more SNMP notes (fwd)

From: jeffrey arnold (jba@analogue.net)
Date: Tue Feb 12 2002 - 22:51:53 EST


from:
https://www.juniper.net/support/csc/fieldalerts/fa-sw-0202-001.html

[quote]
Products Affected: All releases of JUNOS Internet software prior to
January 5, 2002:

Description: CERT Advisory CA-2002-03 describes a series of tests
designed to determine the vulnerability of SNMP implementations. Juniper
Networks has evaluated its software using the provided test suites, and
has determined that, with one exception, the JUNOS software is not
vulnerable to any of the potential exploits.

The only vulnerability found occurred when SNMP PDU tracing was enabled
(snmp traceoptions flag pdu). With this trace flag enabled, certain
invalid SNMP varbinds can cause the SNMP process to overflow a buffer and
terminate. Although one could theoretically use this buffer overflow to
gain root access to the router, no known exploit code exists.

[..snip..]

As a work-around, customers can remove "snmp traceoptions flag pdu" from
the router's configuration.
[end quote]

for more info:
http://www.cert.org/advisories/CA-2002-03.html
http://www.securityfocus.com/news/328

-jba

--
 [jba@analogue.net] :: analogue.networks.nyc :: http://analogue.net

---------- Forwarded message ----------
Date: Tue, 12 Feb 2002 16:45:49 -0800 (PST)
From: Robert Graham <robert_david_graham@yahoo.com>
To: bugtraq@securityfocus.com
Subject: more SNMP notes

Some quick key points:

This is big. I strongly recommend disabling SNMP on as many devices as possible.

It isn't a single vulnerability, but a suite of potentially hundreds of vulnerabilities.

This is just the beginning, more will be coming.

These problems aren't new; they have been known since the early 1990s. It's just that SNMP developers have always thought of them as "bugs" rather than "vulnerabilities".

Thousands of different devices, such as printers, are vulnerable. Somebody is going to develop an exploit that compromises the printer and forwards copies of everything printed back out to the hacker. This is only one example of the severity of the problem - there are many closed systems that cannot be updated; you can often disable SNMP, but you cannot update it and fix the bugs.

You should also block UDP port 7 (echo) on your firewalls. Spoofed SNMP requests can be bounced off of such ports.

Don't rely upon IP access control lists to protect you. UDP is stateless and packets can be spoofed.

SNMP has always been a huge vulnerability, even when it could not be directly exploited. Your first impulse should always be to disable it. There are exploits that have been used in the underground for years that still haven't made it to bugtraq.

Some older versions of Solaris (2.6?) put an SNMP service at a port in the range 32768-32800 (same vulnerability as putting a portmapper at a high port). This wasn't mentioned in the CERT advisory. If you are a heavy Sun shop, these should be blocked anyway.

Monitor the "snmp" group at 1.3.6.1.2.1.11. Some of these statistics will track some of the bad stuff that these exploits generate. It's a poor-man's network IDS to detect people playing around on your network.

Robert Graham
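One way to act on the "poor-man's IDS" suggestion above, as an added example that is not part of the original thread: poll the MIB-II snmp group twice and alert when the counters that malformed or unauthorized PDUs drive up (snmpInBadVersions, snmpInBadCommunityNames, snmpInBadCommunityUses, snmpInASNParseErrs, all from RFC 1213) have grown. The poll output is constructed in the numeric form `snmpwalk -On` prints; the values are hypothetical.

```python
"""Poor-man's SNMP IDS: diff two polls of the 'snmp' group (1.3.6.1.2.1.11)
and flag growth in the error counters. Sample polls are constructed."""
import re

SNMP_GROUP = "1.3.6.1.2.1.11"
# RFC 1213 snmp-group counters that rise when bad or unauthorized PDUs arrive.
WATCHED = {
    SNMP_GROUP + ".3.0": "snmpInBadVersions",
    SNMP_GROUP + ".4.0": "snmpInBadCommunityNames",
    SNMP_GROUP + ".5.0": "snmpInBadCommunityUses",
    SNMP_GROUP + ".6.0": "snmpInASNParseErrs",
}

# Matches one numeric snmpwalk line such as ".1.3.6.1.2.1.11.6.0 = Counter32: 7"
LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*Counter32:\s*(?P<val>\d+)$")

def parse_poll(text):
    """Return {oid: value} for every Counter32 line in snmpwalk-style output."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counters[m.group("oid")] = int(m.group("val"))
    return counters

def detect(prev, curr, threshold=1):
    """Return {name: delta} for watched counters that grew by >= threshold.
    Counter32 wraps at 2**32; the modulo keeps a wrapped counter from
    producing a negative (and therefore silently ignored) delta."""
    alerts = {}
    for oid, name in WATCHED.items():
        if oid in prev and oid in curr:
            delta = (curr[oid] - prev[oid]) % (1 << 32)
            if delta >= threshold:
                alerts[name] = delta
    return alerts

# Constructed polls: only snmpInASNParseErrs moves between the two snapshots.
POLL_1 = """.1.3.6.1.2.1.11.1.0 = Counter32: 48210
.1.3.6.1.2.1.11.3.0 = Counter32: 0
.1.3.6.1.2.1.11.4.0 = Counter32: 2
.1.3.6.1.2.1.11.5.0 = Counter32: 0
.1.3.6.1.2.1.11.6.0 = Counter32: 0"""
POLL_2 = """.1.3.6.1.2.1.11.1.0 = Counter32: 51877
.1.3.6.1.2.1.11.3.0 = Counter32: 0
.1.3.6.1.2.1.11.4.0 = Counter32: 2
.1.3.6.1.2.1.11.5.0 = Counter32: 0
.1.3.6.1.2.1.11.6.0 = Counter32: 1934"""

def sample_alerts():
    """Alerts raised between the two constructed polls."""
    return detect(parse_poll(POLL_1), parse_poll(POLL_2))

if __name__ == "__main__":
    for name, delta in sample_alerts().items():
        print(f"ALERT {name} +{delta} since last poll")
```

A burst of snmpInASNParseErrs on a device that normally sees none is the signature of someone feeding it malformed PDUs of the kind the CERT test suite generates.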




This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:39 EDT