Interesting People mailing list archives
IP: More on Precautions Against SNMP Vulnerability -- a must read re vulnerability of the net
From: Dave Farber <dave () farber net>
Date: Fri, 15 Feb 2002 19:02:49 -0500
------ Forwarded Message
From: Karl Auerbach <karl () cavebear com>
Date: Fri, 15 Feb 2002 15:51:57 -0800 (Pacific Standard Time)
To: farber () cis upenn edu
Subject: Re: IP: Precautions Against SNMP Vulnerability

I don't know if you are aware of this, but back in the mid 1980's I founded Epilogue Technology Corporation. Epilogue eventually became one of the two dominant providers of SNMP for embedded systems. I wrote the original version of that SNMP code and there are now several million copies out there. So if there's somebody to blame, point at me. ;-)

(Excuse time: I know that I put a fair amount of cross-checking into my implementation of SNMP back in 1987. Apparently I didn't do enough. But then again, I haven't been associated with the software, nor made even a dime from it, since about 1991.)

But back to the real issue at hand - the matter isn't simple. SNMP, despite the "S", meaning "simple", in its name, is hardly a simple protocol at all. In fact it is quite complex and is very easy to mis-implement.

(SNMP version 1 really never claimed to be secure - the phrase "SNMP - Security Not My Problem" is not at all inappropriate, at least when applied to SNMP version 1. SNMP version 3 is another matter entirely.)

The recent announcements from the University of Oulu in Finland of SNMP vulnerabilities reflect part of the hidden non-simplicity of SNMP. But the University of Oulu work reflects only a relatively small part of the matter. SNMP is constructed on an arcane and complicated relic from the OSI wars - ASN.1/BER. It is extremely easy to mis-implement ASN.1/BER. And it was this layer of SNMP that the University of Oulu exercised.

It is hard to do deterministic testing of ASN.1/BER - a frequent result is the full or partial failure of the SNMP software and perhaps of the system in which it is embedded. (Because SNMP agents are used for "management" they are often privileged software and thus their faults often ramified to other parts of the system.)

But there's another aspect of SNMP, an aspect that is of perhaps greater gravity than the ASN.1/BER issues uncovered by the University of Oulu. This aspect is that of the quality of implementation of the overall protocol itself and of the way it is embedded into a device.

Why is this of greater gravity? Because once one gets past the standard problems of insufficient data format checking and buffer overruns, which is largely what the University of Oulu discovered - there is the bigger issue of misimplementation of the protocol itself.

I am associated with a company, InterWorking Labs (http://www.iwl.com/), that does protocol testing of SNMP. What has been seen over and over again is that even if people get the ASN.1/BER stuff at least partially right, there are still often great weaknesses in the protocol operation and, even more frequently, in the interaction of the SNMP code with the Management Information Bases (MIBs).

These kinds of weaknesses manifest themselves in often more insidious ways than the ASN.1/BER errors - rather than crashing systems (which is often a reasonably obvious event) such weaknesses often are manifested as erroneous control of a device.

To draw an analogy - I believe that once Boeing shipped some 737's in which the left and right engine fire lights were reversed. Such could cause great trouble if a fire were to occur, say while landing at a British airport, and the pilots were to shut down the wrong engine.

It is true that the Internet has not yet reached the stage of criticality of a flight control system. Yet the Internet is becoming a utility and an operator making a mistaken control change due to mis-implemented SNMP is not all that unforeseeable.

SNMP version 3 is coming along, slowly, and it has the security that SNMP version 1 lacks. Yet, that security will be as thin as tissue - and will provide equally little security - if it is mis-implemented.

As we have seen over and over again, large numbers of implementations of other Internet protocols have been discovered to be vulnerable to the same kinds of things that the University of Oulu exercised in SNMP - ill-formed data.

What scares me is that SNMP is but one Internet protocol of many. And I've seen many misimplementations of the SNMP protocol that go well beyond mere sensitivity to ill-formed data; I have no reason to doubt that other Internet protocol implementations are equally subject to these more sophisticated kinds of flaws.

I've gone on for a while here so let me finish up with a quick conclusion:

The bottom line is this: Much of the Internet is potentially a house of cards, networking software has often not been subjected to much testing, and if it has it is often same-kind-with-same-kind testing and only with minimal testing of the error-mode kinds of protocol interactions. We will probably never be able to do total and absolute testing of protocol implementations but we can certainly do a lot better than we are doing now.

--karl--

------ End of Forwarded Message

For archives see: http://www.interesting-people.org/archives/interesting-people/
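The ASN.1/BER length-handling weakness the message above describes (insufficient data format checking leading to buffer overruns when an agent is fed ill-formed data), shown as an added example that is not part of the original message and is not code from Epilogue, InterWorking Labs or the University of Oulu. It puts a naive BER length decoder that trusts the declared length beside a bounds-checked one, and walks the children of an SNMP-style SEQUENCE with the checked decoder. The function names, error codes and sample packets are my own; the packets are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded BER tag-length header. SNMP uses single-octet tags and
 * definite-length encoding only, so that is all the decoder accepts. */
typedef struct {
    uint8_t tag;        /* identifier octet */
    size_t  length;     /* declared content length */
    size_t  header_len; /* octets consumed by tag + length */
} ber_tl;

enum { BER_OK = 0, BER_ERR_TRUNCATED = -1, BER_ERR_LENGTH = -2, BER_ERR_TAG = -3 };

/* Naive decoder of the kind that fails on ill-formed input: it believes the
 * length octets and never compares them with the packet size. A caller that
 * copies or skips `length` bytes on its say-so reads past the packet. */
size_t naive_ber_length(const uint8_t *buf)
{
    uint8_t b = buf[1];
    if (b < 0x80)
        return b;
    size_t n = b & 0x7f, length = 0;
    for (size_t i = 0; i < n; i++)
        length = (length << 8) | buf[2 + i];
    return length;
}

/* Hardened decoder: every read is bounds-checked against len, the long-form
 * length may not overflow size_t, indefinite length is rejected, and the
 * declared content length must fit inside the buffer. */
int ber_decode_tl(const uint8_t *buf, size_t len, ber_tl *out)
{
    size_t pos = 0, length;
    if (len < 2)
        return BER_ERR_TRUNCATED;
    uint8_t tag = buf[pos++];
    if ((tag & 0x1f) == 0x1f)
        return BER_ERR_TAG;            /* multi-octet tag: not used by SNMP */
    uint8_t b = buf[pos++];
    if (b < 0x80) {
        length = b;                    /* short form */
    } else {
        size_t n = b & 0x7f;
        if (n == 0)
            return BER_ERR_LENGTH;     /* 0x80 = indefinite length, forbidden in SNMP */
        if (n > sizeof(size_t))
            return BER_ERR_LENGTH;     /* cannot be represented without overflow */
        if (n > len - pos)
            return BER_ERR_TRUNCATED;  /* the length octets themselves are cut off */
        length = 0;
        for (size_t i = 0; i < n; i++)
            length = (length << 8) | buf[pos++];
    }
    if (length > len - pos)
        return BER_ERR_TRUNCATED;      /* declared content exceeds the packet */
    out->tag = tag;
    out->length = length;
    out->header_len = pos;
    return BER_OK;
}

/* Validation-only wrapper around ber_decode_tl. */
int ber_check_tl(const uint8_t *buf, size_t len)
{
    ber_tl tl;
    return ber_decode_tl(buf, len, &tl);
}

/* Walks the children of a constructed element (e.g. the outer SEQUENCE of an
 * SNMP message) and returns their count, or a BER_ERR_* code at the first
 * malformed child. The arithmetic cannot run off the buffer because
 * ber_decode_tl guarantees header_len + length <= remaining. */
int ber_count_children(const uint8_t *buf, size_t len)
{
    ber_tl outer, child;
    int rc = ber_decode_tl(buf, len, &outer);
    if (rc != BER_OK)
        return rc;
    if (!(outer.tag & 0x20))
        return BER_ERR_TAG;            /* primitive element: no children */
    const uint8_t *p = buf + outer.header_len;
    size_t remaining = outer.length;
    int count = 0;
    while (remaining > 0) {
        rc = ber_decode_tl(p, remaining, &child);
        if (rc != BER_OK)
            return rc;
        p += child.header_len + child.length;
        remaining -= child.header_len + child.length;
        count++;
    }
    return count;
}

/* Constructed sample packets (hypothetical, not captured traffic). */
static const uint8_t sample_good[]         = {0x30,0x0b, 0x02,0x01,0x00, 0x04,0x06,'p','u','b','l','i','c'};
static const uint8_t sample_huge_len[]     = {0x30,0x84,0xff,0xff,0xff,0xff, 0x02,0x01,0x00};
static const uint8_t sample_indef[]        = {0x30,0x80, 0x02,0x01,0x00, 0x00,0x00};
static const uint8_t sample_len_overflow[] = {0x30,0x89, 1,2,3,4,5,6,7,8,9};
static const uint8_t sample_trunc_child[]  = {0x30,0x05, 0x02,0x01,0x00, 0x04,0x06};

int main(void)
{
    printf("good: children=%d\n", ber_count_children(sample_good, sizeof sample_good));
    printf("huge length: naive=%zu hardened=%d\n",
           naive_ber_length(sample_huge_len), ber_check_tl(sample_huge_len, sizeof sample_huge_len));
    printf("indefinite length: %d\n", ber_check_tl(sample_indef, sizeof sample_indef));
    printf("nine length octets: %d\n", ber_check_tl(sample_len_overflow, sizeof sample_len_overflow));
    printf("truncated child: %d\n", ber_count_children(sample_trunc_child, sizeof sample_trunc_child));
    return 0;
}
```

The naive decoder returns 0xffffffff for the 9-byte "huge length" packet, and any agent that then copies that many bytes into a fixed buffer is the crash-on-malformed-input case Karl describes; the checked decoder rejects the same packet as truncated before any content is touched. Non-minimal long-form lengths (e.g. 0x81 0x05 for 5) are deliberately still accepted, since BER, unlike DER, permits them.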