Surviving the SNMP Vulnerability Scare

You can expect repercussions from the recent SNMP vulnerability scare to be felt for some time. This, after all, was no run-of-the-mill vulnerability alert. Given that SNMP exists on nearly every piece of networking equipment there is, and many of the servers and other systems those networks serve to connect, the potential for destruction is almost mind-numbing.

It appears, though, that this was one instance when the good guys were a step ahead of the bad guys. Researchers at the Oulu University in Finland first discovered the vulnerabilities. They worked quietly with security organizations around the world, ensuring these organizations could offer solutions to the vulnerabilities at the same time they put the word out.

In many cases, that meant vendors had patches for their systems ready and waiting when word of the vulnerability was released on Feb. 12. For a change, it was the virus writers and other purveyors of malicious deeds who were left to play catch-up.

Not that the threat is over. Far from it. As noted above, SNMP is virtually ubiquitous, running on everything from switches and routers to workstations and servers. Finding and patching all those instances of SNMP is going to take time. And if you don't find them, you can bet an intruder's virus or worm eventually will. If that happens, it could take the system down or enable an intruder to commandeer it.

A number of vendors and security organizations have come up with tools and services to help you stem the damage. Here is a sampling:

  • The SANS Institute, which was instrumental in getting the word out about the alert, is offering a tool that can identify where SNMP is running in your network. It was created with the help of more than a dozen government, commercial and university testers and developers and is offered at no charge. Send email to snmptool@sans.org to receive information on how to get the tool. SANS says it is employing this method of distribution so it can let you know when it provides any updates to the tool.
  • The Carnegie Mellon University CERT Coordination Center was one of the security organizations that issued an alert about the SNMP problem on Feb. 12. It is maintaining a vendor-by-vendor list of information regarding the vulnerability, including links to available patches.
  • Microsoft and Cisco are both offering patches for their respective systems.
  • Qualys, a security vulnerability assessment company, is offering to conduct a free scan to detect systems that are SNMP-enabled, which vulnerabilities may exist, and recommendations on how to fix them. (You will be asked to provide contact information.)
  • Another security and vulnerability assessment firm, Foundstone, Inc., is offering a free tool to detect SNMP-enabled devices and gauge your level of exposure. The tool, dubbed SNScan, is available for download. (Foundstone likewise wants to know who you are before it'll give you the tool.)
  • The SANS Institute also noted that SNMP made the list of top 20 security vulnerabilities that SANS published last October in conjunction with the National Infrastructure Protection Center. Users who followed the advice the top 20 document presents with respect to SNMP would be far ahead of the game with respect to this latest batch of SNMP vulnerabilities, if not entirely safe.

    Recommendations in that document ranged from shutting down SNMP entirely, for those who can get away with that, to ensuring that SNMP community names fall under the same sort of policies as passwords, given that they function in much the same manner.

    Alan Paller, director of research for the SANS Institute, noted that if users hadn't heeded the warnings from its top 20 list with regard to SNMP, it's likely there are others on the list that need attention as well. Good point. The list is at: http://www.sans.org/top20.htm.
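As an added illustration of the community-name recommendation above (example code written for this page, not a SANS tool), the following script audits community strings pulled from a constructed Cisco IOS-style configuration against a password-style policy: no well-known default names, a minimum length, several character classes, and a flag on any read-write community. The `snmp-server community` syntax, the length threshold and the small default-name list are assumptions for the example.

```python
"""Audit SNMP community names against a password-style policy.

Added example, not from the article. It assumes Cisco IOS-style
``snmp-server community <name> [RO|RW]`` lines in a constructed sample
configuration; DEFAULT_NAMES and MIN_LENGTH are assumed policy values.
"""
import re

# Constructed sample config: three community strings of varying quality.
SAMPLE_CONFIG = """\
hostname edge-router
snmp-server community public RO
snmp-server community private RW
snmp-server community Xk7$q2vP9!mL RO
"""

DEFAULT_NAMES = {"public", "private"}      # widely shipped defaults (assumption)
MIN_LENGTH = 12                            # policy threshold (assumption)
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?:\s+(RO|RW))?", re.M)


def audit_communities(config: str, min_length: int = MIN_LENGTH) -> list[dict]:
    """Return one finding per community line: name, mode and policy violations."""
    findings = []
    for name, mode in COMMUNITY_RE.findall(config):
        mode = mode or "RO"  # a missing mode is treated as read-only (assumption)
        issues = []
        if name.lower() in DEFAULT_NAMES:
            issues.append("well-known default name")
        if len(name) < min_length:
            issues.append(f"shorter than {min_length} characters")
        # Count lowercase, uppercase, digit and symbol classes present in the name.
        classes = sum(bool(re.search(p, name)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
        if classes < 3:
            issues.append("fewer than three character classes")
        if mode == "RW":
            issues.append("read-write access; prefer read-only or disable SNMP")
        findings.append({"name": name, "mode": mode, "issues": issues})
    return findings


def weak_communities(config: str) -> list[str]:
    """Names of communities that violate at least one policy rule."""
    return [f["name"] for f in audit_communities(config) if f["issues"]]


if __name__ == "__main__":
    for f in audit_communities(SAMPLE_CONFIG):
        status = "OK" if not f["issues"] else "; ".join(f["issues"])
        print(f"{f['name']:<16} {f['mode']}  {status}")
```

Run against a real exported configuration, the same checks give a quick list of devices whose community names would fail the organization's password policy.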

Paul Desmond is a writer and editor based in Framingham, Mass. He serves as editor of eSecurityPlanet.com, a source of practical security information for IT managers, CIOs and business executives. Email him at paul_desmond@king-content.com.