Ready, Set, Patch!
Every so often, a vulnerability in a widespread piece of software
causes security and administrative folk to stop all existing projects and
madly apply patches and upgrade programs on every machine. This week,
our culprit of lost time is SNMP, the Simple Network Management
Protocol.
SNMP, a UDP-based protocol (though infrequently it uses TCP instead),
lets network devices provide tons of information that monitoring agents
and management tools can use, as well as provide alerts. 'Community
strings', which are effectively a simple password (usually PUBLIC and
PRIVATE), protect access to this information.
Almost all SNMP-enabled devices use version 1 of the protocol, which
has a number of shortcomings. Preventing IP spoofing is not possible --
there is no privacy or encryption, and no authentication methods other
than community strings are available. Many folks have referred to SNMP
as the 'Security Not My Problem' protocol. Newer SNMP specifications
offer more security, but few products actually use these yet.
Bugs in numerous SNMP implementations were found by the Oulu University
Secure Programming Group, and details were released on February 12th,
2002. These are not bugs in the SNMPv1 protocol, but bugs in various
implementations. For detailed information, see the CERT advisory at
http://www.cert.org/advisories/CA-2002-03.html.
The Short Version
If you have any machines running SNMP, then you could be in some
serious trouble. Some of the bugs leave a device vulnerable to a
Denial of Service attack, while others can trigger buffer overflows or
format string bugs that could allow arbitrary code to run on the
affected system.
The net-snmp (formerly ucd-snmp) package is provided with most Linux
distributions and the 4.2.2 version is vulnerable. Most users have no
need for an SNMP server on their Linux box; however, some distributions
enable it by default when installing the machine with a server
configuration. If this is the first time you've heard of SNMP, then
it's definitely not something you need enabled on your systems.
So it's time to visit all your Linux machines and upgrade your net-snmp
packages to 4.2.2 or later. Or better yet, remove the server SNMP
packages entirely.
Linux security doesn't end with your Linux machines themselves --
security is dependent on each and every machine with which they
interact. Many other devices on your network probably have SNMP
enabled by default as well. Almost all switches, routers, network
printers, and other just-plug-them-in devices are SNMP ready. And due
to the bugs found by OUSPG, we now know that 'SNMP ready' is merely a
synonym for 'vulnerable.'
SANS has created a tool named SNMPing that you can use to find systems
that have SNMP enabled. To get a copy, send an email to
snmptool@sans.org and they'll send you the download information.
Unfortunately, the tool only runs on Windows NT/2000. I haven't tried
the tool myself, but given SANS' technical know-how, it's probably
quite effective.
If you want to do a quick search of your own networks the Unix way,
Nmap is your true and eternal friend. Some devices listen on more than
just the standard 161/udp and 162/udp ports. The following is a fairly
complete list:
snmp            161/udp    # SNMP
snmp-trap       162/udp    # SNMP management messages (traps)
snmp            161/tcp    # SNMP (TCP version)
snmp-trap       162/tcp    # SNMP system management messages (TCP version)
smux            199/tcp    # SNMP Unix Multiplexer
smux            199/udp    # SNMP Unix Multiplexer
synoptics-relay 391/tcp    # SynOptics SNMP Relay Port
agentx          705/tcp    # AgentX
snmp-tcp-port   1993/tcp   # cisco SNMP TCP port
snmp-tcp-port   1993/udp   # cisco SNMP TCP port
Since we want to check both tcp and udp ports, we'll need to run two
rounds of nmap. Below is an example to check all machines on the
192.168.1.0/24 network for the ports listed above. Naturally you
should tailor the example appropriately.
root# nmap -sU -p 161,162,199,1993 192.168.1.0/24
root# nmap -p 161,162,199,391,705,1993 192.168.1.0/24
Any machine that has open ports will show results similar to the
following:
Interesting ports on someprinter.example.com (192.168.1.100):
Port State Service
161/udp open snmp
Then it's time for you to turn off SNMP on that device or upgrade the
SNMP software.
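As an added example (not part of the original article), here is a small Python script that merges the results of the two nmap rounds above into a per-host inventory of open SNMP-related ports, using the port list from the article. The nmap output embedded in it is constructed sample data in nmap's classic text format, not a real scan.

```python
import re
from collections import defaultdict
# SNMP-related ports from the article's list, as (port, protocol) pairs.
SNMP_PORTS = {(161, "udp"), (162, "udp"), (161, "tcp"), (162, "tcp"),
              (199, "tcp"), (199, "udp"), (391, "tcp"), (705, "tcp"),
              (1993, "tcp"), (1993, "udp")}
# Classic nmap text output: a host header, then one line per port.
HOST_RE = re.compile(r"^Interesting ports on (?:\S+ )?\((\d+(?:\.\d+){3})\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+\S+")

def parse_nmap(text):
    """Return {ip: {(port, proto): state}}, keeping only SNMP-related ports."""
    hosts, current = defaultdict(dict), None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = m.group(1)
        elif (m := PORT_RE.match(line)) and current:
            key = (int(m.group(1)), m.group(2))
            if key in SNMP_PORTS:
                hosts[current][key] = m.group(3)
    return dict(hosts)

def snmp_exposed(*scans):
    """Merge the UDP and TCP rounds and list hosts with an SNMP port open.
    'open|filtered' counts too: nmap cannot tell an open UDP port from
    silence, so such hosts still need a manual check."""
    merged = defaultdict(dict)
    for scan in scans:
        for ip, ports in parse_nmap(scan).items():
            merged[ip].update(ports)
    result = []
    for ip in sorted(merged, key=lambda a: tuple(map(int, a.split(".")))):
        opened = sorted(k for k, st in merged[ip].items() if st.startswith("open"))
        if opened:
            result.append((ip, [f"{p}/{proto}" for p, proto in opened]))
    return result

# Constructed sample output for the two rounds (not from a real scan).
UDP_SCAN = """Interesting ports on someprinter.example.com (192.168.1.100):
Port       State       Service
161/udp    open        snmp
Interesting ports on fileserver.example.com (192.168.1.10):
Port       State       Service
161/udp    closed      snmp
"""
TCP_SCAN = """Interesting ports on (192.168.1.1):
Port       State       Service
22/tcp     open        ssh
1993/tcp   open        snmp-tcp-port
"""
for ip, ports in snmp_exposed(UDP_SCAN, TCP_SCAN):
    print(ip, "->", ", ".join(ports))
```

Feed it the saved output of the UDP and TCP scans and the printed list is the set of devices to shut SNMP off on or upgrade.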
Somewhere, right now, someone is probably writing a worm to attack
vulnerable SNMP installations. Make sure that you update your machines
before it hits the Internet. Luckily, the nature of the
vulnerabilities is that an exploit that would succeed against one
type of machine, say a router, would crash the SNMP service on a
different machine like your Linux server. However, losing your
connectivity isn't a bundle of fun either.
» posted by ITworld staff