Several SNMP security vulnerabilities have been addressed in a CERT advisory. These vulnerabilities all involve SNMPv1 implementations and their improper handling of SNMP requests. The vulnerabilities have a wide range of impacts, depending on the type of device or system and the system's implementation of SNMPv1. The impacts range from a denial of service (DoS) to allowing remote root access. A tool was developed to test and exploit these vulnerabilities and is currently available on the Internet.
The vulnerabilities are due to the way SNMPv1 handles trap messages (CAN-2002-0012) sent from agents to managers, and request messages (CAN-2002-0013) sent from managers to agents. SNMPv1 contains several vulnerabilities in the decoding and processing of these messages.
Several vendors' systems with SNMPv1 installed are vulnerable, and the vendors have released or are developing patches for these vulnerabilities. Users should contact the appropriate vendor to see if they are vulnerable, and for additional information concerning the availability of patches. The vulnerability is most likely to affect networking devices, such as routers, switches, hubs, bridges and modems, and operating systems with remote management software installed.
The Emulex 1Gbit Fibre Channel Hub is potentially vulnerable to this DoS when targeted for attack with the SNMP PROTOS test suite.
Several workarounds to mitigate the vulnerabilities are also available. Systems that do not use SNMP are not vulnerable.
Patches are available.
Indicators of Compromise
Users running SNMPv1 on any device or system are vulnerable. Users should check with the appropriate vendors to determine if they are vulnerable.
Increased scanning of UDP ports 161 and 162, and 1993 on any Cisco devices may indicate attempts to identify vulnerable systems.
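As an added illustration of this indicator (not part of the Cisco alert), the following script flags sources that probe several hosts on UDP 161, 162 or 1993 in constructed iptables-style drop log lines; the log format, the field names and the threshold of three distinct targets are assumptions.

```python
import re
from collections import defaultdict

# UDP ports the alert names as scan targets: SNMP agent, SNMP trap, and Cisco's 1993.
SNMP_PORTS = {161, 162, 1993}

# Constructed, iptables-style firewall drop lines (not from a real device).
SAMPLE_LOG = """\
Feb 13 10:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=40001 DPT=161
Feb 13 10:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=UDP SPT=40001 DPT=161
Feb 13 10:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=UDP SPT=40001 DPT=1993
Feb 13 10:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.13 PROTO=UDP SPT=40001 DPT=162
Feb 13 10:01:04 fw kernel: DROP IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=UDP SPT=55000 DPT=161
Feb 13 10:01:05 fw kernel: DROP IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=55001 DPT=80
Feb 13 10:01:06 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.20 PROTO=UDP SPT=1234 DPT=53
"""

# Assumed field layout: SRC, DST and PROTO in that order, DPT somewhere after them.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

def snmp_scan_sources(log_text, min_targets=3):
    """Map each source that hit >= min_targets distinct hosts on an SNMP port to its sorted targets."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "UDP" or int(m["dpt"]) not in SNMP_PORTS:
            continue                      # ignore non-UDP traffic and unrelated ports
        targets[m["src"]].add(m["dst"])
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}
```

A single probe from 198.51.100.5 is below the threshold and is not reported; lowering min_targets to 1 lists every source that touched an SNMP port.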
The Emulex 1Gbit Fibre Channel Hub is vulnerable.
The PROTOS test suite identified vulnerabilities that can be broken into two groups: the SNMPv1 trap handling (CAN-2002-0012) and the SNMPv1 handling of GetRequest, GetNextRequest and SetRequest messages (CAN-2002-0013). The vulnerabilities identified are primarily improper decoding and handling of "exceptional" ASN.1 Basic Encoding Rules that trigger unintended results from the system or device.
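To make the decoding problem concrete, here is an added example (not code from the advisory or from the PROTOS suite) of a defensive BER reader for the outer SNMPv1 message that refuses the exceptional length encodings a naive decoder would trust. The sample datagrams are constructed, and the four-octet ceiling on long-form length fields is an assumption chosen for UDP-sized messages.

```python
class BerError(ValueError):
    """Any encoding the reader refuses to process."""

def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the BER element at buf[pos:]."""
    if pos + 2 > len(buf):
        raise BerError("truncated: need tag and length octets")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: the octet is the length
        length = first
    elif first == 0x80:                   # indefinite form: SNMP permits definite lengths only
        raise BerError("indefinite length is not allowed in SNMP")
    else:                                 # long form: low 7 bits = number of length octets
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):   # assumption: >4 octets can never describe a UDP datagram
            raise BerError("bad long-form length field (%d octets)" % n)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    # The defect class behind these CVEs: trusting `length` and reading past the buffer.
    if length > len(buf) - pos:
        raise BerError("length %d exceeds %d remaining bytes" % (length, len(buf) - pos))
    return tag, buf[pos:pos + length], pos + length

def parse_message(buf):
    """Decode the outer SNMPv1 Message: SEQUENCE { version INTEGER, community OCTET STRING, PDU }."""
    tag, body, end = read_tlv(buf)
    if tag != 0x30 or end != len(buf):
        raise BerError("outer element must be one SEQUENCE filling the datagram")
    vtag, version, p = read_tlv(body)
    ctag, community, p = read_tlv(body, p)
    ptag, pdu, p = read_tlv(body, p)
    if (vtag, ctag, p) != (0x02, 0x04, len(body)) or int.from_bytes(version, "big") != 0:
        raise BerError("expected INTEGER 0 (version-1), OCTET STRING community, then PDU")
    return {"community": community, "pdu_tag": ptag, "pdu": pdu}

def classify(buf):
    """'accepted', or the reason the datagram was refused; usable as a test-harness oracle."""
    try:
        parse_message(buf)
        return "accepted"
    except BerError as e:
        return "rejected: " + str(e)

# Constructed, well-formed GetRequest for sysDescr.0 with community "public" (not a capture).
GOOD = bytes.fromhex("3026" "020100" "0406" "7075626c6963" "a019" "020101" "020100"
                     "020100" "300e" "300c" "0608" "2b06010201010100" "0500")
OVERSIZED = bytes.fromhex("3084ffffffff") + GOOD[2:]   # outer length claims about 4 GiB
INDEFINITE = bytes.fromhex("3080") + GOOD[2:]          # outer length octet 0x80 (indefinite)
```

Each rejection names the encoding feature that triggered it, so the same reader can be run over a corpus of malformed datagrams to see which exceptional cases an implementation must survive.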
Very detailed technical descriptions of the problems and the test suite are available from the link in TruSecure Comments.
Network administrators are advised to identify all systems that have SNMP installed, whether enabled or disabled, and that are publicly accessible. These devices are the most likely to be attacked, and will most likely be exploited to create a DoS. Network management consoles are particularly vulnerable if they are identified by an attacker. It is highly recommended that these systems and devices be secured immediately.
These vulnerabilities were identified using the Oulu University PROTOS SNMPv1 test suite. This is the same group and test suite that were used to identify multiple vulnerabilities in the Lightweight Directory Access Protocol (LDAP) implementations reported in Alert 2443 and Cert Advisory CA-2001-18. The test suite is designed to test the extremes of implementations using valid, exceptional and invalid requests to identify decoding and handling vulnerabilities.
Additional technical information on the test suite and the technical details of the tests are available at the following link: PROTOS Test Suite: SNMPv1
Many systems do not have SNMP enabled, and very few have SNMP enabled by default. Many organizations block all SNMP traffic at the perimeter and only allow SNMP traffic within the trusted network. This can be verified by looking for systems with the SNMP ports UDP 161 and 162 open or listening. On Cisco devices it is port 1993.
Organizations that are heavily impacted by these vulnerabilities are advised to start at their perimeter and secure the networking devices that are likely to be exploited by remote users, such as routers, switches, gateways and Wireless Access Points (WAP). Once these systems are secured, attention can be turned to devices and systems on the trusted network or that are better protected, such as network management consoles, office equipment and Uninterruptible Power Supplies (UPS).
Many vendors have products and systems that use SNMP. The links provided in Patches/Software are not a complete list of vulnerable products. Users are advised to identify the systems with SNMP installed, whether enabled or disabled, and contact that vendor for additional information.
SNMP is a commonly used network management protocol. Most operating systems, routers, switches, cable or DSL modems, and firewalls are shipped with a SNMP service. The PROTOS testing suite is designed to test the SNMP service with a variety of malformed and unexpected requests. The PROTOS test suite can also be used maliciously against vulnerable devices to disrupt the SNMP service.
Many systems and devices have been identified as vulnerable to the tests included in the PROTOS testing suite. Almost all vulnerable systems can be protected by restricting or disabling the SNMP service, which is also a recommended best practice. SGI announced that they do not intend to release patches for the Emulex Fibre Channel Hub, but do recommend that users apply the workarounds.
Users who rely on SNMP service can take the following steps to help improve system security:
Apply a patch from the appropriate vendor.
Disable all nonessential SNMP software.
Filter SNMP access to managed devices to ensure the traffic originates from known management systems.
Filter SNMP services at the network perimeter.
Change SNMP community strings from their defaults.
Segregate network management traffic to a separate network.
Users who do not require IP connections to the Emulex hub for administration can disconnect it from the Ethernet without disrupting Fibre Channel operations.
Cisco has re-released security advisories at the following links: IOS and Non-IOS
Debian has re-released a security advisory at the following link: DSA-111-1
Hewlett-Packard has re-released a security bulletin for registered users at the following link: HPSBUX0202-184. HP has released a security bulletin for registered users at the following link: HPSBMP0206-015
Red Hat has released a security advisory at the following link: RHSA-2001:163-23
All ucd-snmp versions prior to 4.2.2 are susceptible to this vulnerability, and users of those versions are encouraged to upgrade their software as soon as possible: net-snmp. Version 4.2.2 and higher are not susceptible.
3Com customers should ensure that they upgrade to the following Agent versions:
Lotus Domino customers should upgrade to version R5.0.1a of the Lotus Domino SNMP Agents, available for download from the Lotus Knowledge Base on the IBM Support Web Site at IBM. Please refer to Document #191059, "Lotus Domino SNMP Agents R5.0.1a", also in the Lotus Knowledge Base, for more
All Microsoft implementations of SNMP v1 are affected by the vulnerability. The SNMP v1 service is not installed or running by default on any version of Windows. Patches are available at the following link: Microsoft
Novell ships SNMP.NLM and SNMPLOG.NLM with NetWare 4.x, NetWare 5.x and 6.0 systems. The SNMP and SNMPLOG vulnerabilities detected on NetWare are fixed and will be available through NetWare 6 Support Pack 1 & NetWare 5.1 Support Pack 4. Support packs are available at Novell
Red Hat has released updated packages at the following link: Red Hat.
The SCO Group has released patches at the following FTP links:
SuSE has released updated packages at the following link: SuSE
All SNMP customers who maintain a support contract have received either release 220.127.116.11 or appropriate patch sets to their 15.3 source code releases addressing these vulnerabilities. Users maintaining earlier releases should update to the current release if they have not already done so. Up-to-date information is available from firstname.lastname@example.org.
Cisco has re-released a security advisory with updated packages for voice products to address the SNMP vulnerabilities.
2004-March-05 15:38 GMT
Silicon Graphics has released a security advisory to address the SNMP denial of service vulnerability in the Emulex Fibre Channel Hub. The hub is distributed as a component of some IRIX system configurations. A workaround is available.
2003-July-28 21:24 GMT
SGI has released a security advisory and updated firmware that address the SNMP vulnerabilities in Brocade switches.
2003-April-14 12:05 GMT
Hewlett-Packard has re-released security bulletin HPSBUX0202-184 and released patches that address the SNMP vulnerabilities.
2003-February-19 23:21 GMT
Hewlett-Packard has released an additional security advisory and packages to correct the SNMP vulnerabilities in MPE/iX.
2002-October-17 18:11 GMT
Caldera has released additional security advisories and packages to correct the SNMP vulnerabilities.
2002-October-16 18:27 GMT
IBM has released an APAR to correct the SNMP buffer overflow vulnerability in AIX versions 4.3.x and 5.1.
2002-July-16 16:30 GMT
Sun Microsystems has released an Alert Notification and patches to address the SNMP vulnerability in the atmsnmpd daemon in SunATM 2.1, 3.0.1, 4.0.1, and 5.0.
2002-May-24 16:35 GMT
Silicon Graphics, Inc. (SGI) has released a security advisory and patches to address the SNMP vulnerability in IRIX.
2002-April-25 13:40 GMT
Sun Microsystems has released a security bulletin and patches that address the SNMP vulnerability. A buffer overflow exists in snmpd and edd that may allow unauthorized remote access to the Enterprise 10000 System Service Processor Server.
2002-April-22 20:57 GMT
Hewlett-Packard (HP) has released a security bulletin and several patches that address the SNMP vulnerability.
2002-April-12 15:20 GMT
SuSE has released a security advisory for the SNMP vulnerability in their ucdsnmp package. Updated packages are available.
2002-April-08 21:40 GMT
Caldera has re-released its SNMP security advisory with updated information concerning a vulnerable application and patch. Caldera reports that Volution Manager 1.1 is also vulnerable and patches are available to correct the vulnerability.
2002-March-14 20:29 GMT
Debian has re-released its SNMP security advisory with updated patches. The original patches changed the Application Programming Interface (API) and Application Binary Interface (ABI) for the SNMP library, which prevented other applications from functioning.
2002-February-28 19:04 GMT
Cisco has re-released their SNMP Security Advisory to include non-IOS products. A link with patch and workaround information has been included.
2002-February-26 17:36 GMT
Multiple vendors have released security bulletins and updated packages to address this vulnerability.
2002-February-15 12:37 GMT
This Alert contains further details on the SNMP (Simple Network Management Protocol) vulnerabilities.
2002-February-12 23:40 GMT
CERT has released an advisory discussing several security vulnerabilities in Simple Network Management Protocol (SNMP). These vulnerabilities can be exploited by an attacker to gain root access on the system. An exploit tool is currently being distributed on the Internet. Users should contact the appropriate vendor concerning patch availability.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
FIXED SOFTWARE INFORMATION AND LINKS PROVIDED BY SUPPLIERS AND VENDORS ARE FOR REFERENCE ONLY. USERS SHOULD CONTACT THEIR SUPPLIER OR VENDOR FOR UPDATED SOFTWARE.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products
Cisco Multivendor Vulnerability Alerts respond to vulnerabilities identified in third-party vendors' products. These alerts contain information compiled from diverse sources and provide comprehensive technical descriptions, objective analytical assessments, workarounds and practical safeguards, and links to vendor advisories and patches.