Who knew? The Simple Network Management Protocol (SNMP) has been around for a very long time, since the late 1980s in fact. But CERT, SANS, the Oulu University Secure Programming Group (OUSPG) in Finland and other major security analysts have now reported multiple vulnerabilities in many implementations of SNMP version 1, flaws that have evidently been there all along.
SNMP is used to manage and monitor all sorts of equipment, including computers, core routers and switches, broadband devices, printers and sniffers. The protocol works by exchanging Protocol Data Units (PDUs) between management stations and the devices they watch. Agents, the SNMP-enabled devices themselves, store data about their own state in Management Information Bases (MIBs) and return that data in response to requests from SNMP managers.
SNMP version 1 supports five different types of messages: GetRequest, GetNextRequest and SetRequest, sent by a manager to an agent; GetResponse, the agent's reply; and Trap, an unsolicited notification sent by an agent to a manager.
The flaws exist in both trap and request handling: a manager can be attacked with a malformed trap, and an agent with a malformed request.
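The following Python is an added example, not code from the original report or from any vendor's SNMP implementation. It shows what these messages look like on the wire: it builds an SNMPv1 GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0, chosen here for illustration) with the community string public, and decodes messages back while checking every BER length field against the bytes actually present, so that a packet whose length fields lie is refused rather than read past its end. The malformed packets used with it are constructed for the example; the length check is a generic robustness measure, not a reconstruction of any specific reported flaw.

```python
# Added example: a strict SNMPv1 BER encoder/decoder; not the article's or any vendor's code.
# Trap (0xA4) has a different body layout (enterprise, agent-addr, ...) and is not decoded here.
PDU_TAGS = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}

class SnmpDecodeError(ValueError): pass   # raised on malformed input instead of over-reading

def ber_len(n):                   # BER length: short form below 128, else 0x80|count + bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def enc_int(v):                   # minimal two's-complement INTEGER for v >= 0
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def enc_oid(oid):                 # first two arcs share one byte; the rest are base-128
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]        # low 7 bits go last on the wire; higher groups carry bit 7
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_get_request(community, oids, request_id=1):
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU }."""
    varbinds = b"".join(tlv(0x30, enc_oid(o) + tlv(0x05, b"")) for o in oids)
    pdu = tlv(0xA0, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, varbinds))
    return tlv(0x30, enc_int(0) + tlv(0x04, community.encode("ascii")) + pdu)

def read_tlv(buf, pos, end, want=None, exact=False):
    """Parse tag/length at pos -> (tag, value_start, value_end), never letting value_end pass end."""
    if pos + 2 > end:
        raise SnmpDecodeError("truncated header at offset %d" % pos)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F     # long form; 0 (indefinite length) is not valid BER here
        if nbytes == 0 or nbytes > 4 or pos + nbytes > end:
            raise SnmpDecodeError("bad long-form length at offset %d" % pos)
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if length > end - pos:        # the check a naive decoder skips: claimed length vs. bytes present
        raise SnmpDecodeError("length %d exceeds the %d bytes remaining" % (length, end - pos))
    if want is not None and tag != want:
        raise SnmpDecodeError("expected tag 0x%02X, got 0x%02X" % (want, tag))
    if exact and pos + length != end:   # element must fill its container completely
        raise SnmpDecodeError("%d trailing bytes after tag 0x%02X" % (end - pos - length, tag))
    return tag, pos, pos + length

def dec_int(buf, pos, end):
    _, s, e = read_tlv(buf, pos, end, 0x02)
    return int.from_bytes(buf[s:e], "big", signed=True), e

def dec_oid(buf, s, e):
    if e == s:
        raise SnmpDecodeError("empty OID")
    arcs, val, pending = [buf[s] // 40, buf[s] % 40], 0, False
    for b in buf[s + 1:e]:
        val, pending = (val << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(val)
            val = 0
    if pending:
        raise SnmpDecodeError("OID ends inside a multi-byte arc")
    return ".".join(map(str, arcs))

def parse_message(buf):
    """Decode a GetRequest/GetNextRequest/GetResponse/SetRequest message into a dict."""
    _, s, e = read_tlv(buf, 0, len(buf), 0x30, exact=True)
    version, pos = dec_int(buf, s, e)
    if version != 0:
        raise SnmpDecodeError("version %d is not SNMPv1" % version)
    _, cs, ce = read_tlv(buf, pos, e, 0x04)
    tag, ps, pe = read_tlv(buf, ce, e, exact=True)
    if tag not in PDU_TAGS:
        raise SnmpDecodeError("unsupported PDU tag 0x%02X" % tag)
    request_id, pos = dec_int(buf, ps, pe)
    error_status, pos = dec_int(buf, pos, pe)
    error_index, pos = dec_int(buf, pos, pe)
    _, pos, ve = read_tlv(buf, pos, pe, 0x30, exact=True)
    varbinds = []
    while pos < ve:               # VarBind ::= SEQUENCE { name OBJECT IDENTIFIER, value ANY }
        _, bs, be = read_tlv(buf, pos, ve, 0x30)
        _, os_, oe = read_tlv(buf, bs, be, 0x06)
        vtag, v0, v1 = read_tlv(buf, oe, be, exact=True)
        varbinds.append((dec_oid(buf, os_, oe), vtag, bytes(buf[v0:v1])))
        pos = be
    return {"version": version, "community": buf[cs:ce].decode("ascii", "replace"),
            "pdu": PDU_TAGS[tag], "request_id": request_id,
            "errors": (error_status, error_index), "varbinds": varbinds}

def is_rejected(buf):             # True if the decoder refuses buf cleanly, False if it parses
    try:
        return parse_message(buf) is None
    except SnmpDecodeError:
        return True
```

With the constructed request, parse_message(build_get_request("public", ["1.3.6.1.2.1.1.1.0"])) returns the version, community, PDU type, request id and variable bindings; a copy whose outer length byte is patched to claim 127 bytes, or one cut three bytes short, is refused with SnmpDecodeError at the first length that does not fit. The same bounds discipline applies on the trap side, where a manager decodes Trap-PDUs whose body layout differs from the request PDUs handled here.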
There has been some discussion about what network managers should do, given that several major brands of firewall use SNMP themselves and may therefore be vulnerable, but prudence would seem to dictate that until the appropriate patches are applied, the ports SNMP uses (normally UDP port 161 for requests and UDP port 162 for traps) should be shut down for the nonce.
CERT has published a vendor-by-vendor listing of whether each implementation is vulnerable and the date of its latest patch. Now that the cat is out of the bag, and those who would break into systems know about these flaws, it is paramount that network managers apply those patches as soon as possible.
Double-check that your firewalls are filtering out unauthorized SNMP traffic, and consider disabling the SNMP service on equipment for which patches are not yet available.
For some time now there has been a movement to define a new, more robust version of the protocol, SNMP 2, that would provide additional information, but adoption has been slow. However, for reasons unrelated to these recent reports, there may be life in this proposed standard yet. We'll have the story on that next week.