It's one of the most pervasive IT tools, and many administrators make use of it daily. As a result, any problem with SNMP is of critical concern to security professionals.
Details of the vulnerability
Although SNMP has been in use for a long time, CERT just published an advisory (CA-2002-03) outlining two major vulnerabilities recently discovered by the Finnish Oulu University's Secure Programming Group (OUSPG) as part of the school's ongoing protocol testing project, "PROTOS - Security Testing of Protocol Implementations."
The problem isn't a single minor bug but a number of important vulnerabilities in several parts of the first version of SNMP, known as SNMPv1. This is an old protocol, and there are newer versions. Unfortunately, most vendors implement the first version, so this is a very widespread threat.
The first vulnerability, VU#107186, relates to SNMP trap message handling. SNMP trap messages are used to communicate error messages, and OUSPG has described a number of problems with the way SNMP decodes and processes these messages.
The second problem, VU#854306, is found in manager-to-agent request messages. Unfortunately, until patches are available, the only way to protect systems using SNMP is to temporarily disable it.
Threat level: Medium
The potential for damage from this flaw is serious, leading to denial of service events or allowing attackers to run any arbitrary code on target systems. However, SNMP is widely known to be an insecure protocol, one never designed for use except between trusted systems. Therefore, this threat will probably not be a major problem despite the fact that it is relatively easy to exploit.
Admins who have already taken SNMP's weaknesses into account and compensated for them will probably not be affected by this flaw. However, anyone who does rely on SNMP for Internet-based network management and either was not aware of SNMP's security shortcomings or has not compensated for them needs to take immediate action.
Since SNMP's UDP Ports 161 and 162 are normally blocked by a well-configured firewall, most firewall-protected networks would only be vulnerable to internal attacks based on these vulnerabilities.
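To check a host for the exposure described above, the following added example (not part of the original article or the CERT advisory) scans a listing of UDP listeners for ports 161 and 162 and maps each to the vulnerability note that concerns it. It assumes the five-column layout of Linux `ss -H -lun` output; the sample lines and all function names are constructed for illustration.

```python
import ipaddress

# Port -> (SNMP role, CERT vulnerability note cited in the article)
SNMP_PORTS = {
    161: ("agent, manager-to-agent requests", "VU#854306"),
    162: ("trap receiver, trap handling", "VU#107186"),
}

# Constructed sample in the assumed `ss -H -lun` layout (not from a real host):
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
UNCONN 0 0 0.0.0.0:161 0.0.0.0:*
UNCONN 0 0 127.0.0.1:162 0.0.0.0:*
UNCONN 0 0 192.0.2.10:162 0.0.0.0:*
UNCONN 0 0 [::1]:161 [::]:*
UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
UNCONN 0 0 *:161 *:*
"""

def split_addr(local):
    """Split 'addr:port' (IPv4, bracketed IPv6 or '*') into (addr, port)."""
    addr, _, port = local.rpartition(":")
    addr = addr.strip("[]").split("%")[0]  # drop brackets and any %iface scope
    return addr, int(port)  # ValueError if the port is not numeric

def is_loopback(addr):
    """Wildcard or unparseable addresses count as non-loopback (exposed)."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def find_snmp_listeners(ss_output):
    """Return one finding per UDP listener bound to an SNMP port."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        try:
            addr, port = split_addr(fields[3])
        except ValueError:
            continue  # header line or service name instead of a number
        if port in SNMP_PORTS:
            role, note = SNMP_PORTS[port]
            findings.append({"addr": addr, "port": port, "role": role,
                             "note": note, "exposed": not is_loopback(addr)})
    return findings
```

Listeners reported with `exposed` set to true are reachable from other hosts unless a firewall blocks UDP 161 and 162, and are the ones to disable or filter first.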
Applicability
This threat affects nearly 200 different vendor systems. Microsoft has released MS02-006 dealing with the SNMP problems for its systems, but, although all versions of Windows except Me ship with SNMP as an optional component, it isn't implemented by default in any version. This greatly reduces the level of threat to Windows systems.
Nevertheless, SNMP is widely used, and any network making use of it is potentially vulnerable. On the UNIX front, FreeBSD doesn't implement SNMP in its basic package, so installations aren't vulnerable unless you have installed the FreeBSD Ports Collection. IBM has reported that tests on AIX show its version of SNMP is not vulnerable.
For more information on specific software and hardware, please see the CERT bulletin Appendix for information provided by various vendors.