Surviving the SNMP Vulnerability Scare
The recent SNMP vulnerability alert will have repercussions for some time, given that SNMP exists on nearly every piece of networking equipment.
It appears, though, that this was one instance when the good guys were a step ahead of the bad guys. Researchers at the Oulu University in Finland first discovered the vulnerabilities. They worked quietly with security organizations around the world, ensuring these organizations could offer solutions to the vulnerabilities at the same time they put the word out.
In many cases, that meant vendors had patches for their systems ready and waiting when word of the vulnerability was released on Feb. 12. For a change, it was the virus writers and other purveyors of malicious deeds who were left to play catch-up.
Not that the threat is over. Far from it. As noted above, SNMP is virtually ubiquitous, running on everything from switches and routers to workstations and servers. Finding and patching all those instances of SNMP is going to take time. And if you don't find them, you can bet an intruder's virus or worm eventually will. If that happens, it could take the system down or enable an intruder to commandeer it.
The SANS Institute also noted that SNMP made the list of top 20 security vulnerabilities that SANS published last October in conjunction with the National Infrastructure Protection Center. Users who followed the advice the top 20 document presents with respect to SNMP would be far ahead of the game with respect to this latest batch of SNMP vulnerabilities, if not entirely safe.
Recommendations in that document ranged from shutting down SNMP entirely, for those who can get away with that, to ensuring that SNMP community names fall under the same sort of policies as passwords, given that they function in much the same manner.
Alan Paller, director of research for the SANS Institute, noted that if users hadn't heeded the warnings from its top 20 list with regard to SNMP, it's likely there are others on the list that need attention as well. Good point. The list is at: http://www.sans.org/top20.htm.
Paul Desmond is a writer and editor based in Framingham, Mass. He serves as editor of eSecurityPlanet.com, a source of practical security information for IT managers, CIOs and business executives. Email him at firstname.lastname@example.org.