Re: SNMP Vulnerability Hype
From: Thomas H. Ptacek (tqbf@pobox.com) Date: 02/14/02
- Next message: spp@cs.berkeley.edu: "Re: Microsoft finally acknowledges the security drumbeats"
- Previous message: Nicholas Bachmann: "Re: Enterasys Dragon IDS for Unix/Linux"
- In reply to: catman@magma.ca: "SNMP Vulnerability Hype"
- Next in thread: nickd@nospam.demon.co.uk: "Re: SNMP Vulnerability Hype"
- Reply: nickd@nospam.demon.co.uk: "Re: SNMP Vulnerability Hype"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: tqbf@pobox.com (Thomas H. Ptacek) Date: 14 Feb 2002 13:44:26 -0800
> What's the consensus here. Am I missing something or is this being
> overly hyped? After all, it's not like these vulnerabilities are
> anything new.
These vulnerabilities are new, and very serious. They are
implementation faults resulting in exploitable buffer overflows and
format string attacks. There is no published information on the known
scope of the problem, but from the Oulu.fi report, the prognosis does
not look good.
There are two pathologies that, when examined in retrospect, explain
the problem and validate the attention that the report received.
First, the gene pool of SNMP implementations is pathetic. The
overwhelming majority of products use implementations derived
from CMU's toolkit, or from NET-SNMP, which is itself derived from
CMU. Thus, a bug in CMU's code (which is old, hairy, and until
recently very poorly audited) impacts the overwhelming majority of
SNMP products.
Secondly, SNMP is a ridiculously complicated protocol. It is built on
a complex marshalling strategy (ASN.1/BER) which, instead of making
engineering decisions about the proper way to represent opaque
queries to devices, instead chose to build a system of primitives that
can be combined in such an arbitrary number of ways that an ad hoc
compiler is required to implement it. It is thus very hard to examine
SNMP code to obtain some kind of assurance that it manages data
safely.
The CERT/CC advisory has a pointer to the original report from the
security lab at Oulu.fi. This is a great report, carefully constructed to
provide details about the problem and a methodology for finding similar
problems. Unfortunately, CERT/CC chose to suppress the release of
this advisory for months, despite the fact that the underlying issues had
been discussed in public for years prior to the lab report dissection.
Despite CERT/CC's ill-advised attempt to keep the advisory a secret,
many of the most important afflicted vendors, including Cisco, Microsoft,
and Sun, are still vulnerable.
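The post's point about ASN.1/BER is that every field of an SNMP message arrives as a tag, a length and a value, and a decoder that believes the declared length without checking it against the bytes it actually holds is exactly the kind of code that overreads or overflows. The following is an added illustration, not code from the post or from any of the implementations it names: a small BER TLV walker that refuses indefinite lengths, oversized length-of-length fields and any length that runs past the enclosing buffer, applied to a hand-constructed SNMPv1 GetRequest (layout per RFC 1157, OID sysDescr.0). The message bytes and the malformed variants are constructed for the example.

```python
"""Bounds-checked BER decoder for an SNMPv1 message (added example).

The constructed packets below are built by hand for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Tag numbers from X.690 and RFC 1157
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID = 0x02, 0x04, 0x05, 0x06
TAG_SEQUENCE, TAG_GET_REQUEST = 0x30, 0xA0


class BerError(ValueError):
    """Any encoding the decoder refuses to process."""


@dataclass
class Tlv:
    tag: int
    value: Union[bytes, List["Tlv"]]


def read_length(buf: bytes, pos: int, limit: int) -> Tuple[int, int]:
    """Decode a BER length at buf[pos]; return (length, position after it).

    Every check here is one a trusting decoder would skip: the length must
    fit inside `limit`, which is the end of the enclosing element.
    """
    if pos >= limit:
        raise BerError("truncated length field")
    first, pos = buf[pos], pos + 1
    if first < 0x80:                      # short form
        length = first
    elif first == 0x80:                   # indefinite form: not legal in SNMP
        raise BerError("indefinite length not permitted")
    else:                                 # long form: low bits = byte count
        n = first & 0x7F
        if n > 4 or pos + n > limit:
            raise BerError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > limit:
        raise BerError("declared length %d exceeds %d remaining bytes" % (length, limit - pos))
    return length, pos


def decode(buf: bytes, pos: int = 0, limit: Optional[int] = None, depth: int = 0) -> Tuple[Tlv, int]:
    """Decode one TLV at buf[pos], recursing into constructed types."""
    limit = len(buf) if limit is None else limit
    if depth > 16:
        raise BerError("nesting too deep")
    if pos >= limit:
        raise BerError("truncated tag")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise BerError("multi-byte tags not supported")
    length, pos = read_length(buf, pos + 1, limit)
    end = pos + length
    if tag & 0x20:                        # constructed: value is a list of TLVs
        children = []
        while pos < end:                  # child lengths are bounded by `end`
            child, pos = decode(buf, pos, end, depth + 1)
            children.append(child)
        return Tlv(tag, children), end
    return Tlv(tag, bytes(buf[pos:end])), end


def decode_oid(value: bytes) -> str:
    """Turn BER OID contents into dotted form (first byte packs two arcs)."""
    if not value or value[-1] & 0x80:
        raise BerError("empty or truncated OID")
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def parse_snmp(buf: bytes) -> dict:
    """Parse SNMPv1 message: SEQUENCE { version INTEGER, community OCTET STRING, PDU }."""
    msg, end = decode(buf)
    if end != len(buf) or msg.tag != TAG_SEQUENCE or len(msg.value) != 3:
        raise BerError("not a single well-formed SNMP message")
    version, community, pdu = msg.value
    if version.tag != TAG_INTEGER or community.tag != TAG_OCTET_STRING:
        raise BerError("bad message header")
    oids = []
    if pdu.tag == TAG_GET_REQUEST:        # request-id, error-status, error-index, varbinds
        if len(pdu.value) != 4 or pdu.value[3].tag != TAG_SEQUENCE:
            raise BerError("malformed GetRequest PDU")
        for vb in pdu.value[3].value:     # each varbind: SEQUENCE { OID, value }
            if vb.tag != TAG_SEQUENCE or len(vb.value) != 2 or vb.value[0].tag != TAG_OID:
                raise BerError("malformed varbind")
            oids.append(decode_oid(vb.value[0].value))
    return {"version": int.from_bytes(version.value, "big", signed=True),
            "community": community.value.decode("ascii", "replace"),
            "pdu_tag": pdu.tag, "oids": oids}


def is_well_formed(buf: bytes) -> bool:
    """True if the message parses under the strict checks above."""
    try:
        parse_snmp(buf)
        return True
    except BerError:
        return False


# Constructed SNMPv1 GetRequest, community "public", one varbind for 1.3.6.1.2.1.1.1.0
GET_REQUEST = bytes.fromhex(
    "3026" "020100" "04067075626c6963" "a019" "020101" "020100" "020100"
    "300e" "300c" "06082b06010201010100" "0500")
# Constructed malformed variants: community length 0x7f (past end); indefinite outer length
OVERLONG_COMMUNITY = GET_REQUEST[:6] + b"\x7f" + GET_REQUEST[7:]
INDEFINITE_LENGTH = b"\x30\x80" + GET_REQUEST[2:]

if __name__ == "__main__":
    print(parse_snmp(GET_REQUEST))
    for name, pkt in (("overlong", OVERLONG_COMMUNITY), ("indefinite", INDEFINITE_LENGTH)):
        print(name, "accepted" if is_well_formed(pkt) else "rejected")
```

The design point is that `limit` is threaded down through every recursion, so a child element can never claim more bytes than its parent actually contains; that single invariant is what the post is saying is hard to verify across a large, table-driven BER implementation.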