AL-2002.02 -- Multiple Vulnerabilities in SNMPv1 Implementations

Date: 13 February 2002
References: ESB-2002.065  ESB-2002.066  ESB-2002.067  ESB-2002.068  ESB-2002.069  ESB-2002.070  ESB-2002.071  ESB-2002.072  ESB-2002.075  ESB-2002.080  
ESB-2002.081  ESB-2002.082  ESB-2002.083  ESB-2002.084  ESB-2002.095  ESB-2002.107  ESB-2002.116  ESB-2002.126  ESB-2002.138  ESB-2002.163  ESB-2002.167  
ESB-2002.179  ESB-2002.195  ESB-2002.203  ESB-2002.244  ESB-2002.281  ESB-2002.290  ESB-2002.385  ESB-2002.422  ESB-2003.0107  ESB-2003.0517  ESB-2003.0743  



===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                        AL-2002.02  --  AUSCERT ALERT
             Multiple Vulnerabilities in SNMPv1 Implementations
                              13 February 2002

===========================================================================

PROBLEM:  

	There are serious vulnerabilities in various implementations of
	the Simple Network Management Protocol, version 1 (SNMPv1), the
	exploitation of which may allow an attacker to mount a Denial of
	Service (DoS) attack against, or execute arbitrary commands on
	any device that runs management software based on the SNMPv1
	protocol. SNMPv1 is in widespread use on the Internet and these
	vulnerabilities affect multiple platforms and products including
	the core network devices of the Internet infrastructure such as
	routers, switches and hubs.

	AusCERT is not aware of these vulnerabilities being actively
	exploited in Australia or elsewhere.  However, there is public
	knowledge of a tool used to expose some aspects of these
	vulnerabilities.  Sites are urged to follow the corrective steps
	in this alert.


PLATFORM:

	Multiple hardware and software platforms are known to be affected
	from various vendors. In addition to core network devices, a wide
	range of other networked home, office, medical and manufacturing
	equipment may be affected.

	If your site implements SNMP, it is advisable to clarify with your
	vendor as to your exposure to this issue. Vendors are currently
	working on patches and/or workarounds, so it is essential to remain
	vigilant for these as they become available.

IMPACT:   

	Denial of Service (DoS)
	Execution of Arbitrary Code/Commands (EAC)

	The potential for large-scale exploitation of these vulnerabilities
	against core internetworking infrastructure should not be ignored.
	In a worst-case scenario this may stop traffic within and to and
	from affected networks on the Internet.


SOLUTION: 

	As these vulnerabilities affect a common internetworking protocol,
	the primary emphasis should be on prevention and/or mitigation.
	Sites that implement SNMPv1 should consider adopting some or all
	of the following precautions:

	    Review the requirement for SNMP to be running on the network.
	    Disable SNMP functionality where it is not required.  It is
	    also important to identify where additional SNMP services that
	    are not required have been loaded as part of a default
	    configuration.

	    Apply the relevant vendor patch or adopt the recommended
	    workarounds as soon as possible after they are made available.

	    Apply network filtering to block access to SNMP services. Some
	    (but not all) port numbers for which you may wish to block
	    access are:

	    snmp            161/tcp
	    snmp            161/udp
	    snmptrap        162/tcp    snmp-trap
	    snmptrap        162/udp    snmp-trap
	    synotics-relay  391/tcp    #SynOptics SNMP Relay Port
	    synotics-relay  391/udp    #SynOptics SNMP Relay Port
	    snmp-tcp-port   1993/tcp   #cisco SNMP TCP port
	    snmp-tcp-port   1993/udp   #cisco SNMP TCP port

	    This should be done at the network perimeter as a minimum.
	    Such minimal filtering may assist against most externally based
	    attacks; however, it will not provide protection if the attack
	    comes from an internal network source. Additional network
	    filtering to block spoofed traffic and limit SNMP traffic to
	    legitimate source IP addresses will offer increased protection.
	    Where available for critical devices (e.g. firewall devices),
	    consider allowing SNMP only over VPN tunnels.

	    Consider changing the SNMP security configuration (e.g. community
	    strings) if default or easily guessable values are used.
	    Note:  This will provide increased resistance to attack for
	    some implementations; for others it will make no difference.

	    Ensure that all other system patches are up to date, to prevent
	    attacks of a related nature that may be facilitated by these
	    vulnerabilities.
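
	As an added illustration (not part of the AusCERT alert), the
	following Python audits observed flow records against the filtering
	policy described above: the alert's SNMP ports blocked at the
	perimeter, SNMP permitted only from legitimate management sources,
	and spoofed internal source addresses rejected. The internal
	ranges, management hosts and sample flows are constructed
	assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Destination ports named in the alert (snmp 161, snmptrap 162,
# synotics-relay 391, cisco snmp-tcp-port 1993), each on TCP and UDP.
SNMP_PORTS = {161, 162, 391, 1993}

# Assumed address plan for this example (not from the alert): the site's
# internal ranges and the management hosts legitimately allowed to send SNMP.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
MANAGEMENT_HOSTS = {ipaddress.ip_address("10.1.1.10"),
                    ipaddress.ip_address("10.1.1.11")}

@dataclass(frozen=True)
class Flow:               # one observed flow, e.g. from a firewall or NetFlow log
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    from_external: bool   # entered on the perimeter's outside interface

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def classify(flow: Flow):
    """Return None if the flow is acceptable under the policy, else the reason."""
    if flow.proto not in ("tcp", "udp") or flow.dport not in SNMP_PORTS:
        return None  # not one of the SNMP services listed in the alert
    if flow.from_external and is_internal(flow.src):
        return "spoofed: internal source address arrived on the external interface"
    if flow.from_external:
        return "perimeter: SNMP from outside the perimeter should be blocked"
    if ipaddress.ip_address(flow.src) not in MANAGEMENT_HOSTS:
        return "internal: SNMP from a non-management source"
    return None

def audit(flows):
    # (flow, reason) pairs for every flow that violates the policy
    return [(f, reason) for f in flows if (reason := classify(f)) is not None]

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.2.0.1", "udp", 161, True),   # Internet -> router
    Flow("10.1.1.10", "10.2.0.1", "udp", 161, True),     # internal address seen from outside
    Flow("10.1.1.10", "10.2.0.1", "udp", 161, False),    # management station, allowed
    Flow("10.5.5.5", "10.2.0.1", "tcp", 1993, False),    # workstation to cisco SNMP TCP port
    Flow("203.0.113.5", "10.2.0.1", "tcp", 80, True),    # not SNMP, out of scope
]
```

	Running audit(SAMPLE_FLOWS) reports the first, second and fourth
	flows; the same check can be run over exported firewall or NetFlow
	records to confirm the perimeter filtering is actually in effect.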

	AusCERT and other CSIRT teams are currently monitoring the problem.
	AusCERT will issue further bulletins on this issue when information
	becomes available.

---------------------------------------------------------------------------
AusCERT would like to thank the CERT/CC for its assistance with the
production of this alert, and Oulu University for uncovering these issues.
---------------------------------------------------------------------------

[AusCERT issues an alert when the risk posed by a vulnerability that may
not have been thoroughly investigated and for which a work-around or fix
may not yet have been developed requires notification.]

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
	
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================
