Date: 12 February 2002
Summary
Multiple vulnerabilities have been discovered in a wide range of vendor implementations of the Simple Network Management Protocol version 1 (SNMPv1). The impact varies across numerous hardware and software products and devices and ranges from denial of service to system-level compromise. It has been assessed that these vulnerabilities have the potential to affect critical infrastructure in Australia that uses SNMP.
Many of the affected vendors have been working to develop and deliver the appropriate range of patches, fixes and workarounds for their products. Network operators and system administrators who have not already been contacted by their vendor should contact their vendor support lines.
CERT/CC has informed us that a public release date for the multiple SNMP vulnerabilities will be 13 February 2002.
Background
In late 2001 the Oulu University Secure Programming Group (OUSPG) in Finland and CERT/CC in the United States began approaching a large number of hardware and software vendors following the discovery of multiple vulnerabilities in various implementations of SNMPv1. The vulnerabilities were identified with a test suite, PROTOS Test-Suite c06-snmpv1, designed to abuse the SNMPv1 protocol in unsupported and unexpected ways by delivering syntactically or semantically invalid SNMP messages to a range of devices that use SNMP. In designing the test suite OUSPG noted that:
SNMP agents and trap-aware managers are by design ready to accept incoming requests and traps without prior session set-up;
all SNMP implementations must support SNMPv1;
SNMP is implemented in a range of devices that form part of the core Internet infrastructure.
The test suite developed by the OUSPG demonstrated and exploited numerous vulnerabilities in multiple vendor implementations of the SNMPv1 protocol to produce a range of results including:
denial of service (DOS) conditions
service interruptions and unstable behaviour
full administrative control of the targeted device.
None of these results occur under normal use of SNMPv1; they required the malformed messages generated by the test suite.
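To make "syntactically or semantically invalid SNMP messages" concrete, the following is an added example in Python (not code from OUSPG, CERT/CC or AusCERT): a minimal SNMPv1 BER encoder that builds an ordinary GetRequest, a decoder that checks every declared length against the bytes actually present before using it, and a handful of PROTOS-style mutations of the valid packet. The sample packet, the mutation offsets and all function names are this example's own assumptions; the real suite generated far more cases than these.

```python
"""Added example (not OUSPG/PROTOS code): a minimal SNMPv1 BER encoder and a
decoder that refuses the input class the c06-snmpv1 suite delivered, namely
messages whose length fields disagree with the bytes actually present."""

TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID = 0x02, 0x04, 0x05, 0x06
TAG_SEQUENCE, TAG_GET_REQUEST = 0x30, 0xA0  # GetRequest-PDU is [0] IMPLICIT (RFC 1157)
CONSTRUCTED = 0x20                          # BER "constructed" bit in the tag octet
SNMP_V1 = 0
DEFAULT_COMMUNITIES = {b"public", b"private"}  # the values recommendation 4 warns about

class MalformedSNMP(ValueError): pass

def ber_len(n):                               # encoder side: short form below 128
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # long form: 0x8N then N length octets

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def encode_int(v):
    return tlv(TAG_INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def encode_oid(arcs):
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                      # base 128, high bit set on all but the last octet
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))

def build_get_request(community, oid, request_id=1):
    varbind = tlv(TAG_SEQUENCE, encode_oid(oid) + tlv(TAG_NULL, b""))
    pdu = tlv(TAG_GET_REQUEST, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(TAG_SEQUENCE, varbind))
    return tlv(TAG_SEQUENCE, encode_int(SNMP_V1) + tlv(TAG_OCTET_STRING, community) + pdu)

def read_tlv(buf, pos, limit):                # decoder side: (tag, value_start, value_end)
    if pos + 2 > limit:
        raise MalformedSNMP("truncated tag/length at offset %d" % pos)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:                   # indefinite form is not valid BER for SNMP
            raise MalformedSNMP("unsupported length encoding 0x%02x" % first)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > limit:                  # the check an overly trusting decoder omits
        raise MalformedSNMP("declared length %d exceeds %d available bytes" % (length, limit - pos))
    return tag, pos, pos + length

def validate(buf, pos, limit):                # every constructed element must tile its contents
    while pos < limit:
        tag, start, end = read_tlv(buf, pos, limit)
        if tag & CONSTRUCTED:
            validate(buf, start, end)
        pos = end

def parse_message(buf):                       # validate the whole structure, then read the header
    validate(buf, 0, len(buf))
    tag, start, end = read_tlv(buf, 0, len(buf))
    if tag != TAG_SEQUENCE or end != len(buf):
        raise MalformedSNMP("message is not a single SEQUENCE")
    tag, vs, ve = read_tlv(buf, start, end)
    if tag != TAG_INTEGER or int.from_bytes(buf[vs:ve], "big", signed=True) != SNMP_V1:
        raise MalformedSNMP("not an SNMPv1 message")
    tag, cs, ce = read_tlv(buf, ve, end)
    if tag != TAG_OCTET_STRING:
        raise MalformedSNMP("community string missing")
    community = bytes(buf[cs:ce])
    pdu_tag, _, _ = read_tlv(buf, ce, end)
    return {"community": community, "pdu_tag": pdu_tag, "default_community": community in DEFAULT_COMMUNITIES}

def inspect(buf):                             # ('ok', header) or ('malformed', reason)
    try:
        return "ok", parse_message(bytes(buf))
    except MalformedSNMP as exc:
        return "malformed", str(exc)

def protos_style_cases(packet):               # mutations of a packet whose community length is short form
    cases = {}
    for name, offset, value in (("outer length 0xFF", 1, 0xFF), ("community length 0x7F", 6, 0x7F),
                                ("PDU length 0x7F", 8 + packet[6], 0x7F), ("version 1 not 0", 4, 1)):
        mutated = bytearray(packet)
        mutated[offset] = value
        cases[name] = bytes(mutated)
    cases["datagram truncated"] = packet[:-5]  # constructed: drop the last 5 bytes
    return cases

if __name__ == "__main__":
    pkt = build_get_request(b"public", (1, 3, 6, 1, 2, 1, 1, 1, 0))  # sysDescr.0, constructed
    for name, case in [("baseline", pkt)] + list(protos_style_cases(pkt).items()):
        print("%-24s %s" % (name, inspect(case)))
```

Run as a script, the baseline packet parses and every mutated case is rejected with the reason. The single comparison `pos + length > limit` is what separates a decoder that survives this kind of input from one that copies or indexes past the end of the datagram; the parsed community string is also the value recommendation 4 below asks you to audit.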
SNMP is the most widely used protocol for managing network devices; it is designed to exchange management information between networked devices. SNMP operates at the application layer of the ISO/OSI model and is formally defined in RFC 1157. It normally runs over UDP, with agents listening on port 161 and managers receiving traps on port 162; some implementations also accept SNMP on the same port numbers over TCP. SNMP enables network and system administrators to remotely monitor, configure and control devices and services on the network. It runs on a multitude of operating systems and devices including:
Core network devices (eg routers, switches, hubs, bridges, firewalls and wireless network access points);
Consumer broadband network devices (eg cable and DSL modems);
Consumer electronic devices (eg cameras and image scanners);
Networked office equipment (eg printers, copiers and fax machines);
Network management systems (eg servers, network sniffers and analysers);
Networked medical, manufacturing and processing equipment (eg imaging equipment, oscilloscopes etc).
Running the OUSPG test suite on a number of well known and commonly used devices and operating systems has demonstrated that:
some switches will crash and reboot when subjected to malicious SNMP packets, making them unavailable for network operations.
a number of operating systems will allow an attacker to run arbitrary code on the target host; in some cases the vulnerabilities are exploitable without knowing a valid SNMP community name or the actual IP address of the target host, and in some cases every installation on the network can be affected by sending a single packet to the network broadcast address.
some applications can be remotely rebooted or halted, and in some cases a manual power cycle is required before the target host is able to resume normal operation.
As of the end of January 2002 over 225 software vendors had been approached, many of whom were vulnerable to some part of the OUSPG SNMP test suite. Fortunately most of the major hardware and software vendors have confirmed that they have completed or are working on fixes for the range of SNMP vulnerabilities across their most critical product lines. The equipment that operates the core Internet infrastructure (eg routers and switches) has been identified as a critical area with the highest priority.
Impact
While the full potential of these vulnerabilities is still being assessed a number of factors combine to indicate that the impact could be both wide and serious.
These factors include the following:
A large number of vendors are unlikely to have patches available for all the affected devices and operating systems by either 13 February or 20 February 2002. However, because the 20 February release date was chosen in conjunction with vendors, most major vendors are expected to have fixes available by that time.
In some large networks the period required to apply the patches/work-arounds to all affected equipment once they are released/available could vary from several days to weeks and possibly months.
A large proportion of critical networking equipment (eg, routers, switches, hubs, bridges) from major vendors, including those that form a key part of the backbone to the Internet, exhibit multiple SNMP vulnerabilities.
If network devices with the SNMP vulnerabilities are exploited and fail, traffic both within LANs and to and from the Internet could stop.
The large numbers of affected implementations from multiple vendors across a wide range of platforms/devices which use SNMP, combine to create a wide range of potential targets in many networks.
Some of the vulnerabilities can be exploited in an indiscriminate manner via broadcast traffic without knowing any specific configuration information such as specific target node or community names.
Exploits
At the present time there are no known exploits targeting the vulnerabilities identified by the test suite. However, as with other known vulnerabilities, it is possible that skilled attackers will develop tools including self-propagating worms, to automatically exploit affected systems and make these tools available for others to use.
Information about the SNMP vulnerabilities continues to leak. CERT/CC has reported that some attacker groups are somewhat aware of the existence of these SNMP vulnerabilities and are actively attempting to determine the nature of the vulnerabilities.
Recommendations
Because of the wide variety of devices and systems affected by this issue it is not possible to prescribe any particular solutions. Network operators and system administrators who have not already been contacted by their vendor should contact their vendor support lines.
Some or all of the following steps should be considered:
1. Review the requirement for SNMP to be running on the network. Disable SNMP functionality where it is not required. It is also important to identify where additional SNMP services that are not required have been loaded as part of a default configuration.
2. Apply the relevant vendor patch or adopt the recommended workarounds as soon as possible after they are made available.
3. Apply network filtering to block access to SNMP services (UDP ports 161 and 162, and TCP ports 161 and 162 where an implementation also listens there). This should be done at the network perimeter as a minimum. Perimeter filtering helps against most externally based attacks but offers no protection if the attack comes from an internal network source. Additional filtering to block spoofed traffic and to limit SNMP traffic to legitimate management source IP addresses offers increased protection; note that because SNMP is normally carried over UDP, a source-address restriction is only as strong as the anti-spoofing filters behind it. Blocking directed broadcasts at routers also confines the broadcast-based variants described above to the local segment. Where available for critical devices (eg firewall devices), consider allowing SNMP only over VPN tunnels.
4. Change the SNMP security configuration (eg community strings) if default or easily guessable values are in use. Note: this increases resistance to attack for some implementations; for those that fail while decoding the message, before the community string is checked (see Background), it makes no difference.
Disclaimer
AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The appropriateness of this document for an organisation or individual system should be considered before application in conjunction with local policies and procedures. AusCERT takes no responsibility for the consequences of applying the contents of this document.