Security Hole In SNMP 267
wiredog writes: "From ZDNET comes the news that there is apparently a serious security flaw in the Simple Network Management Protocol, used to control routers and other network devices." An anonymous reader points to the CERT advisory as well.
Alternatives (Score:1)
Re:Alternatives (Score:1)
(root@Insomnia)-(~)
# apt-get remove snmp
Reading Package Lists... Done
Building Dependency Tree... Done
The following packages will be REMOVED:
snmp 0 packages upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
Need to get 0B of archives. After unpacking 343kB will be freed.
Do you want to continue? [Y/n] Y
(Reading database
Removing snmp
Re:Alternatives (Score:1)
It's a really great and useful protocol, but if you have any intelligence at all, you firewall off all SNMP enabled devices from anyone you don't trust anyway.
Either way, it's going to take a bit of work to patch all the machines using SNMP.
Re:Alternatives (Score:3, Informative)
Re:Alternatives (Score:2)
Don't talk to strangers.
And this means you do not connect a vulnerable server to the internet to download patches.
Re:Alternatives (Score:3, Informative)
SNMP is well known to be a security problem (at least in the networking community). The answer is to cut all of it off at your firewall, and make sure your internal networks are zoned appropriately. The best way to deal with it right now is to put all your equpiments' management addresses in a management VLAN, of which none of the user ports are members, and then control access to it via the router you'll use to get to the VLAN.
Re:Alternatives (Score:2)
We do the same, almost universally, certainly for all of our Cisco routers and switches. Unfortunately, that does not address all the issues here, as some of these are buffer overflows which are independent of community string and allow DOS attacks. Unfortunately, the grisly details don't seem to be available - CERT refers to docs at mitre, but mitre currently isn't disclosing what these contain.
Not much scanning for it yet. (Score:3, Informative)
But I guess the kiddies are still sharpening the tools...
FreeBSD may be vulnerable... (Score:1, Informative)
FreeBSD has issued the following FreeBSD Security Advisory regarding the UCD-SNMP / NET-SNMP package: [freebsd.org]
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisori
Interesting (Score:3, Insightful)
It includes Cisco, Microsoft, HP, Sun, Novell, and many others. When it comes to SNMP bugs, it would seem that most vendors are created equal.
Re:Interesting (Score:2)
Sun, HP, and RedHat all listed links to the patches before patches were ready.
In fact, as of this morning, only RedHat had coughed up a patch yet. But Sun and HP still recommend you install the nonexistent patch right away.
Also, hmm, Microsoft doesn't use Open Source code, but their product is curiously affected by this vulnerability that mostly afflicts UNIX-based implementations...
Re:Interesting (Score:2)
UCSD's Free reference code, that's what. The same thing Microsoft used.
Re:not quite (Score:1, Redundant)
Those evil Microsoft d00ds (Score:5, Informative)
You'll notice that Microsofts response was to turn off the SNMP service until they get a patch ready.
Yeah, those bastards. Why can't they do things like the following model citizens?
Re:Those evil Microsoft d00ds (Score:2)
Have you tested their software? (Score:2)
Anyway, I was asked to test this set of tools against MSFT servers and then some networking hardware. So far the tests against WIN2K have been pretty good. I've managed to get SNMP to die gracefully a total of 2 times. No BSOD, the service simply dies. Howver in order to do this I had to run all 4 test sets at once and damn near FLOOD the machine I was testing - over 5meg worth of data at one point. When the service did die it didn't die consistantly - that is to say we cannot pick a single "magic packet" to kill WIN2K's SNMP service. Starting all test suites at the same point kills the service only occasionally and always at different test sets. I've been told via word of mouth that NT4 is even more robust - we're testing that next.
IF we get the same results from NT4 then it would seem to me that Microsoft's response to this isn't so bad. Their software doesn't APPEAR to be particularly vulnerable - hell if anything I was surprised at how robust it seemed to be with the absolute FLOOD of pure crap we were sending it's way - SNORT was going nutz BTW noting "potentially dangerous traffic" (lol).
Networking hardware may or may not be effected more easily. We've had some procurement issues but I expect we'll be attacking some test equipment soon - starting with CISCO stuff. Network management software also tends to talk SNMP. TIVOLI (note IBM didn't really mention this in their response - AIX?!), Compaq Insight Manager, TNG, HP OpenView, and many others could be effected. We're going to test what we can based on what we use. Printers and other networked office equipment might also have issues but that's low on my list of priorities right now.
Overall, I'm not really worried by this YET. When it was first brought to my attention the message was one of panic - that this software would be the "kiss of death" for most anything running SNMP even if the Community string wasn't known. Well, so far it's really yet to kill much of anything in our lab! I'm sure we'll find some things that keel over more quickly but so far our primary operating platform has shrugged off 99% of these attacks and our IDS spotted it even without having an alert put on it just for this traffic.
Anyone else testing this software? Finding problems? Hint: it seems to work best when run off of LINUX\Java. When run on a WIN2K\Java platform it didn't appear to form the packets correctly - we're getting different\better results on LINUX (shrug). I'd still be careful to only test this on isolated test netowkrs though - just in case
From patches to kings (Score:3, Informative)
Getting them installed may be a different story. There are probably a lot of "forgotten" SNMP devices out there...
I thought SNMP was a security hole... (Score:2, Informative)
It's probably changed since I last worked with it, but it just looked kindof funny.
matt
Re:I thought SNMP was a security hole... (Score:2)
Re:I thought SNMP was a security hole... (Score:2, Informative)
- Send an SNMP set or get to a box. Use any ol' random community string.
- The box then sends an SNMP trap to its management station which contained the cleartext real community string.
If you had a packet sniffer, you could easily get the community string. I don't remember offhand if the trap contained the read-only or read-write string, but still, either way, I don't want a device doing that.
That was a long time ago. I can't imagine any devices still have such a hole unless they haven't been upgraded in years.
Re:I thought SNMP was a security hole... (Score:2)
For example, on a WinNT server that isn't too far from me, I bring up the [Network] control panel, hit the [Services] tab, double-click on the [SNMP Service] line, hit the [Traps] tab, and see that teh [Community Name] is set to "trap". Also, if I hit the [Security] tab, I see that the [Send Authentication Trap] checkbox is checked, so an invalid community string will cause a trap to be sent to the management station.
On the other hand, the [Accepted Community Names] are set to "Public", with READ-ONLY rights, and "Private", with READ-WRITE rights. Finally, [Accept SNMP Packets From Any Host] is checked, rather than [Accept SNMP Packets From These Hosts]. This means that the system is rather open, but since it is behind a firewall that blocks all SNMP traffic, it isn't too much of an issue.
The benefits of diversity (Score:1)
How silly to deploy a less-than-perfect protocol so widely with no real diversity in its implentations, and indeed no built-in security.
Re:The benefits of diversity (Score:2)
'Net meltdown once again imminent (Score:1)
--Nick
Not a SNMP hole (Score:4, Informative)
Re:Not a SNMP hole (Score:4, Informative)
Re:Not a SNMP hole (Score:4, Informative)
The reason for this is that SNMP uses an incredibly complicated wire format: ASN.1/BER. ASN.1/BER is based on the (once seductive) idea that you could avoid interoperability and extensibility problems by (in effect) defining a programming language to encode and decode data structures. As long as you implement the primitives of the language, third parties can implement arbitrarily complex constructs on top of the protocol without changing your code.
The reality, of course, is that almost all queries fit into a tiny subset of the "language", and that the "language" itself is so complicated to implement (relative to other protocols) that nobody is willing to "reinvent the wheel".
So they all downoad the (free) CMU or UCD SNMP library and use that.
Hence, everyone is vulnerable.
Re:Not a SNMP hole (Score:4, Informative)
Nobody uses SNMPv3.
Nobody uses SNMPv2
Everyone uses SNMPv1
People will ALWAYS use SNMPv1. Nobody will set up a new authentication infrastructure just for SNMP. They will build ad-hoc backchannels to isolate SNMP from the rest of the Internet. They will fail repeatedly, but it won't be nearly as expensive as deploying an entire new security infrastructure for network management.
This is the same reason why nobody will ever use DNSSEC, and why everyone uses SSH. SSH did the simplest thing possible and left the infrastructure up to the consumers. DNSSEC and SNMPvNG repeatedly fucked this simple problem up by trying to mandate more of the environment than was required to get off the ground.
Re:Not a SNMP hole (Score:3, Interesting)
People are beginning to use v3 as the product vendors are beginning to ship it in the majority of the products. Unfortunately, it's still not "all", as you well know.
(and as for dnssec, the reason it can't be used effectively now is that verisign won't let it be used because they refuse to sign the
Re:Not a SNMP hole (Score:3, Funny)
From the so-never-mail-your-passwords dept? (Score:5, Insightful)
Re:From the so-never-mail-your-passwords dept? (Score:1)
I imagine it's a reference to the fact that routers and boxen using the SNMP could lead to passwords being stolen from emails or something... I don't know... but I doubt it's a case of mistake network protocols... sheesh...
Ob-BOFH (Score:2)
The scary part is... (Score:2)
Re:The scary part is... (Score:3, Interesting)
Re:The scary part is... (Score:1)
How so? If there is no daemon listening on the port, how can a system be at risk? If I don't run an SNMP daemon, any SNMP data that hits my boxen will be dropped.
Mind you, the implications of this issue is huge for those that run Tivoli / NetView or OpenView management systems.
Well duh. (Score:3, Funny)
Re:Well duh. (Score:2)
Saturate the Network with Mangled Packets.
(the early CMU code used the phrase "mangled packet" as one of its error messages)
Delay in release (Score:1, Interesting)
CERT has a 45 day release policy, which apparently they are ignoring!
Many vendors have apparently known of this issue since last Fall! A bit longer then the 45 day policy.
End of email from SANS... (Score:5, Informative)
Re:End of email from SANS... (Score:2, Insightful)
Similarly, SNMP is a really useful tool that administrators should be making even more use of. They shouldn't get rid of it just because of this bug or the fact that lots of people use defautl passwords. That doesn't make the tool bad. Fix the bug(s). (Have there been other bugs recently?) Set the passwords. Save the car.
Re:End of email from SANS... (Score:2, Informative)
"As a general rule, the CERT/CC recommends disabling any service or capability that is not explicitly required, including SNMP. Unfortunately, some of the affected products exhibited unexpected behavior or denial of service conditions when exposed to the OUSPG test suite even if SNMP was not enabled. In these cases, disabling SNMP should be used in conjunction with the filtering practices listed below to provide additional protection. "
I'm not sure if this is 100%... (Score:1)
snmp-server host [snmp server ip] [community string] snmp
I'm not sure if ACL'ing 162, 163, and 1993 from outside your network will do any good for this, but it can't hurt.
What about obsoleted equipment? (Score:1)
Fortunately, my own network is behind a NAT gateway, but would it be possible to tank my APC SNMP adapter (the old style w/o web), and my 3Com LanPlex 2500 FDDI switch?
SNMP is supposed to be a "simple" protocol, per se, which is generally supposed to be left untrusted. Given the turnaround for exploits, I'm surprised this one took so long to come out...even if it was hidden from the general public for so long.
You mean, besides the fact... (Score:1)
Security ? - Not My Problem. (Score:1)
SNMP's a pretty damned scary protocol anyway (Score:3, Insightful)
But this assumes that security is even configured at all. So many network devices support SNMP these days that anything less than perfect administration can result in all kinds of trouble. Be honest: how many networks that you know of don't have several devices set to the "public" domain with no address filtering. Hello, Denial of Service.
After all these years of (alleged) focus on network security, I'm pretty shocked that there isn't a widely deployed standard based on public-key encryption, digital signatures, and other means of access control. You can't really make the argument that this is rocket science anymore...
Re:SNMP's a pretty damned scary protocol anyway (Score:3, Informative)
Re:SNMP's a pretty damned scary protocol anyway (Score:2, Interesting)
Face it... if you must use SNMPv1, make sure the router configuration port is on a private LAN and not accessible to the service ports you are providing. And pray someone doesn't break through.
Re:SNMP's a pretty damned scary protocol anyway (Score:2, Insightful)
Why, just because SNMP provides a community string as a level of deterent, you says it's insecure because of this? Anyone with a tinge of security mindedness knows that you don't want SNMP exposed to the world in the same way you don't want HTTP available to external IPs (on an intranet machine).
If you bind the snmp daemon to the internal network, and disable snmp-sets, you have a pretty locked down information gathering service.
I use SNMP as a remote information gathering tool for a home-brewed network monitor, No One can even know I am running SNMP untill they first break into my internal network.
Not saying it can't be done, but if it was done, I'd have more to worry about than SNMP.
Re:SNMP's a pretty damned scary protocol anyway (Score:2)
flaimbait...
snmp has survived the years where others have tried and failed. perhaps this is horrible to you, but I call it interoperable and highly functional.
Re:SNMP's a pretty damned scary protocol anyway (Score:2)
we're not talking about some closed vendor product here; this is an ietf-controlled protocol and if it really was junk (as some would have you believe) then it would have evolved into something totally different. and its really just slightly changed over its lifetime, with the core philosophy still being 'model everything as variables and instances and keep the data types as simple as possible'. seems to have gotton us by nicely for such a long long time..
Apparently crackers already had half a year (Score:1, Interesting)
The flaws were found last year by a project group at the University of Oulu in Finland, said Lindner. The group informed the CERT Coordination Center last summer, and the watchdog has been working since then to inform network hardware makers of the problems.
Isn't this like finding a gas tank that occasionally blows up and only telling the vendor (and thus a crime because deliberately witholding information that WILL save lives, and/or prevent a LOT of damage (ie not telling the police about a bomb in a car that you know of))
overflowing (Score:2)
Unfortunately the article is of provides too little information to know what's actually going on. A search on Google, as of yet, provides equally little information on this or these "bugs." Funny how much the above vagueness sounds like behaviour people used to engage in order to take over IRC channels. Perhaps some of the solutions that have been implemented in other areas can benefit this one... DoS attacks on http servers anyone? The CERT advisory, on the other hand provides the necessary information, but how many people are really going to read that?
The one thing I dislike reading ZDNet, is how they state it could affect "PC's." Perhaps people who haven't figured out IPTables or who fail to use ZoneAlarm are at risk. With the extent of today's always-on internet connections it seems that most of the problems facing the end user, ie: worms, viruses, stolen data, wrecked systems, etc., are the result of insufficient knowledge concerning the tool they are using. Now if you can't drive a car without a license.... ?? Well think about it.
What! You don't think computers can kill? [apple.com]
Wrong summation (again). (Score:5, Informative)
Re:Wrong summation (again). (Score:1)
Re:Wrong summation (again). (Score:5, Funny)
No security in SNMPv1 (Score:4, Interesting)
This means that if you like to configure yoru routers using SNMPv1 and someone intercepts your UDP packet, they can read the community string (normally used as an ad-hock password) you use and have access to your NE (network element).
This is a common security failure with a LOT of telecom equipment. Normally, if you enable SNMP on your boxes, keep the conguration port (normally found outside of service ports) inside a private LAN and hope for the best!
And the kicker is, I work for a telecom company implementing SNMP solutions on OOSes and EMSes. Even after 5 years or SNMPv2 being out (SNMPv3 has also come out in the last few years), most NE's being produced on the market (save for the big boys -- Nortel, Cisco, etc) come with standard SNMPv1 managment and configuration capabilities. Safe surfing.
Re:No security in SNMPv1 (Score:2)
Note: there were some defined versions of SNMPv2 that never made it very far through the standards process. These were snmpv2*, snmpv2c, snmp2p,
Re:No security in SNMPv1 (Score:2)
not always. many vendors use ACL's (access lists) to police their PDUs based on various criteria (source ip being the most popular).
SNMP on the internet, (Score:1)
Would it help to restrict the IP's that can connect to SNMP. Some devices supports this. I guess it depends on which level the hole is at.
BTW, did anyone see the beaten up Cisco router (that connects Patty and Selma to the net) with flies buzzing around it the the lastest ep of the Simpsons.
Cisco knew about this a year ago (Score:1, Redundant)
- Freed
It is not a problem with the protocol!!! (Score:1)
This is incorrect!! If you read the information in the CERT alert you will find this is a problem with implementation of the protocol. Just happens that almost everyone implemented it wrong. It is a classic buffer overflow DoS.
scary... (Score:2, Funny)
Excellent (Score:3, Insightful)
But still, this notice strikes me as excellent. First, it draws attention to a hole that can be patched, and I'm sure a number of programmers are grabbing down what source they can to implement a fix for it. Corporations who bitch and moan about how security flaws should not be broadcast to the world strike as not being willing to fix them quickly, or are willing to sell packages with flaws in them and hope to get away with it. Yay CERT!
Second, while the magnitude of impact may be great, it's sure a change from the near-weekly "a hole has been found in Microsoft Product X" announcements we get. It stands out because we don't get "Major security hole in basic technologies" announcements very often - usually they're linked to some broken MS implementation of it, or a proprietary protocol looking for adoption.
Plus, it goes to show that the Internet is an interdependent community that relies on basic technologies to work, rather than perpetuating the myth that Microsoft *is* the Internet. And the community will either fix the problem, or adopt a new, more rigorous standard.
And speaking of rigorous, isn't it nice that the basic standard has stood up this long under heavy usage? Can MAPI32 say the same thing? Or VBScripting? Or IIS? Or...
I love watching big stuff break for two reasons - I'm a pyromaniac who loves to see thinks go up in flames, and I'm always uplifted by a well-executed community response.
GMFTatsujin
Re:Excellent (Score:2, Funny)
IANA Programmer, IANA Sysadmin, I'm just a user... Mod appropriately, please.
Ahh, the mark of someone trolling for karma.
But still, this notice strikes me as excellent
Really? I thought it was the clueless stick that strikes you. daily. The notice is no different than any other Cert notice.
First, it draws attention to a hole that can be patched
Just like every other security hole notice...
and I'm sure a number of programmers are grabbing down what source they can to implement a fix for it.
Wow. You're right. 0 is a number.
Second, while the magnitude of impact may be great, it's sure a change from the near-weekly "a hole has been found in Microsoft Product X" announcements we get.
While the magnitude of imoact of an asteroid hitting the earth may be great, it's sure a change from the near-weekly "an airport was shutdown due to a putz forgetting his camera" accouncements we get.
It stands out because we don't get "Major security hole in basic technologies" announcements very often - usually they're linked to some broken MS implementation of it,
Right. Like bugs in Microsoft Sendmail. Or Microsoft WuFTP. Or Microsoft Red Hat linux.
Plus, it goes to show that the Internet is an interdependent community that relies on basic technologies to work, rather than perpetuating the myth that Microsoft *is* the Internet.
Even more of the obligatory MS sucks, trying to dissipate the blame.
And the community will either fix the problem, or adopt a new, more rigorous standard.
Which explains why XWindows is the Linux windowing system of choice.
And speaking of rigorous, isn't it nice that the basic standard has stood up this long under heavy usage? Can MAPI32 say the same thing? Or VBScripting? Or IIS?
And speaking of apples and oranges, do you understand the difference between a standard and an implementation?
I love watching big stuff break for two reasons - I'm a pyromaniac who loves to see thinks go up in flames, and I'm always uplifted by a well-executed community response.
What's your point again?
Do as usual (Score:2, Insightful)
2) If you use it and implemented it the way it's supposed to be implemented (listen only to trusted hosts) - upgrade with the next roll-out.
3) If you use it but don't know what you are using - get a clue, so that you fall in 2). Every lister on your box can fail you, be prepared, you have none to blame but yourself.
Testing this vulnerability (Score:2)
Numerous vulnerabilities have been reported in multiple vendors' SNMP implementations. These vulnerabilities may allow unauthorized privileged access, denial-of-service attacks, or cause unstable behavior. If your site uses SNMP in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section below.
There is not secret (Score:3, Informative)
Not a flaw in the protocol, but implementations (Score:2)
-me
Bogus release number for SNMP Research? (Score:2)
Re:Bogus release number for SNMP Research? (Score:2, Informative)
15.2.1.7 is a release that shipped for nearly
a year on some operating systems up to October
of 2001. We started shipping 15.3 in July, and
15.3.1.7 is the release that has changes
addressing the OUSPG-related issues, which started
shipping in October.
The 15.3.1.7/15.2.1.7 release number similarity
is an unfortunate accident - had I thought
about it we might have done it differently.
Idiot's Guide to Security... (Score:2)
And in the case of an ISP, they should know their IP addresses and what addresses they use for internal machines, so creating simple Access Control Lists in their routers to deny all snmp from everywhere except their own internal machines should be as common sense as One leg at a time when putting your pants on while standing up.
access-list 161 permit tcp 192.168.148.0 0.255.255.255 any eq 161 access-list 161 deny tcp any any eq 161
Re:Idiot's Guide to Security... (Score:2)
access-list 20 permit [monitoring ip address]
snmp-server community [communityname] RO 20
The access list number, 20, is arbitrary. It's in a range that denotes a simple IP access list.
Re:Correction... (Score:2)
Thanks!
Updated story on cnet's news.com and some links (Score:2, Informative)
To mitigate this vulnerability OULU (the guys that found this a year ago) has some good links at http://www.ee.oulu.fi/research/ouspg/protos/testi
Securing SNMP on Solaris
http://ist.uwaterloo.ca/security/howto/2000-10-04
Securing SNMP in Windows
http://www.sans.org/infosecFAQ/incident/SNMP.htm [sans.org]
Securing your Cisco Router when using SNMP
http://www.sans.org/infosecFAQ/netdevices/router.
SNMP - simple management tool for hackers?
http://www.nwfusion.com/newsletters/sec/1004sec1.
Windows 2000, SNMP and Security
http://www.securityfocus.com/focus/microsoft/2k/s
Re:Updated story on cnet's news.com and some links (Score:2)
CERT Considered Harmful. (Score:2, Insightful)
And yet, looking at the advisory, the most important vendors don't yet have patches . In particular, Microsoft, Cisco, and Sun remain vulnerable, with no released patches!
The entire rationale behind keeping vulnerabilities quiet is to enable vendors to fix the problem before the exploit falls into the hands of attackers. The entire rationale behind CERT's very existance is to act as a clearinghouse for vulnerabilities so that fixes can be coordinated prior to announcements. Virtually every credible security researcher has repeatedly exclaimed that CERT's model doesn't work. I can't imagine a clearer vindication for CERT's critics than this.
From the looks of this announcement, this may well be the most serious security vulnerability ever published; it's a root hole in literally every piece of Internet infrastructure deployed to date (assuming lack of filtering; but remember that most networks aren't properly firewalled off internally from customers and insiders). If CERT can't successfully coordinate a response to this vulnerability, why should we trust them with any other problems?
SNMP is a bad protocol. It's universally hated and derided by implementors. This is an amazingly great example of the problems that spring from shallow implementation gene pools; most of these vulnerabilities are probably due to code in CMU and UCD's (related) SNMP libraries. This is an excellent example of why it is critical to diversify implementations of core protocols on the Internet. Some incredibly hardworking [cr.yp.to] researchers have been working towards these ends for years; the network engineering community has largely responded to them with derision . Think about this.
This problem was so subtle that it wasn't detected for years and years, even though the vulnerability boils down to simple buffer overflows. This is because SNMP is an ASN.1/BER protocol. There are like four bazillion ways to represent a length in BER. Talented researchers [cr.yp.to] have continuously reiterated the need for simple, modular protocols to replace the rickety ad-hoc mess we use now. They have again met with derision from the network engineering community. Think about this.
Finally, the fact that SNMP is an insanely complicated protocol has not been lost on attackers. The very fact that CERT "accelerated" the release of this advisory indicates that they knew attackers "could" find some of these vulnerabilities. The fact is that some black hats almost certainly have worked this out. If we had published last year, when the discovery was made, just like the overwhelming majority of other vulnerabilities, the problem would have been fixed a year ago. If you manage a large network, how do you know you haven't already been compromised? Attackers have had years to exploit these problems without you knowing about it.
Why isn't anyone learning from these mistakes?
Re:CERT Considered Harmful. (Score:3, Informative)
And yet, looking at the advisory, the most important vendors don't yet have patches . In particular, Microsoft, Cisco, and Sun remain vulnerable, with no released patches!
The entire rationale behind keeping vulnerabilities quiet is to enable vendors to fix the problem before the exploit falls into the hands of attackers. The entire rationale behind CERT's very existance is to act as a clearinghouse for vulnerabilities so that fixes can be coordinated prior to announcements. Virtually every credible security researcher has repeatedly exclaimed that CERT's model doesn't work. I can't imagine a clearer vindication for CERT's critics than this.
Not that I'm trying to validate CERT's model mind you...
They were somewhat forced into releasing today. There was a leaked early version of the advisory (with no details) that had a release date of February 20th. Details were spilling out from various sources. Given how many patches were announced today after the advisory, it's safe to say that those vendors must have been pretty close to being ready.
It also demonstrates that it's not possible to try and give that many vendors that much warning, and not have leaks.
S.N.M.P. (Score:2, Funny)
Not
My
Problem!
Jeeeeez (Score:2)
blanket statements are misleading (Score:2)
buffer overflows are platform and agent dependant. you can't just say the protocol SNMP has inherent overflow problems.
no doubt some vendors' implementations have overflows and DOS issues. note the CERT title Multiple Vulnerabilities in Many Implementations . this is a far cry from the blanket statement that slashdot used as their headline (sigh).
public and private (Score:2)
I was honestly expecting the CERT advisory to be something like "90% of all SNMP agents were found to be using the default community strings. Your pants our down, buddy, turn off the agent."
Seriously, I've always been surprised the script kiddies haven't gotten hold of this. How hard would it be to write something that finds vender X's boxes and shuts down their interfaces? Switches cannot always be behind firewalls, and the ones in front are the juicy ones.
No experts on Slashdot? (Score:2)
If you don't know these names you can always check out the OVForum [ovforum.org] and join the fun. I've been "working with" these guys for quite a few years and if you want to tap some of the most experienced network engineers that deal with SNMP for the largest companies in the world then you're welcome to stop by. Yes, it's HP OpenView centric, but unless it's really off-topic then general questions are, generally, tolerated.
So that this is not taken as a totally self-serving reply here are some suggestions that I use that generally mirror the recommendations from CERT:
Create a separate VLAN or management network for your LAN infrastucture.
Protect this management network from the rest of the network via a firewall or at a minimum access-list.
Use access-list or similar technology to limit SNMP access to your WAN infrastructure from your management network, or better yet specific network management servers.
Use SNMPv3 if at all possible.
Just like any other security matter, make sure that you are running the appropriate version of code and or patches on your systems.
Hope this was helpful!
Fred Reimer
we are seeing SNMP scans (Score:2, Informative)
The scans are talking the IP address space in pseudo-random order. It appears to hold the top 16 bits constant while walking the lower 16 in a pseudo-random order. We have not seen simple SNMP scans that just walk up the IP address range.
It appears that the tool is initially just looking for open SNMP ports. The tool could be simply collecting open SNMP ports for later system cracking.
Old News. But it does bring up other issues.. (Score:2, Informative)
I, and most admins I know will completely block SNMP at the border routers (only allowed in through an IPSEC or VPN connection.). I used to have a simple demonstration of how "evil" unportected SNMP could be by showing admins just WHAT kind of info their SNMP enabled switches/routers haapilly gave out.. (quick hint: if u have the snmp tools in linux:
snmpwalk {ip address of any SNMP enabled cisco device} public
And watch as a list of the devices ARP tables shows you exactly which ports have which devices, as well as the routing table for the device and all sorts of info that any snoop can use to help them build a better picture of how the network is configures... [in fact, Fluke makes a software product called Network Inspector that uses the SNMP data from switches among other things to build a full network map including stuff to show things like exactly which switch port a device is on as well as the distance between two devices and how a packet IN THE SWITCH ENVIRONMENT travels from one device to another]
http://www.flukenetworks.com/us/LAN/Monitoring+
The other real issue that this brings up is what about the implementations of OTHER protocols like syslog? How many vendors use the same BASE code that may require a patch in flash as a firmware update?...
Cable modems... (Score:2)
Now, considering that many cable modems are owned by the USER, not by the cable supplier, how will they be updated?
If the modem can be updated remotely by the ISP, then it can also be updated by some 5|<r!97 |<!66!E, and that scares the hell out of me.
If the modem can only be updated from the client's side, then how the hell will the cable company know if what update to direct the user to?
And worst yet, what if the modem cannot be reflashed? I can just see the conversation now:
Re:What is the flaw? (Score:2, Informative)
Re:What is the flaw? (Score:4, Informative)
Bullshit:
http://www.kb.cert.org/vuls/id/107186
http://www.kb.cert.org/vuls/id/854306
These are linked to on the first page of the CERT Advisory. RTFA, doofus.
Re:What is the flaw? (Score:4, Informative)
In fact, there are several different buffer overflow and format string bugs, in different SNMP implementations. The OUSPG report [ee.oulu.fi] (which triggered this advisory) seems to be more detailed, but I still have to read it. (OTOH, SNMP vulnerabilities are rather boring stuff nowadays, any sane person blocks SNMP at the closest router.)
Re:What is the flaw? (Score:2)
As expected, the Cisco notice does not contain any explanations which would make easier for you to conduct your own tests.
Re:And this affects (Score:1)
Re:And this affects (Score:1)
Re:My opinion on the article (Score:1)
Re:this is it. (Score:1)
What the hell does this have to do with SNMP? I mean.. Really.
[OT]Please take meta discussion to the meta thread (Score:1)
Re:OpenBSD (Score:2)
Re:OpenBSD (Score:2)
Re:Fucking LAZY Vendors (Score:2)
If you mean using access lists to protect the SNMP process, sorry but:
This is probably what we'll end up doing anyhow, to narrow our vulnerability while we certify a new release, but it's by no means a true fix for the problem.
If you mean turning off SNMP altogether in the router, it's like poking out your eyes to protect them from sun damage. Network Management Systems (as well as a lot of my home-brewed scripts) assume that SNMP is present and working. Still, in some cases, it may actually be necessary.
I still stand by my original point - if the OpenBSD crew can audit their kernel code and theb OpenSSH code, why can't Cisco and Microsoft (OK, forget MS, they just don't care), with more money than I can think about, do the same?
Re:SNMP Hole is that of Administration (Score:2)