CERT warns of SNMP vulnerability with widespread impact

The CERT Coordination Center has warned that a broad array of network equipment used on the Internet – including switches, routers, hubs, printers and operating systems – may be vulnerable to an SNMP-related attack that could cause equipment to fail or allow an attacker to take control of it.

The problem relates to a half-dozen vulnerabilities discovered in Simple Network Management Protocol (SNMP) v1, a fundamental TCP/IP protocol for managing networks. The vulnerabilities, detailed in a paper published by researchers at Finland’s Oulu University, reveal precisely how SNMPv1, which is widely used by the network industry, can be exploited to disrupt systems through a denial-of-service attack or to allow a hacker to gain control of equipment.

“Basically, most everything on the Internet is impacted,” commented Chris Rouland, director of Internet Security Systems’ threat-assessment group, called the X-Force. “Linux, Solaris, BSD, routers, switches, hubs – this is the most widespread security vulnerability I can ever remember being reported.”

The very long list of equipment known to be affected by the SNMP vulnerabilities is detailed on CERT’s Web site.

Cisco Systems Inc. is expected to issue a security advisory soon regarding the status of its equipment, but security experts believe Cisco’s switches, hubs and routers are affected by the SNMPv1 vulnerabilities. Cisco could not be reached for comment.

Attackers could exploit technical weaknesses related to six classes of vulnerability – overflow exceptions, format-string exceptions, bit-pattern exceptions, basic encoding rules, missing symbol exceptions and integral-value exceptions – to knock equipment offline or gain control of it.
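What these classes have in common is a decoder that trusts the length fields inside a BER-encoded message. The following is an added example, not code from the article, CERT or the Oulu researchers: a strict decoder for the outer SNMPv1 message (SEQUENCE of version, community and PDU, per RFC 1157) that checks every length against the datagram before reading, and so rejects the malformed encodings that a lenient decoder would read past. The sample messages are constructed for the example.

```python
# Added example (not from the article, CERT or the Oulu paper): a strict BER decoder for
# the outer SNMPv1 message, SEQUENCE { version INTEGER, community OCTET STRING, pdu ANY }.
class MalformedSNMP(ValueError): pass  # any message a conforming decoder must drop

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the TLV at pos, checking every length."""
    if pos + 2 > len(buf):
        raise MalformedSNMP("truncated tag/length at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:  # indefinite length is never valid in SNMP
        raise MalformedSNMP("indefinite length")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F  # long form: n length bytes follow
        if n > 4 or pos + n > len(buf):
            raise MalformedSNMP("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):  # the overflow class: declared length runs past the datagram
        raise MalformedSNMP("declared length %d exceeds message" % length)
    return tag, pos, pos + length

def parse_snmpv1_header(msg: bytes):
    """Return (version, community, pdu_bytes) or raise MalformedSNMP."""
    tag, start, end = read_tlv(msg, 0)
    if tag != 0x30 or end != len(msg):
        raise MalformedSNMP("outer SEQUENCE missing or trailing bytes")
    tag, vs, ve = read_tlv(msg, start)
    if tag != 0x02 or not 1 <= ve - vs <= 4:
        raise MalformedSNMP("bad version INTEGER")
    version = int.from_bytes(msg[vs:ve], "big", signed=True)
    if version != 0:  # SNMPv1 is version 0 on the wire
        raise MalformedSNMP("not SNMPv1 (version %d)" % version)
    tag, cs, ce = read_tlv(msg, ve)
    if tag != 0x04 or ce >= end:
        raise MalformedSNMP("community must be an OCTET STRING followed by a PDU")
    return version, msg[cs:ce], msg[ce:end]

def is_well_formed(msg: bytes) -> bool:
    try:
        return parse_snmpv1_header(msg) is not None
    except MalformedSNMP:
        return False

# Constructed samples: a valid GetRequest (community "public", no varbinds) and two malformed variants.
GOOD_MSG = bytes.fromhex("3018 020100 0406 7075626c6963 a00b 020101 020100 020100 3000")
BAD_LENGTH = GOOD_MSG[:6] + b"\x7f" + GOOD_MSG[7:]  # community claims 127 bytes
INDEFINITE = b"\x30\x80" + GOOD_MSG[2:]             # indefinite-length outer SEQUENCE
```

A production agent would apply the same checks to every nested TLV of the PDU; the example stops at the header because that is where the community string and version are read.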

The Finnish university published Java-based tools to demonstrate some of these attacks, Rouland noted. “Today, it’s only the denial-of-service stuff. But someone will write the exploits for broader attacks to control systems,” Rouland said.

About 40 vendors, which are said to have known of the issue for a few weeks, have reported to CERT so far. AdventNet, Avaya, CacheFlow, 3Com and Caldera have all detailed products that are vulnerable. Computer Associates acknowledged its Unicenter management platform is vulnerable. Systems running Hewlett-Packard’s HP-UX operating system and snmpd or OpenView are vulnerable. Some versions of Microsoft Windows are affected, although not Windows XP. The list goes on for 20 pages.

A few vendors reported their products are not vulnerable, such as IBM’s AIX or products from Covalent Technologies.

With the network industry having discussed this problem as quietly as it could for two weeks, most vendors have software patches available or plans in the works to ready them.

Some products come with SNMPv1 turned on by default. Security experts are recommending turning off SNMP or blocking SNMP traffic that does not originate directly under corporate network-management control.

“It would take a very skilled hacker to exploit some of these vulnerabilities,” said Guardent Chief Technology Officer Jerry Brady.

But as a precaution, Guardent, which provides security management services for 300 companies, decided to prevent SNMP traffic from untrusted systems from reaching trusted systems in the corporate environment. “We’re providing ‘triage’ support here, by blocking the protocol entirely,” Brady said. Guardent will maintain that approach until customer equipment is patched and tested for resistance to the SNMP vulnerabilities.

Brady said he expects it may be difficult to install a software patch on systems such as routers, and like many managers he’s awaiting word from Cisco on how the SNMPv1 problem affects Cisco equipment.

ISS’s Chris Rouland advised ensuring that any device that uses SNMPv1 be configured to only allow SNMP traffic from the network management console used to manage it. ISS has also prepared signature updates for its intrusion-detection and scanning products to recognize this new vulnerability.

If users or service providers experience unexplained disruptions in equipment, they are urged to call the CERT hotline at 412-268-7090.

While there’s little sign yet that attackers are exploiting the vulnerabilities – perhaps because they are somewhat difficult to understand even by reading the Finnish university paper on the topic – that could change now that there’s more widespread publicity about the SNMPv1 issues.

“The biggest risk may be for home users with cable and DSL that are directly on the Internet,” said Rouland. Hackers will find them to be one of the easiest targets, he predicted.