SNMP Vulnerability A 'Triple Threat'
The vulnerabilities reported Tuesday in Simple Network Management Protocol, the ubiquitous software used to monitor and manage all sorts of networked devices, rate extremely high in the three variables used to measure the severity of a security flaw.
Researchers at Oulu University in Finland discovered numerous vulnerabilities in multiple vendors' implementations of SNMP v1. They are considered serious enough that the CERT Coordination Center (CERT/CC), a federally funded security research organization at Carnegie Mellon University in Pittsburgh that tracks security vulnerabilities, posted an alert on its Web site.
The SANS Insitute, another non-profit security organization, likewise issued an email alert Tuesday afternoon.
SNMP, or the Simple Network Management Protocol, is an industry standard protocol for monitoring and managing all sorts of networked devices, from routers to hubs and workstations.
The vulnerabilities reported this week, in the SNMP trap and request facilities, could enable an intruder to gain unauthorized access to the system on which the SNMP software is running, launch denial of service attacks that bring the system down, or cause unstable behavior, the CERT/CC advisory says.
Alan Paller, director of research for the SANS Institute in Bethesda, Md., says there are three variables used to measure the severity of a vulnerability announcement: how many systems are affected; how bad the pain is that the vulnerability causes, where the worst-case scenario is the system is knocked offline or taken over; and how easy the vulnerability is to exploit.
"Normally you don't get all three of those in one," Paller says. "This is the first vulnerability warning I know that's a 10 on all three of those, and in fact it's 100 on the number of systems," given that SNMP is virtually ubiquitous.
A History of Vulnerability
This is hardly the first time security vulnerabilities have been found in SNMP. The protocol has been the source of security concern for years, with a steady stream of patches being issued for past vulnerabilities.
Last October, when the SANS Institute and the National Infrastructure Protection Center (NIPC) published their list of the top 20 Internet security threats, they recommended turning off SNMP if it is not absolutely required.
Paller reiterated that advice in the face of this latest vulnerability and said even organizations that require SNMP should turn it off until they can apply the appropriate patches. (The SANS Insitute/NIPC top 20 document is located at http://www.sans.org/top20.htm.)
It is likely that the vulnerabilities in question have existed for years in SNMP v1, but have only now been discovered. SNMP trap messages are sent from an SNMP agent to a management station to alert managers to potential error conditions.
The Oulu University Secure Programming Group (OUSPG) "found multiple vulnerabilities in the way many SNMP managers decode and process SNMP trap messages," according to the CERT/CC alert. OUSPG found similar vulnerabilities in the way SNMP agents decode request messages, which are sent from management stations to agents to request information or send configuration data.
Solutions for remedying the vulnerabilities range from patching the systems in question, disabling SNMP service, filtering SNMP traffic from non-authorized systems to creating separate networks for net management data. A complete list of solutions, including those specific to many vendors' devices, is available at http://www.cert.org/advisories/CA-2002-03.html.
There are other versions of SNMP available, including SNMP v2 and SNMP v3, which was introduced in 1998. SNMPv3 in essentially an adjunct intended to add security facilities to SNMPv2, namely authentication and encryption. It's not clear from the CERT/CC and other warnings whether these versions are subject to the same security vulnerabilities as SNMP v1 as neither later version is mentioned.