SNMP Security Flaw Threatens Network Infrastructure
By Steven Bonisteel, Newsbytes
PITTSBURGH, PENNSYLVANIA, U.S.A.,
12 Feb 2002, 5:11 PM CST
Network administrators are being urged to fix - or at least shield from attackers - a veritable laundry-list of Internet-connected equipment that may be vulnerable because of flaws in software that helps control them. The CERT Coordination Center of Carnegie Mellon University's Software Engineering Institute said the problem might allow malicious hackers to snarl equipment ranging from routers and switches at the heart of the Internet to the high-speed modems that deliver Net access to cable and digital subscriber line (DSL) customers.
CERT said the problem is so widespread because it is rooted in the Simple Network Management Protocol (SNMP) that is widely used for remote management of such devices.
The experts said that the vulnerabilities - which can be found in SNMP code embedded in firmware and in software applications - could open important infrastructure to denial of service attacks. Some combinations of equipment and vulnerable SNMP code - like a computer workstation - might be susceptible to hijacking.
The CERT bulletin said that researchers at Finland's Oulu University Secure Programming Group (OUSPG) found related SNMP vulnerabilities in equipment from a variety of vendors. A number of other vendors have since reported similar problems, and many have released patches.
But Chris Rouland, director of the X-Force research team at Internet Security Systems in Atlanta, said applications and pieces of networking equipment have yet to be tested. What's more, he said, many are unlikely to be tested or fixed because vendors no longer support the products or have gone out of business.
"It's a huge problem," he said. "This is more serious than Code Red. This is probably an eight or a nine on a scale of one to 10."
Rouland said Code Red, the fast-spreading worm that cut a wide swath through Internet-connected Windows Web servers last year, was a highly successful attack on a fairly simple vulnerability in certain software from Microsoft Corp. He said the SNMP problem is dramatically more complex and could lead to more dire consequences if administrators don't act to shore up their systems.
Ironically, the Windows Web server bugs that allowed Code Red to spread, and worms like Nimda after it, were well known to many network administrators and had been fixed by Microsoft before malicious individuals exploited them.
Rouland said the enormity of the SNMP problem is partly defined by the long list of vendors whose equipment may be vulnerable because of it.
"We've never seen a single vulnerability that affected over 100 vendors," he said. "It just did not exist. This is new."
While SNMP is widely used in devices on internal corporate LANs, in manufacturing and processing systems, networked medical imaging equipment, and even consumer electronic devices, Rouland said a top priority for most administrators will be securing SNMP equipment that is connected to the public Internet.
The larger and more distributed a company's network is, the more likely it is to be managing that equipment with the help of SNMP, he said.
Rouland said a prototype tool has already been built by the researchers in order to demonstrate the possibility of SNMP holes being exploited by hackers on a wide scale.
In certain instances, he said, a hacker might be able to disable multiple devices on a single Internet subnet - say, an entire neighborhood of cable-modem users - with a single SNMP-busting command.
CERT said network administrators should move quickly to ensure that network firewalls are filtering out unauthorized SNMP data traffic. Additionally, SNMP services on equipment for which patches are not yet available should be disabled if possible.
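The filtering advice above is easy to state and easy to get wrong in practice, so here is an added example (not code from the article, CERT or OUSPG) of how an administrator might audit it: the script reads constructed flow records, flags SNMP traffic (UDP 161 for agent queries and sets, UDP 162 for traps) that crosses the boundary from or to anywhere other than an assumed management subnet, and emits the iptables rules that would drop such traffic at a firewall in front of the managed devices. The management CIDR, device addresses and log lines are all constructed sample values.

```python
"""Audit SNMP exposure against an allow-list of management hosts.

Added example, not part of the Newsbytes article or the CERT advisory.
Policy checked here (an assumption for this example):
  - UDP/161 (queries/sets) may only come FROM the management subnet
  - UDP/162 (traps) may only go TO the management subnet
Anything else is reported, and iptables rules enforcing the same
policy are generated for a firewall in front of the managed devices.
"""
import ipaddress
import re

SNMP_AGENT_PORT = 161   # queries and sets arrive at the device here
SNMP_TRAP_PORT = 162    # traps are sent from the device to the NMS here

# Constructed allow-list: only the network management station subnet.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.100.0/24")]

# Constructed flow record format: "<date> <time> <proto> <src>:<sport> -> <dst>:<dport>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>udp|tcp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_flow(line):
    """Return a dict for a well-formed flow line, or None for anything else."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def in_management_net(addr, nets=MANAGEMENT_NETS):
    return any(addr in n for n in nets)


def find_unauthorised_snmp(lines, nets=MANAGEMENT_NETS):
    """Return (timestamp, src, dst, port, reason) for each policy violation."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f is None or f["proto"] != "udp":
            continue  # SNMP is UDP; unparseable lines are skipped, not trusted
        if f["dport"] == SNMP_AGENT_PORT and not in_management_net(f["src"], nets):
            findings.append((f["ts"], str(f["src"]), str(f["dst"]), f["dport"],
                             "SNMP query from outside management net"))
        elif f["dport"] == SNMP_TRAP_PORT and not in_management_net(f["dst"], nets):
            findings.append((f["ts"], str(f["src"]), str(f["dst"]), f["dport"],
                             "SNMP trap sent to non-management host"))
    return findings


def iptables_rules(nets=MANAGEMENT_NETS, chain="FORWARD"):
    """Rules for a firewall in front of the devices: allow 161 from the NMS
    subnet only, drop every other inbound SNMP datagram."""
    rules = [f"iptables -A {chain} -p udp --dport {SNMP_AGENT_PORT} -s {n} -j ACCEPT"
             for n in nets]
    rules.append(f"iptables -A {chain} -p udp --dport {SNMP_AGENT_PORT} -j DROP")
    rules.append(f"iptables -A {chain} -p udp --dport {SNMP_TRAP_PORT} -j DROP")
    return rules


# Constructed sample flows (RFC 5737 documentation addresses, not real hosts).
SAMPLE_FLOWS = [
    "2002-02-12 17:11:03 udp 10.0.100.7:40123 -> 192.0.2.10:161",    # NMS query: ok
    "2002-02-12 17:11:04 udp 203.0.113.5:53212 -> 192.0.2.10:161",   # outsider query
    "2002-02-12 17:11:05 udp 192.0.2.10:161 -> 10.0.100.7:40123",    # reply: ignored
    "2002-02-12 17:11:06 udp 192.0.2.10:1024 -> 10.0.100.9:162",     # trap to NMS: ok
    "2002-02-12 17:11:07 udp 192.0.2.10:1024 -> 198.51.100.44:162",  # trap leaving
    "2002-02-12 17:11:08 tcp 203.0.113.5:4444 -> 192.0.2.10:80",     # not SNMP
    "this line is not a flow record",                                # skipped
]

if __name__ == "__main__":
    for finding in find_unauthorised_snmp(SAMPLE_FLOWS):
        print("VIOLATION", *finding)
    print("\n".join(iptables_rules()))
```

Run as-is it reports the outsider query and the trap leaving for a non-management host, then prints three iptables lines. The rule order matters: the ACCEPT for the management subnet must precede the blanket DROP, and a device that cannot be patched should additionally have its SNMP agent switched off, since a firewall rule protects only the paths that pass through that firewall.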
More information for CERT is available at http://www.cert.org/advisories/CA-2002-03.html
OUSPG's findings are at http://www.ee.oulu.fi/research/ouspg...ng/c06/snmpv1/
Reported by Newsbytes.com, http://www.newsbytes.com