Ready, Set, Patch!

Every so often, a vulnerability in a widespread piece of software causes security and administrative folk to stop all existing projects and madly apply patches and upgrade programs on every machine. This week, our culprit of lost time is SNMP, the Simple Network Management Protocol.

SNMP, a UDP-based protocol (though infrequently it uses TCP instead), lets network devices provide tons of information that monitoring agents and management tools can use, and lets them send alerts (traps). 'Community strings', which are effectively a simple password (usually PUBLIC and PRIVATE), protect access to this information.

Almost all SNMP-enabled devices use version 1 of the protocol, which has a number of shortcomings. Preventing IP spoofing is not possible -- there is no privacy or encryption, and no authentication method other than community strings is available. Many folks have referred to SNMP as the 'Security Not My Problem' protocol. Newer SNMP specifications offer more security, but few products actually use these yet.

Bugs in numerous SNMP implementations were found by the Oulu University Secure Programming Group, and details were released on February 12th, 2002. These are not bugs in the SNMPv1 protocol, but bugs in various implementations. For detailed information, see the CERT advisory at http://www.cert.org/advisories/CA-2002-03.html.

The Short Version

If you have any machines running SNMP, then you could be in some serious trouble. Some of the bugs leave a device vulnerable to a Denial of Service attack, while others can trigger buffer overflows or format string bugs that could allow arbitrary code to run on the affected system.

The net-snmp (formerly ucd-snmp) package is provided with most Linux distributions and the 4.2.2 version is vulnerable. Most users have no need for an SNMP server on their Linux box; however, some distributions enable it by default when installing the machine with a server configuration. If this is the first time you've heard of SNMP, then it's definitely not something you need enabled on your systems.

So it's time to visit all your Linux machines and upgrade your net-snmp packages to 4.2.2 or later. Or better yet, remove the server SNMP packages entirely.

Linux security doesn't end with your Linux machines themselves -- security is dependent on each and every machine with which they interact. Many other devices on your network probably have SNMP enabled by default as well. Almost all switches, routers, network printers, and other just-plug-them-in devices are SNMP ready. And due to the bugs found by OUSPG, we now know that 'SNMP ready' is merely a synonym for 'vulnerable.'

SANS has created a tool named SNMPing that you can use to find systems that have SNMP enabled. To get a copy, send an email to snmptool@sans.org and they'll send you the download information. Unfortunately, the tool only runs on Windows NT/2000. I haven't tried the tool myself, but given SANS' technical know-how, it's probably quite effective.

If you want to do a quick search of your own networks the Unix way, Nmap is your true and eternal friend. Some devices listen on more than just the standard 161/udp and 162/udp ports. The following is a fairly complete list:

snmp            161/udp   # SNMP
snmp-trap       162/udp   # SNMP management messages (traps)
snmp            161/tcp   # SNMP (TCP version)
snmp-trap       162/tcp   # SNMP system management messages (TCP version)
smux            199/tcp   # SNMP Unix Multiplexer
smux            199/udp   # SNMP Unix Multiplexer
synoptics-relay 391/tcp   # SynOptics SNMP Relay Port
agentx          705/tcp   # AgentX
snmp-tcp-port   1993/tcp  # cisco SNMP TCP port
snmp-tcp-port   1993/udp  # cisco SNMP TCP port

Since we want to check both TCP and UDP ports, we'll need to run two rounds of nmap. Below is an example to check all machines on the 192.168.1.0/24 network for the ports listed above. Naturally you should tailor the example appropriately.

root# nmap -sU -p 161,162,199,1993 192.168.1.0/24
root# nmap -p 161,162,199,391,705,1993 192.168.1.0/24

Any machine that has open ports will show results similar to the following:

Interesting ports on someprinter.example.com (192.168.1.100):
Port State Service
161/udp open snmp

Then it's time for you to turn off SNMP on that device or upgrade the SNMP software.
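As an added example (my own code, not part of the article), the following Python turns the output of the two nmap runs into a per-host list of exposed SNMP-related ports, so the "turn it off or upgrade it" step has a concrete to-do list. The sample scan output is constructed to match the format shown above (the parser also accepts the "Nmap scan report for" host line that newer nmap versions print). One caveat worth knowing: a recent nmap reports a UDP port that never answered as "open|filtered" rather than "open", since UDP gives no reply either way; the parser keeps that state and marks those entries for a follow-up check instead of silently dropping them. The port-to-service table is taken from the list above and is assumed to apply to both TCP and UDP.

```python
"""Summarise nmap output into a list of SNMP-exposed hosts (added example)."""
import re

# Constructed sample in the output format the article shows (not real scan data).
SAMPLE_SCAN_OUTPUT = """\
Interesting ports on someprinter.example.com (192.168.1.100):
Port State Service
161/udp open snmp

Interesting ports on switch1.example.com (192.168.1.2):
Port State Service
161/udp open|filtered snmp
199/tcp open smux
1993/tcp closed snmp-tcp-port

Interesting ports on desktop7.example.com (192.168.1.57):
Port State Service
161/udp closed snmp
"""

# SNMP-related ports from the list in the article; assumed the same for tcp and udp.
SNMP_PORTS = {161: "snmp", 162: "snmp-trap", 199: "smux", 391: "synoptics-relay",
              705: "agentx", 1993: "snmp-tcp-port"}

# Host header as printed by the 2002-era nmap in the article and by newer versions.
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (\S+) \(([\d.]+)\):?")
# Only 'open' and 'open|filtered' matter; 'closed' and 'filtered' lines are skipped.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open(?:\|filtered)?)\s+\S+", re.IGNORECASE)


def find_snmp_exposure(*scan_outputs):
    """Merge one or more nmap runs (e.g. the UDP round and the TCP round) into
    {(hostname, ip): [(port, proto, state), ...]} for SNMP-related ports only."""
    findings = {}
    for output in scan_outputs:
        current = None
        for line in output.splitlines():
            m = HOST_RE.match(line)
            if m:
                current = (m.group(1), m.group(2))
                continue
            m = PORT_RE.match(line)
            if m and current is not None:
                port, proto, state = int(m.group(1)), m.group(2), m.group(3)
                if port in SNMP_PORTS:
                    findings.setdefault(current, []).append((port, proto, state))
    return findings


def _ip_key(item):
    # Sort numerically by address, not as strings ("...1.100" would otherwise precede "...1.2").
    return tuple(int(octet) for octet in item[0][1].split("."))


def report(findings):
    """One line per finding. 'open|filtered' means nmap got no UDP reply at all,
    so the port must be verified another way before it is crossed off."""
    lines = []
    for (host, ip), ports in sorted(findings.items(), key=_ip_key):
        for port, proto, state in ports:
            note = "verify" if state == "open|filtered" else "fix now"
            lines.append(f"{host} ({ip}) {port}/{proto} {SNMP_PORTS[port]} {state} -> {note}")
    return lines


if __name__ == "__main__":
    # In real use, pass the saved output of the UDP run and the TCP run as two arguments.
    for line in report(find_snmp_exposure(SAMPLE_SCAN_OUTPUT)):
        print(line)
```

Save each nmap run to a file and feed both to find_snmp_exposure; hosts that only show "closed" SNMP ports, like the desktop in the sample, never appear in the report.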

Somewhere, right now, someone is probably writing a worm to attack vulnerable SNMP installations. Make sure that you update your machines before it hits the Internet. Luckily, the nature of the vulnerabilities is that an exploit that would succeed against one type of machine, say a router, would crash the SNMP service on a different machine like your Linux server. However, losing your connectivity isn't a bundle of fun either.
