By Bri Hatch.
Summary: SNMP launched this week's panicky rush to patch vulnerable machines and caused many system administrators to reacquaint themselves with an old friend, nmap.
Every so often, a vulnerability in a widespread piece of software causes security and administrative folk to stop all existing projects and madly apply patches and upgrade programs on every machine. This week, our culprit of lost time is SNMP, the Simple Network Management Protocol.
SNMP, a UDP-based protocol (though infrequently it uses TCP instead), lets network devices provide tons of information that monitoring agents and management tools can use, as well as provide alerts. 'Community strings', which are effectively a simple password (usually PUBLIC and PRIVATE), protect access to this information.
Almost all SNMP-enabled devices use version 1 of the protocol, which has a number of shortcomings. Preventing IP spoofing is not possible -- there is no privacy or encryption, and no authentication method other than community strings is available. Many folks have referred to SNMP as the 'Security Not My Problem' protocol. Newer SNMP specifications offer more security, but few products actually use these yet.
Bugs in numerous SNMP implementations were found by the Oulu University Secure Programming Group, and details were released on February 12th, 2002. These are not bugs in the SNMPv1 protocol, but bugs in various implementations. For detailed information, see the CERT advisory at http://www.cert.org/advisories/CA-2002-03.html .
The Short Version

If you have any machines running SNMP, then you could be in some serious trouble. Some of the bugs leave a device vulnerable to a Denial of Service attack, while others can trigger buffer overflows or format string bugs that could allow arbitrary code to run on the affected system.
The net-snmp (formerly ucd-snmp) package is provided with most Linux distributions and the 4.2.2 version is vulnerable. Most users have no need for an SNMP server on their Linux box; however, some distributions enable it by default when installing the machine with a server configuration. If this is the first time you've heard of SNMP, then it's definitely not something you need enabled on your systems.
So it's time to visit all your Linux machines and upgrade your net-snmp packages to 4.2.2 or later. Or better yet, remove the server SNMP packages entirely.
Linux security doesn't end with your Linux machines themselves -- security is dependent on each and every machine with which they interact. Many other devices on your network probably have SNMP enabled by default as well. Almost all switches, routers, network printers, and other just-plug-them-in devices are SNMP ready. And due to the bugs found by OUSPG, we now know that 'SNMP ready' is merely a synonym for 'vulnerable.'
SANS has created a tool named SNMPing that you can use to find systems that have SNMP enabled. To get a copy, send an email to firstname.lastname@example.org and they'll send you the download information. Unfortunately, the tool only runs on Windows NT/2000. I haven't tried the tool myself, but given SANS' technical know-how, it's probably quite effective.
If you want to do a quick search of your own networks the Unix way, Nmap is your true and eternal friend. Some devices listen on more than just the standard 161/udp and 162/udp ports. The following is a fairly complete list:
snmp            161/udp   # SNMP
snmp-trap       162/udp   # SNMP management messages (traps)
snmp            161/tcp   # SNMP (TCP version)
snmp-trap       162/tcp   # SNMP system management messages (TCP version)
smux            199/tcp   # SNMP Unix Multiplexer
smux            199/udp   # SNMP Unix Multiplexer
synoptics-relay 391/tcp   # SynOptics SNMP Relay Port
agentx          705/tcp   # AgentX
snmp-tcp-port   1993/tcp  # cisco SNMP TCP port
snmp-tcp-port   1993/udp  # cisco SNMP TCP port
Since we want to check both tcp and udp ports, we'll need to run two rounds of nmap. Below is an example to check all machines on the 192.168.1.0/24 network for the ports listed above. Naturally you should tailor the example appropriately.
root# nmap -sU -p 161,162,199,1993 192.168.1.0/24
root# nmap -p 162,199,391,705,1993 192.168.1.0/24
Any machine that has open ports will show results similar to the following:
Interesting ports on someprinter.example.com (192.168.1.100):
Port       State       Service
161/udp    open        snmp
Then it's time for you to turn off SNMP on that device or upgrade the SNMP software.
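As an added example (not code from the article), the following Python script derives the two nmap command lines from the service list above (so the TCP round also covers 161/tcp) and then parses the classic "Interesting ports on ..." nmap output into a per-host inventory of open SNMP-related ports. The nmap output it runs on is constructed sample text, not a real scan.

```python
import re
from collections import defaultdict

# (port, protocol) pairs taken from the article's service list.
SNMP_PORTS = {
    ("161", "udp"), ("162", "udp"), ("199", "udp"), ("1993", "udp"),
    ("161", "tcp"), ("162", "tcp"), ("199", "tcp"), ("391", "tcp"),
    ("705", "tcp"), ("1993", "tcp"),
}

def nmap_commands(target, ports=SNMP_PORTS):
    """Build the UDP (-sU) and TCP nmap command lines for the port table."""
    udp = sorted(int(p) for p, proto in ports if proto == "udp")
    tcp = sorted(int(p) for p, proto in ports if proto == "tcp")
    return ("nmap -sU -p %s %s" % (",".join(map(str, udp)), target),
            "nmap -p %s %s" % (",".join(map(str, tcp)), target))

HOST_RE = re.compile(r"^Interesting ports on (\S+) \((\d+(?:\.\d+){3})\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def open_snmp_ports(nmap_output):
    """Map each scanned IP to the SNMP-related ports nmap reported open.
    'open|filtered' (newer nmap's state for a silent UDP port) counts too."""
    found = defaultdict(list)
    host = None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(2)
            continue
        m = PORT_RE.match(line)
        if m and host:
            port, proto, state = m.group(1), m.group(2), m.group(3)
            if state.startswith("open") and (port, proto) in SNMP_PORTS:
                found[host].append((int(port), proto))
    return dict(found)

# Constructed sample output in the classic nmap layout (not a real scan).
SAMPLE = """\
Interesting ports on someprinter.example.com (192.168.1.100):
Port       State       Service
161/udp    open        snmp
162/udp    closed      snmp-trap

Interesting ports on corerouter.example.com (192.168.1.1):
Port       State       Service
161/udp    open        snmp
1993/udp   open|filtered snmp-tcp-port
"""
```

Feed it the saved output of both nmap rounds and every host it lists is one to visit: turn SNMP off there or upgrade its SNMP software.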
Somewhere, right now, someone is probably writing a worm to attack vulnerable SNMP installations. Make sure that you update your machines before it hits the Internet. Luckily, the nature of the vulnerabilities is that an exploit that would succeed against one type of machine, say a router, would crash the SNMP service on a different machine like your Linux server. However, losing your connectivity isn't a bundle of fun either.
Bri Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. He has been securing and breaking into computers since before he traded in his Apple ][+ for his first Unix system. Bri can be reached at email@example.com.
Copyright Bri Hatch, 2002.
This article was first published here in ITworld.com Inc., 118 Turnpike Rd., Southborough, MA 01772 on 26-Feb-2002.