more SNMP notes

[Robert Graham <robert_david_graham () yahoo com>]

Some quick key points:

This is big. I strongly recommend disabling SNMP on as many devices as
possible.

It isn't a single vulnerability, but a suite of potentially hundreds of
vulnerabilities.

This is just the beginning, more will be coming.

These problems aren't new; they have been known since the early 1990s. It's
just that SNMP developers have always though of them as "bugs" rather than
"vulnerabilities".

Thousands of different devices, such as printers, are vulnerable. Somebody is
going to develop an exploit that compromises the printer and forwards copies of
everything printed back out to the hacker. This is only one example of the
severity of the problem - there are many closed systems that cannot be updated;
you can often disable SNMP, but you cannot update it and fix the bugs.

You should also block UDP port 7 (echo) on your firewalls. Spoofed SNMP
requests can be bounced off of such ports.

Don't rely upon IP access control lists to protect you. UDP is stateless and
packets can be spoofed.

SNMP has always been a huge vulnerability, even when it could not be directly
exploited. Your first impulse should always be to disable it. There are
exploits that have been used in the underground for years that still haven't
made it to bugtraq.

Some older versions of Solaris (2.6?) put n SNMP service at a port in the range
32768-32800 (same vulnerability as putting a portmapper at a high port). This
wasn't mentioned in the CERT advisory. If you are a heavy Sun shop, these
should be blocked anyway.

Monitor the "snmp" group at 1.3.6.1.2.1.11. Some of these statistics will track
some of the bad stuff that this exploits generates. It's a poor-man's network
IDS to detect people playing around on your network.

Robert Graham


__________________________________________________
Do You Yahoo!?
Send FREE Valentine eCards with Yahoo! Greetings!
http://greetings.yahoo.com