SNMP vulnerabilities

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 02/14/02


Date:         Wed, 13 Feb 2002 19:49:45 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

If there's going to be any sort of massive SNMP attack, it's likely that
it will be an internal attack, delivered via email, probably exploiting a
security vulnerability in the email program/browser, targeting servers
or workstations running some "normal" OS, rather than Internet-based
attacks against routers or network devices. There may well be millions
of HP JetDirects out there listening for SNMP messages, but an attacker
still has to get to it, and even then it's not likely to cause problems
more than once (not much bang for the buck for the hacker).

Robert Graham, in a post today on SecurityFocus.com's Bugtraq mailing
list, suggests that someone is going to code up an exploit that causes a
JetDirect to forward a copy of everything sent to it to the
hacker...yeah, right. Sorry, but I give no credence to such dire
warnings; it's just too unlikely. Not only will the hacker have to sift
through the tens of thousands of attack strings and figure out which
few, if any, allow an HP JetDirect to be overflowed to an executable
point in the stack (assuming that's even possible with a JetDirect),
they also have to figure out how to get it onto those printers and still
allow them to continue running their normal work (otherwise it's just a
DoS).

They aren't PCs or workstations with the requisite capabilities to
allow such things to run, or propagate.

The same is true of most routers. I spoke to Cisco today and put the
idea to them, namely, could the millions of 1600/2600 style routers out
there be used for any sort of Code Red/Nimda style worm attack. Nothing
has ever been done before to make it even sound reasonable to suggest it
would be feasible.

Some background:
---------------

So far there is no consolidated listing of which attack strings within
the PROTOS tool from OULU cause what to happen on a given system. There
are thousands of potential attack strings in the tool, but you need to
be at both ends of an attack to determine which string led to what on a
given implementation. Ergo, figuring out how to get a given
implementation to overflow to a point where you can insert code and
cause it to run is a non-trivial task; it takes systems and software
that the average hacker isn't likely to have available (although no
doubt some "security group" is going to post such information when they
figure it out).

That said, there are only a few implementations of SNMP which are likely
to be widely deployed, making them targets because they will offer a
bang for the buck (the ones those "security groups" are likely going to
post an advisory on, making them the target of attacks). Those will be
figured out, and attacks likely developed to exploit them. My estimate
is that it will likely be at least a month before an attempt is made to
release the first such tool en masse.

So be proactive.

Attack Scenarios:
----------------

1. Widespread, but sporadic (and not terribly bothersome), DoS of
routers and other network devices (possibly including DSL and other
home-type devices). Since the source address can be spoofed, this could
prove to be a pain, but it's likely only going to affect lower-tier ISPs.
It will also likely be targeted at relatively obscure routers in
businesses, so people can say they crashed BigCorp.com's router. May
also be used in IRC-retaliation attacks (and their ilk).

Bottom line, get your vendor's patch, upgrade your router/router OS, and
maybe finally get some clue to ingress/egress filtering (default deny
please!!!!). DO ALL OF YOUR ROUTERS! (Read scenario number 2 below.)

2. Attack programs incorporated in email messages intended to disrupt an
organization from inside, à la Nimda Internal Meltdowns.

It's trivial to take the PROTOS tool and modify it into something which
can do ranges. The PROTOS tool is a Java application, so it's portable
(despite the fact that it requires the Java SDK to run now). This means
if you can get a client to invoke it, it stands a pretty good chance of
running properly. Even on its own it can cause problems, as it takes ~30
minutes to run the full suite of tests it can do (ergo it generates a
lot of traffic by itself).

It's unlikely that we will see Anti-Virus companies scanning things for
code that does Winsock calls to UDP161, so unless/until something
emerges they can detect/stop, AV isn't likely going to prevent you from
participating in the initial wave should something be released. Given
how most networks that employ SNMP work, any company which does get
attacked by this method is likely going to have to shut down for a day
or two to clean up.

Bottom line, you need to be thinking about SNMP internal attacks now.
You need to do an inventory of all of the systems in your organization
which are capable of executing code (i.e., capable of being turned into
attacking systems) and run SNMP daemons/services. You need to contact
the appropriate vendors and find out if you are vulnerable, and if so,
plan to remove the service or get patched.

What you need to do Now!
-----------------------

1. Enable ingress/egress default deny filtering on your
Internet/VPN/Partner networks. If an attack comes from the Internet, and
it can't come into your network because you don't allow anything but
what you know you need, you've made a great start!

2. Check your router vendor for a patch for this SNMP vulnerability. Ask
them for a patch for the vulnerabilities identified as Mitre CVE
CAN-2002-0012 and CAN-2002-0013. If they don't know what you're talking
about, point them to http://cve.mitre.org/ and then ask for the patch
for CERT Advisory CA-2002-03. If they don't know what you're talking
about, ask them about CERT Vulnerability Note VU#854306 and/or CERT
Vulnerability Note VU#107186.

If they still don't know what you're talking about, buy another router
from a different vendor who does have a clue.

3. Find out what has SNMP enabled. We know that Windows doesn't enable
SNMP by default, but we also know that some OEMs do. You won't know
until you check, so check now (listening on UDP161 is where you start, but
you need to check the box and documentation to be sure something else
isn't using SNMP and listening on a different port). I will happily take
any check results you have that indicate what systems are running SNMP
by default, but I'm not going to be releasing any such list as it would
only serve to point the attackers in a direction towards greater
success. I'll use this information to provide better assessments on the
potential scale of anything that gets released.

4. Find out why it's enabled, turn it off if you can (one less thing to
secure in the future if you don't use it). If you don't know if you can
turn it off, turn it off! You'll soon find out why it was needed if it
was.

5. Make sure you are using a non-standard community string. I know that
lots of people are saying that community strings aren't effective at
preventing this vulnerability suite. While that's a good general
statement to make, given the way implementations have been done, it may
or may not be true for your implementation.

See, some implementations check the community string before doing any
decoding. If it doesn't match what it's supposed to be, it drops the
transmission. Problem is, most of the vulnerabilities occur because
decoding is done on malformed data prior to checking the community
string. If you're one of those, the community string you use won't
matter. Vendors aren't readily making such information available, mostly
because it might vary by version number or other minor details. Check
with your vendor; it's much easier to change your community string than
to do a slew of updates.

IMPORTANT: If you haven't checked with every vendor's implementation that
you own, and every nuance of every implementation for a given vendor,
don't rely on the community string to protect you.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
"My thoughts are facts in my world, opinion to you. YMMV"
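Scenario 2 above describes a PROTOS-style tool, modified "to do ranges", running from an internal workstation, and notes that AV is unlikely to catch it. It is still visible in firewall or flow logs: a host that is not the management station sending to UDP 161 at all, or any host hitting many distinct addresses on UDP 161 in a short window. The following is an added example written for this page, not code from the post, from NTBugtraq or from PROTOS; the log line format, the sample lines, the 10-minute window and the 5-target threshold are all assumed.

```python
# Added example: flag internal hosts sweeping UDP/161 across an address range
# in firewall logs. Log format, thresholds and sample lines are all assumed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<iso-timestamp> ALLOW|DENY UDP <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) UDP "
                  r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse(line):
    """Return (timestamp, action, src, dst, dport), or None for lines in another format."""
    m = LINE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["action"], m["src"], m["dst"], int(m["dport"])


def find_snmp_sweeps(lines, authorized, max_targets=5, window=timedelta(minutes=10)):
    """Return {src: (reason, distinct_targets)} for sources that talk to UDP/161.

    'range sweep'          - more than max_targets distinct destinations inside `window`
    'unauthorized manager' - any UDP/161 traffic from a host that is not a known NMS
    ALLOW and DENY lines both count: a denied probe still shows who is probing."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is not None and rec[4] == 161:
            hits[rec[2]].append((rec[0], rec[3]))

    findings = {}
    for src, events in hits.items():
        events.sort()
        best, start = 0, 0
        for i, (ts, _) in enumerate(events):            # sliding window over time
            while events[start][0] < ts - window:
                start += 1
            best = max(best, len({dst for _, dst in events[start:i + 1]}))
        if best > max_targets:
            findings[src] = ("range sweep", best)
        elif src not in authorized:
            findings[src] = ("unauthorized manager", best)
    return findings


# Constructed sample: the real NMS polls three devices, a workstation walks
# 10.1.7.1-8 in eight seconds, and another workstation sends one (denied) probe.
SAMPLE_LOG = "\n".join(
    ["2002-02-13T19:50:0%d ALLOW UDP 10.1.1.10:2048 -> 10.1.7.%d:161" % (i, i) for i in (1, 2, 3)]
    + ["2002-02-13T19:50:%02d ALLOW UDP 10.1.5.23:1055 -> 10.1.7.%d:161" % (5 + i, 1 + i)
       for i in range(8)]
    + ["2002-02-13T19:50:40 ALLOW UDP 10.1.5.23:1056 -> 10.1.7.9:53",    # DNS, ignored
       "2002-02-13T19:51:00 DENY UDP 10.1.5.40:3001 -> 10.1.7.1:161"]
)

if __name__ == "__main__":
    for src, (reason, n) in sorted(find_snmp_sweeps(SAMPLE_LOG.splitlines(), {"10.1.1.10"}).items()):
        print("%-12s %-22s %d distinct UDP/161 targets" % (src, reason, n))
```

The authorized set is the inventory the post asks you to build: the management stations that are supposed to poll agents. Anything else that sends to UDP 161 is worth a look, and a fast walk across many addresses is the pattern a modified PROTOS run produces.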

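The last point above, that it matters whether an agent checks the community string before or after it decodes the rest of the message, can be shown with a small SNMPv1 front-end. The following is an added example written for this page, not code from the post, from PROTOS or from any vendor's SNMP implementation. It decodes only the outer SEQUENCE, version and community, compares the community, and hands the PDU to the decoder only on a match; the decode-first variant shows the ordering the post warns about. Both messages are constructed inline, the 64-byte community limit is an assumed local policy, and the decoder is bounds-checked so the malformed message raises an exception where a lax decoder would read past its buffer.

```python
# Added example: an SNMPv1 front-end that checks the community string before it
# decodes any PDU bytes. Not vendor or PROTOS code; both sample messages are constructed.
import hmac

MAX_COMMUNITY = 64  # assumed local policy limit, not a protocol constant

class SnmpDecodeError(ValueError):
    """Some BER element does not fit inside its enclosing element."""

def read_tlv(buf, pos, end):
    """One BER tag+length at buf[pos:end] -> (tag, value_start, value_end); overruns raise."""
    if pos + 2 > end:
        raise SnmpDecodeError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                                   # short-form length
        length = first
    else:                                              # definite long form, <= 4 length bytes
        n = first & 0x7F
        if not 1 <= n <= 4 or pos + n > end:
            raise SnmpDecodeError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:
        raise SnmpDecodeError("length %d exceeds enclosing element" % length)
    return tag, pos, pos + length

def read_int(buf, pos, end):
    tag, s, e = read_tlv(buf, pos, end)
    if tag != 0x02 or not 1 <= e - s <= 4:
        raise SnmpDecodeError("bad INTEGER")
    return int.from_bytes(buf[s:e], "big", signed=True), e

def decode_oid(raw):
    """Base-128 OBJECT IDENTIFIER contents -> dotted string; sub-identifiers capped at 32 bits."""
    if not raw or raw[-1] & 0x80:
        raise SnmpDecodeError("empty or unterminated OID")
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if value > 0xFFFFFFFF:
            raise SnmpDecodeError("OID sub-identifier overflow")
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_pdu(pdu):
    """Decode a GetRequest/GetNextRequest/SetRequest PDU with every length bounds-checked."""
    tag, s, e = read_tlv(pdu, 0, len(pdu))
    if tag not in (0xA0, 0xA1, 0xA3):
        raise SnmpDecodeError("unexpected PDU tag 0x%02x" % tag)
    request_id, s = read_int(pdu, s, e)
    error_status, s = read_int(pdu, s, e)
    error_index, s = read_int(pdu, s, e)
    tag, pos, end = read_tlv(pdu, s, e)                # VarBindList
    if tag != 0x30:
        raise SnmpDecodeError("VarBindList is not a SEQUENCE")
    oids = []
    while pos < end:
        vb_tag, bs, be = read_tlv(pdu, pos, end)       # one VarBind
        oid_tag, os_, oe = read_tlv(pdu, bs, be)       # its name
        if vb_tag != 0x30 or oid_tag != 0x06:
            raise SnmpDecodeError("VarBind is not SEQUENCE{OID, value}")
        read_tlv(pdu, oe, be)                          # its value must fit as well
        oids.append(decode_oid(pdu[os_:oe]))
        pos = be
    return {"request_id": request_id, "error_status": error_status,
            "error_index": error_index, "oids": oids}

def parse_header(msg):
    """Decode only the outer SEQUENCE, version and community; return the raw PDU bytes."""
    tag, s, e = read_tlv(msg, 0, len(msg))
    version, pos = read_int(msg, s, e)
    ctag, cs, ce = read_tlv(msg, pos, e)
    if tag != 0x30 or ctag != 0x04 or ce - cs > MAX_COMMUNITY:
        raise SnmpDecodeError("bad message header")
    return version, msg[cs:ce], msg[ce:e]

def agent_community_first(msg, expected):
    """Authenticate, then decode: a wrong community never reaches decode_pdu()."""
    version, community, pdu = parse_header(msg)
    if version != 0 or not hmac.compare_digest(community, expected):
        return "dropped", None
    return "accepted", decode_pdu(pdu)

def agent_decode_first(msg, expected):
    """Decode, then authenticate: the ordering the post warns about."""
    version, community, pdu = parse_header(msg)
    decoded = decode_pdu(pdu)                          # untrusted bytes parsed before auth
    if version != 0 or not hmac.compare_digest(community, expected):
        return "dropped", None
    return "accepted", decoded

def classify(agent, msg, expected):
    """'accepted', 'dropped', or 'decode-error' (where a lax decoder would have faulted)."""
    try:
        return agent(msg, expected)[0]
    except SnmpDecodeError:
        return "decode-error"

# Constructed SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public".
GOOD = bytes.fromhex("3026" "020100" "04067075626c6963"           # SEQUENCE, version 0, "public"
                     "a019" "020101" "020100" "020100"             # GetRequest, request-id 1
                     "300e" "300c" "06082b06010201010100" "0500")  # one VarBind: OID, NULL
# Same message with a wrong community and an OID length byte that claims 127 bytes.
MALFORMED = GOOD.replace(b"public", b"random").replace(b"\x06\x08", b"\x06\x7f")
```

Run `classify(agent_community_first, MALFORMED, b"public")` and the message is dropped at the community check without a single PDU byte being looked at; run the same message through `agent_decode_first` and the oversized OID length is hit first, which is exactly the stage at which a non-default community string buys you nothing. Only the decode-after-authenticate ordering turns the community string into a real filter, and only your vendor can tell you which ordering a given firmware uses.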