“ Vulnerabilities in SNMP Implementations ” CSCI Web Security Instructor: Dr. Andrew Yang Presented By: Harini Varatharajan

Introduction to SNMP  What is SNMP ?  SNMP Components  Agents ( Managed device)  Managers ( Management Entity)  Network Management System ( NMS)  SNMP Management Information Base

SNMP Architecture

SNMP Communications  Protocol Data Unit (PDU) message type  GetRequest  GetNextRequest  GetResponse  SetRequest  Traps  UDP Port 161 for Gets and Sets  UDP Port 162 for Traps

Why the Concern about vulnerability ?  CERT/CC SNMP Advisory –Issued Feb 12 th, 2002 –Identified multiple vulnerabilities  OUSPG PROTOS Project –Tested HTTP, WAP/WSP, LDAP and SNMP –Additional protocol testing will follow  SNMP is huge target –Nearly every device from every vendor could be affected –Many exploits are theoretically possible –A few exploits work now –More exploits will be developed

SNMP Problems  Community String access modes  READ-ONLY  READ-WRITE  Passed in clear text  Limited error handling  Additional exceptions must be handled by vendor’s implementation –Violations to Basic Encoding Rules of ASN.1 –Invalid variable types

Where the Vulnerabilities are?  Trap handling  Request handling  What makes things worse ?  Insecure settings  Spoofing

Impact  Denial of service attacks  Format String Vulnerability  Unstable behaviors  Unauthorized privileged access  Buffer overflows - Crash SNMP agent - Crash SNMP agent - Reboot device - Reboot device - Overwrite valid SNMP variables - Overwrite valid SNMP variables - Overwrite other applications or OS - Overwrite other applications or OS - Allow unauthorized access - Allow unauthorized access

Solutions  SNMP scanners  SNScan Windows based utility by Foundstone SNScan  CERT Advisory Implications  Apply patch from vendor  Disable SNMP service  Ingress filtering  Egress filtering  Filter SNMP traffic from non-authorized internal hosts  Change default community strings  Update signatures from vendors  Segregate SNMP traffic onto a separate management network network

Solutions  Other Solutions  Protect Network perimeter  Protect Management systems  Manage Community strings  Eliminate or protect other access  Limit Network access  Watch for uncharted access and services  Play it safe with vendors, partners, customers and employees

Will SNMPv3 Help?  Advantages –Improved authentication and access control –Encryption of SNMP packets –Remote management of SNMP agents  Disadvantages –Additional overhead –RFCs have yet to be adopted as a standard –Few vendors have working implementations in their hardware/ software –Existing implementations may still be vulnerable to buffer overflow exploits

The Bottom Line  SNMP exploits are real  Integration of network management and security is imperative  Time to rethink overall network management strategy including architecture, applications and future direction.

References  “CERT Advisory CA : Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP),” 12 Feb. 2002, (current 11 March 2002). CERT Advisory CA CERT Advisory CA  “PROTOS: Security Testing of Protocol Implementations,” 19 July 2001 (current 11 March 2002). PROTOS: Security Testing of Protocol ImplementationsPROTOS: Security Testing of Protocol Implementations  “PROTOS Test-Suite: c06-snmpv1,” 12 Feb (current 11 March 2002). PROTOS Test-Suite: c06-snmpv1PROTOS Test-Suite: c06-snmpv1  “M-042: Multiple Vulnerabilities in Multiple Implementations of SNMP,”12 Feb (current 11 M-042: Multiple Vulnerabilities in Multiple Implementations of SNMPM-042: Multiple Vulnerabilities in Multiple Implementations of SNMP

Questions ?