February 26, 2002, 12:00 AM — Every so often, a vulnerability in a widespread piece of software
causes security and administrative folk stop all existing projects to
madly apply patches and upgrade program on every machine. This week,
our culprit of lost-time is SNMP, the Simple Network Management
SNMP, a UDP-based protocol (though infrequently it uses TCP instead),
lets network devices provide tons of information that monitoring agents
and management tools can use, as well as provide alerts. 'Community
strings', which are effectively a simple password (usually PUBLIC and
PRIVATE), protect access to this information.
Almost all SNMP-enabled devices use version 1 of the protocol, which
has a number of shortcomings. Prevent ip spoofing is not possible --
there is no privacy or encryption and no authentication methods other
than community strings are available. Many folks have referred to SNMP
as the 'Security Not My Problem' protocol. Newer SNMP specifications
offer more security, but few products actually use these yet.
Bugs in numerous SNMP implementations were found by the Oulu University
Secure Programming Group, and details were released on February 12th,
2002. These are not bugs in the SNMPv1 protocol, but bugs in various
implementations. For detailed information, see the CERT advisory at
The Short Version
If you have any machines running SNMP, then you could be in some
serious trouble. Some of the bugs leave a device vulnerable to a
Denial of Service attack, while others can trigger buffer overflows or
format string bugs that could allow arbitrary code to run on the
The net-snmp (formerly ucd-snmp) package is provided with most Linux
distributions and the 4.2.2 version is vulnerable. Most users have no
need for an SNMP server on their Linux box; however, some distributions
enable it by default when installing the machine with a server
configuration. If this is the first time you've heard of SNMP, then
it's definitely not something you need enabled on your systems.
So it's time to visit all your Linux machines and upgrade your net-snmp
packages to 4.2.2 or later. Or better yet, remove the server SNMP
Linux security doesn't end with your Linux machines themselves --
security is dependent on each and every machine with which they
interact. Many other devices on your network probably have SNMP
enabled by default as well. Almost all switches, routers, network
printers, and other just-plug-them-in devices are SNMP ready. And due
to the bugs found by OUSPG, we now know that 'SNMP ready' is merely a
synonym for 'vulnerable.'
SANS has created a tool named SNMPing that you can use to find systems
that have SNMP enabled. To get a copy, send an email to
firstname.lastname@example.org and they'll send you the download information.
Unfortunately, the tool only runs on Windows NT/2000.