The Oulu University Secure Programming Group in Finland studied SNMPv1 and discovered that it contains several serious vulnerabilities. The group used its PROTOS Test-Suite: c06-snmpv1" to perform the study.
As you know, SNMP is a widely used tool that helps you manage and configure various network devices, including routers, firewalls, servers, and client systems. The vulnerabilities that the university group discovered include multiple problems with trap and request handling, which can lead to Denial of Service (DoS) attacks and service interruptions. In some cases, depending on the vendor hardware and software, an intruder can use the vulnerability to gain access to a given device. The Computer Emergency Response Team (CERT) has released an advisory regarding the problems, as have numerous vendors, including Cisco, Compaq, 3Com, Computer Associates (CA), Caldera, and Microsoft. You can read information related to the SNMP vulnerability in the article referenced in the SECURITY RISKS section of this newsletter, and you can find CERT's bulletin regarding the matter on its Web site. CERT also has an online FAQ that addresses 21 questions related to the risks the discovery presents.
The problems are serious, so if you use SNMP to help monitor and manage your network, be certain that you check with the appropriate vendors to be sure that you have the latest patches on all of your SNMP-enabled devices. If you aren't sure which devices on your network are running SNMP, the SANS Institute has released a tool to help you discover SNMP daemons on your network (the daemons typically listen on port 161). The tool runs on Windows 2000 and Windows NT, and you don't need to have administrative access to run the tool. The tool scans for SNMP-enabled devices configured to use the community string of "Public" and also lets the user specify a particular community string. You can obtain a copy of the tool by sending email to [email protected] SANS will send you a URL to a Web site from which you can download the tool, instructions, and related information.
SNMP is one of the most common services that intruders exploit. If you don't need to use SNMP, or if you can use other methods of remote-device monitoring and management, consider disabling SNMP on all your network devices. Doing so will greatly reduce the risks to your network and reduce the chance of someone using your network devices to exploit other networks.