03.
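The Background section notes that the SNMPv1 community string travels in clear text in every message and that many devices ship with the default public, and the precautions above ask that SNMP traffic from unauthorized internal hosts be filtered. The following added example (not code from the advisory or any vendor) shows how a monitoring point can check both conditions on copies of UDP/161 datagrams: it decodes the BER envelope of an SNMPv1 message, including long-form lengths, and reports default community strings and requests from managers not on a site's allow list. The allow list, the source address and the sample packet are constructed for the example.

```python
"""Flag risky SNMPv1 traffic: default community strings and unapproved managers.
Added example, not code from the original advisory."""
# Assumption: this runs on copies of UDP/161 datagrams (e.g. from a span port);
# the set of allowed managers is site policy and is not taken from the advisory.

DEFAULT_COMMUNITIES = {b"public", b"private"}   # common vendor defaults
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest"}

def ber_tlv(tag, payload):
    """Encode one BER TLV, using long-form length when payload >= 128 bytes."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long-form length: next k bytes hold it
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + n], pos + n

def inspect_snmp(datagram, src_ip, allowed_managers):
    """Parse the SNMPv1 message envelope and return a list of findings."""
    tag, msg, _ = read_tlv(datagram)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, ver, p = read_tlv(msg)          # INTEGER version (0 = SNMPv1)
    ctag, community, p = read_tlv(msg, p)  # OCTET STRING community
    ptag, _, _ = read_tlv(msg, p)          # context-tagged PDU
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("malformed SNMP header")
    findings = []
    version = int.from_bytes(ver, "big")
    if version != 0:
        findings.append(f"unexpected SNMP version {version}")
    if community in DEFAULT_COMMUNITIES:
        findings.append(f"default community string {community.decode()!r}")
    if src_ip not in allowed_managers:
        findings.append(f"{PDU_NAMES.get(ptag, hex(ptag))} from unapproved manager {src_ip}")
    return findings

# Constructed sample: SNMPv1 GetRequest for sysDescr.0 using community "public".
varbind = ber_tlv(0x30, ber_tlv(0x06, bytes.fromhex("2b06010201010100")) + ber_tlv(0x05, b""))
pdu = ber_tlv(0xA0, ber_tlv(0x02, b"\x00\x00\x00\x01") + ber_tlv(0x02, b"\x00") * 2 + ber_tlv(0x30, varbind))
SAMPLE = ber_tlv(0x30, ber_tlv(0x02, b"\x00") + ber_tlv(0x04, b"public") + pdu)

if __name__ == "__main__":
    for finding in inspect_snmp(SAMPLE, "10.0.0.9", {"10.0.0.5"}):
        print("ALERT:", finding)
```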
Where can I read more about this?
The initial vulnerabilities were discovered by the Oulu University Secure Programming Group using the PROTOS Test Suite. For more information, see CERT Advisory 2002-03, the CERT SNMP FAQ, and Microsoft Security Bulletin 02-006.
A new SNMP vulnerability affecting IRIX was discovered later by X-Force.
For more information on the Sun mibiisa vulnerability, see Sun Security Bulletin 219.