SNMP - simple management tool for hackers?
Jim Reavis
Network World on Security, 10/04/99
The Simple Network Management Protocol (SNMP) is probably the most pervasive tool you could possibly find. All operating systems have this capability in one form or another. Hubs, switches and routers have this capability as well. Of course, the wonderful capability for network administrators to reach out and touch a device across the net is a double-edged sword - hackers can do the same thing.
Searching the ISS X-Force database or BugTraq reveals quite a few SNMP vulnerabilities. Before you panic, the vendors have patched many of the vulnerabilities discussed here. However, we all know how hard it can be to stay current on vendor fixes, especially when they have a tendency to break something else that is working. Also, some of the technotes referenced describe best practices rather than a specific vulnerability. Here are some of our favorites:
Insecure Defaults
Products have an insecure default configuration. Some products come out of the box with PUBLIC as the default SNMP community string, which is of course the first thing an attacker would look for. Products should force you to enter a community name, and a hard-to-guess one at that.
No SNMP community name
The only thing worse than having PUBLIC for a community name is having no community name. Anyone can access the device, learn whatever they can from the device, and possibly alter its configuration.
Stop authentication trapping
An advisory was issued about the ability to write to the snmpEnableAuthenTraps object within various systems. Potentially, an attacker could prevent the device from sending traps for failed authentication. Then the attacker could take his time to crack the admin password for the device, all without drawing attention to his activity.
Unauthorized Write Access
A common problem mentioned is failing to control the Read-Write community tightly, which gives the wrong people the ability to alter the device. The most common action mentioned was killing the interface and bringing the network connection down.
Hidden SNMP communities
Late in 1998, HP OpenView on Unix was found to have a hidden SNMP community string, which could allow unauthorized access to SNMP variables. It was soon found that this problem extended to other vendors' products, such as Sun Solstice and Solaris. Given what OpenView is used for, it is very likely that an attacker could query this hidden community to draw a very complete network map and possibly modify some MIB values. X-Force found that with Sun, you could actually run commands with root privileges and kill processes.
Windows NT
Prior to Service Pack 4, SNMP communities could not be set to read-only; therefore someone with access to a server with SNMP enabled could bring down an interface, change the routing table, delete WINS records (if it was a WINS server) and several other things. Of course the default community was and still is PUBLIC, so an attacker might have some luck guessing it. Service Pack 4 fixed this problem; unfortunately Service Pack 4 had a memory leak, which could rob the machine of resources. But no matter, all of your machines have SP5 or the SP4 hotfix, right? Right?
"Cisco Pingball"
Some Cisco routers can be configured to issue ICMP echo requests through the SNMP agent. If repeated numerous times, the router's memory can be filled, causing performance degradation and an inability to respond to ICMP echo requests.
Remote Packet Capturing
Some packet-capturing tools can be accessed over a network using SNMP. An attacker in a remote location could eavesdrop on network traffic and obtain passwords, user identifications and other sensitive data. The types of packet-capturing tools that have this capability include Microsoft's Network Monitor and Network Associates' Distributed Sniffer.
Printer Crashing
Older firmware in the HP Series 5 printers lets malicious people execute denial-of-service attacks against it by sending specific SNMP gets.
Besides following security advisories and staying current on vendor patches, here are some other things to keep in mind to keep SNMP security problems at bay:
* How are you doing migrating off of SNMP Version 1? Version 1 famously has no security whatsoever. Someone with a packet sniffer could capture the entire sequence of packets needed to reboot a device and retransmit this at any time. Starting with Version 2, this traffic can be encrypted.
* Do you really need SNMP on a host? If the only purpose of having SNMP on a host is to allow the network control center to see when a host is unavailable, it probably isn't worthwhile. You will get the message soon enough when your help desk becomes a yelp desk.
* Access Control Lists. Make sure you implement ACL filtering to only allow access to your Read-Write community from approved stations or subnets.
* Make the community strings difficult to guess; use stringent rules like you are (hopefully) using for passwords.
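The checklist above (insecure default strings, unguarded Read-Write communities, weak community strings, and the authentication-trap setting) can be audited mechanically. The following is an added example, not code from the article or from any vendor: it scans a constructed Cisco IOS-style configuration fragment and reports each weakness; the password-style rule (at least 12 characters and three character classes) is an assumed policy.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of Cisco IOS-style SNMP lines; not taken from any real device.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community Xk9!vQ2m-t7Lp RW 10
snmp-server community netops RO 20
snmp-server enable traps snmp authentication
"""

# Out-of-the-box strings that attackers try first.
DEFAULT_STRINGS = {"public", "private"}


@dataclass
class Finding:
    line: str
    problems: list = field(default_factory=list)


def community_is_weak(s: str) -> bool:
    """Assumed password-style rule: 12+ characters and at least three character classes."""
    classes = sum(bool(re.search(p, s)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return len(s) < 12 or classes < 3


def audit_snmp_config(config: str) -> list:
    """Return one Finding per weak community line, plus a global one if auth traps are off."""
    findings = []
    for line in config.splitlines():
        # snmp-server community <string> [RO|RW] [access-list]; RO is the IOS default mode.
        m = re.match(r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$", line, re.I)
        if not m:
            continue
        community, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        problems = []
        if community.lower() in DEFAULT_STRINGS:
            problems.append("default community string")
        if community_is_weak(community):
            problems.append("community string fails password-style rules")
        if mode == "RW" and acl is None:
            problems.append("read-write community without an access list")
        if problems:
            findings.append(Finding(line, problems))
    # Authentication-failure traps are what let the NOC notice community-string guessing.
    if not re.search(r"^snmp-server enable traps snmp\b", config, re.M):
        findings.append(Finding("(global)", ["authentication traps not enabled"]))
    return findings
```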
RELATED LINKS
To see the detail of all of the advisories and technotes we described here, go to X-Force and search on "SNMP"