
Original Publication Date: February 13, 2002

(Accompanying <a
href="http://www.cert.org/advisories/CA-2002-03.html">CERT 
advisory CA-2002-03</a>)
<br>

<!-- begin index -->
<ol>
<li><a href="#1">What is SNMP?</a>
<li><a href="#2">How is SNMP vulnerable?</a>
<li><a href="#3">Is our network or system in danger of attack?</a>
<li><a href="#4">What can happen if we are attacked?</a>
<li><a href="#5">How can we protect our network or system?</a>
<li><a href="#6">Are there any alternatives to using SNMP?</a>
<li><a href="#7">Do these vulnerabilities affect home users?</a>
<li><a href="#8">What are managers and agents?</a>
<li><a href="#9">What is a community string and how is it used?</a>
<li><a href="#10">What protocols/ports does SNMP use?</a>
<li><a href="#11">Where can I find the specifications for 
SNMP?</a>
<li><a href="#12">Where can I find additional information about 
SNMP?</a>
<li><a href="#13">Has the CERT/CC received any reports of SNMP 
scanning?</a>
<li><a href="#14">I have detected scanning of my network or systems
for SNMP. Should I report that to the CERT/CC?</a>
<li><a href="#15">Has the CERT/CC received any reports of exploitation
of these vulnerabilities?</a>
<li><a href="#16">An intruder has exploited these SNMP vulnerabilities
on my system. What should I do?</a>
<li><a href="#17">I am not a vendor, but I use or otherwise have
first-hand knowledge of an SNMP product that is vulnerable, but it is
not on the CERT/CC's list. Should I report that to the CERT/CC?</a>
<li><a href="#18">Our company manufactures a product that uses SNMP,
and we think it might be vulnerable, but we are not sure. How can we
get more information on these vulnerabilities?</a>
<li><a href="#19">Our company manufactures a product that uses SNMP,
and we know it to be affected by these vulnerabilities, but we are not
listed in any of your vendor statements. How can we get added to your
list of vendors?</a>
<li><a href="#20">Our company manufactures a product that uses SNMP,
but we know it is not affected by these vulnerabilities. Nonetheless,
we are being swamped with calls to our help desk about this issue. We
are not currently listed in any of your vendor statements, but we'd
like to be. How can we get added to your list of vendors?</a>
<li><a href="#21">Who is OUSPG?</a>
</ol>

<!-- end index -->

<hr>

<ol>
<a name="1"></a>
<li><b>What is SNMP?</b>
<blockquote>
<p>
The Simple Network Management Protocol (SNMP) is the most popular 
protocol in use to manage networked devices. SNMP was designed in the 
late 1980s to facilitate the exchange of management information between 
networked devices, operating at the application layer of the ISO/OSI 
model. The SNMP protocol enables network and system administrators to 
remotely monitor and configure devices on the network (devices such as 
switches and routers). Software and firmware products designed for 
networks often make use of the SNMP protocol. Support for SNMP is 
available on a multitude of systems, including, but not limited to, 
<br><br>
<ul type="disc">
<li>Core Network Devices (Routers, Switches, Hubs, Bridges, and 
Wireless Network Access Points) 
<li>Operating systems (on nearly all architectures)
<li>Consumer Broadband Network Devices (Cable Modems and DSL 
Modems) 
<li>Consumer Electronic Devices (Cameras and Image Scanners) 
<li>Networked Office Equipment (Printers, Copiers, and FAX 
Machines) 
<li>Network and Systems Management/Diagnostic Frameworks (Network 
Sniffers and Network Analyzers) 
<li>Uninterruptible Power Supplies (UPS)
<li>Networked Medical Equipment (Imaging Units and Oscilloscopes) 
<li>Manufacturing and Processing Equipment 
</ul>
</p>
</blockquote>

<a name="2"></a> 
<li><b>How is SNMP vulnerable?</b>
<blockquote>

<p>
The vulnerabilities affect both manager and agent software (see "<a
href="#8">What are managers and agents?</a>" for an explanation of
these terms). Vulnerabilities in both managers and agents include
denial-of-service conditions, format string vulnerabilities, and
buffer overflows. Some of the vulnerabilities do not require the
malicious packet to use the proper community string (see "<a
href="#9">What is a community string and how is it used?</a>").
Several of the more serious vulnerabilities allow the execution of
arbitrary code by a remote unauthenticated attacker. Refer to CERT
advisory CA-2002-03 (<a 
href="http://www.cert.org/advisories/CA-2002-03.html">http://www.cert.org/advisories/CA-2002-03.html</a>)
for a detailed description of the vulnerabilities.
</p>
</blockquote>

<a name="3"></a>
<li><b>Is our network or system in danger of attack?</b>
<blockquote><p>
Because of the relatively large number of products that support SNMP, 
it is unlikely that our list of affected products is comprehensive.  
Therefore, if you use products that support SNMP, we encourage you to 
first refer to CERT advisory CA-2002-03 
(<a 
href="http://www.cert.org/advisories/CA-2002-03.html">http://www.cert.org/advisories/CA-2002-03.html</a>)  
for a partial list 
of affected vendors and products.  If your vendor(s) are not listed 
you should contact them directly for more information to ensure your 
system is protected.  
</p>
</blockquote>

<a name="4"></a>
<li><b>What can happen if we are attacked?</b>
<blockquote><p>
Exploitation of these vulnerabilities can cause denial-of-service 
conditions, service interruptions, and in some cases will allow an 
attacker to gain unauthorized, privileged access to the affected 
device. Effects for some specific products can be found in CERT 
advisory CA-2002-03 
(<a 
href="http://www.cert.org/advisories/CA-2002-03.html">http://www.cert.org/advisories/CA-2002-03.html</a>).  
Contact your vendor(s) for additional information on other products.
</p>
</blockquote>



<a name="5"></a>
<li><b>How can we protect our network or system?</b>
<blockquote><p>
A number of steps can be taken to improve the security of systems 
relying on SNMP:
<br><br> 
<ul type="disc">
<li>Apply a patch from your vendor.
<li>Disable all nonessential SNMP software.
<li>Filter SNMP access to managed devices to ensure the traffic 
originates from known management systems.
<li>Filter SNMP services at your network perimeter (ingress/egress 
filtering).
<li>Change SNMP community strings from their defaults.
<li>Segregate network management traffic onto a separate network.
</ul>
<br>
Refer to CERT advisory CA-2002-03 
(<a 
href="http://www.cert.org/advisories/CA-2002-03.html">http://www.cert.org/advisories/CA-2002-03.html</a>) 
for more details and 
the most recent information regarding recommended solutions.
</p>
</blockquote>

<a name="6"></a>
<li><b>Are there any alternatives to using SNMP?</b>
<blockquote><p>
Although there aren't many practical alternatives to SNMP, there are 
steps that administrators can take to better secure their systems that 
use SNMP.  See the <a href="#5">"How can we protect our network or system?"</a> section 
above or refer to CERT Advisory CA-2002-03 
(<a 
href="http://www.cert.org/advisories/CA-2002-03.html">http://www.cert.org/advisories/CA-2002-03.html</a>) 
for more information.
</p>
</blockquote>

<a name="7"></a>
<li><b>Do these vulnerabilities affect home users?</b>
<blockquote><p>

Most home users are not directly affected by these vulnerabilities.  
However, home users with more advanced configurations may be at risk.  
If you use one or more of the following in your home system or 
network, additional steps might be necessary to ensure protection:
<br><br>
<ul type="disc">
<li>Microsoft Windows operating systems with SNMP services enabled
<li>advanced operating systems (e.g., 
Linux or other Unix operating systems)
<li>network-based router appliances
<li>network-based firewall appliances
<li>wireless Ethernet (802.11a/b) access points
</ul>
<br>
Note that in many cases SNMP services are not enabled by default, so 
merely using one or more of the products above does not mean that you 
are definitely vulnerable. Home users with one or more of the above 
technologies in use on their home networks are encouraged to refer to 
CERT advisory CA-2002-03 
(<a 
href="http://www.cert.org/advisories/CA-2002-03.html">http://www.cert.org/advisories/CA-2002-03.html</a>) 
for a partial list of 
affected vendors and products.  If your vendors are not listed you 
should contact them directly for more information to ensure your 
system is protected.  
</p>
</blockquote>

<a name="8"></a>
<li><b>What are managers and agents?</b>
<blockquote><p>
SNMP is built around the concept of "managers" and "agents."  Manager 
software (commonly installed on a network management system) makes 
requests to agent software running on a host or device to gather data 
on the operational status, configuration, or performance statistics of 
that system (polling).  Some agents allow configuration parameters to 
be changed by managers, while others provide read-only statistics and 
configuration information.  Additionally, agents can generate ad hoc 
messages to manager systems to inform them of unusual events (traps).
</p></blockquote>



<a name="9"></a>
<li><b>What is a community string and how is it used?</b>
<blockquote><p>
The community string (a.k.a. community name) provides a weak 
authentication mechanism to the SNMP protocol.  Agents can be 
configured to allow read-only, read-write, or no access to their 
parameters based on the community string in a request.  Community 
strings are passed in clear text in SNMP messages, so they can be 
easily sniffed and are therefore insufficient for authenticating 
legitimate manager requests.  
</p><p>
Note that many of the vulnerabilities described in CERT advisory 
CA-2002-03 (<a 
href="http://www.cert.org/advisories/CA-2002-03.html">http://www.cert.org/advisories/CA-2002-03.html</a>) 
do <b>not</b> require an attacker to know the configured community 
strings in order to exploit the vulnerability.
</p></blockquote>
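<p>As an added example (not part of the CERT tech tip), the Python below decodes the SNMPv1/v2c message header from a constructed GetRequest datagram: the community string is a plain OCTET STRING, so it reads straight out of the bytes on the wire, and a monitoring rule can flag the defaults "public" and "private". Every BER length is bounds-checked, so a message that declares more data than it carries is rejected rather than over-read. The packets, the function names and the "sysDescr.0" OID choice are this example's own assumptions.</p>

```python
# Added example, not part of CERT's tech tip: a bounds-checked decoder for the
# SNMPv1/v2c message header.  It shows that the community string is carried in
# clear text (a capture on 161/udp reveals it) and flags default community
# names.  All packets here are constructed by hand, not captured traffic.

DEFAULT_COMMUNITIES = {"public", "private"}


def tlv(tag, value):
    """Encode one short-form BER element (value shorter than 128 bytes)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def build_get_request(community, version=0):
    """Constructed SNMP GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0)."""
    varbind = tlv(0x30, tlv(0x06, bytes.fromhex("2b06010201010100")) + tlv(0x05, b""))
    pdu = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")
              + tlv(0x30, varbind))          # request-id, error-status, error-index, varbinds
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, community) + pdu)


def read_tlv(buf, pos):
    """Decode the BER element at buf[pos]; return (tag, value, next_pos).

    Every declared length is checked against the bytes actually present, so a
    message that claims more data than it carries is rejected, not over-read.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low bits give the length of the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("declared length exceeds datagram")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(datagram):
    """Return (version, community, pdu_tag) from an SNMPv1/v2c datagram."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("message is not a SEQUENCE")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    version = int.from_bytes(ver, "big")
    if version not in (0, 1):                # v3 carries no community string; out of scope here
        raise NotImplementedError("not a community-based (v1/v2c) message")
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    pdu_tag, _, _ = read_tlv(body, pos)
    return version, community.decode("latin-1"), pdu_tag


def audit_datagram(datagram):
    """Classify a 161/udp payload for a monitoring rule."""
    try:
        _, community, _ = parse_snmp_header(datagram)
    except NotImplementedError:
        return "other-version"
    except ValueError:
        return "malformed"                   # the input class the OUSPG-style test suites exercise
    return "default-community" if community in DEFAULT_COMMUNITIES else "custom-community"


SAMPLE_GET = build_get_request(b"public")                 # constructed; "public" is readable as-is
SAMPLE_BAD = SAMPLE_GET[:6] + b"\x7f" + SAMPLE_GET[7:]    # community length now claims 127 bytes

if __name__ == "__main__":
    print(SAMPLE_GET.hex(), parse_snmp_header(SAMPLE_GET))
    print(audit_datagram(SAMPLE_GET), audit_datagram(SAMPLE_BAD))
```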

<a name="10"></a>
<li><b>What protocols/ports does SNMP use?</b>
<blockquote><p>
SNMP uses 161/udp for general purpose (request/response) 
communications, and 162/udp for traps.  Additionally, the SNMP 
multiplexing protocol (smux, defined in RFC1227 
<a 
href="http://www.ietf.org/rfc/rfc1227.txt">http://www.ietf.org/rfc/rfc1227.txt</a>) uses 199/tcp.  Another SNMP 
extension, the AgentX protocol (RFC2741, 
<a 
href="http://www.ietf.org/rfc/rfc2741.txt">http://www.ietf.org/rfc/rfc2741.txt</a>) 
uses 705/tcp.
</p>
</blockquote>


<a name="11"></a>
<li><b>Where can I find the specifications for SNMP?</b>
<blockquote><p> 
The current SNMPv1 standard is defined in the Internet Engineering 
Task Force (IETF) STD0015 / RFC1157 
(<a 
href="http://www.ietf.org/rfc/rfc1157.txt">http://www.ietf.org/rfc/rfc1157.txt</a>).  
There are also a number of 
draft and proposed standards for SNMPv2 and SNMPv3.  Refer to IETF 
STD0001 / RFC3000 (<a 
href="http://www.ietf.org/rfc/rfc3000.txt">http://www.ietf.org/rfc/rfc3000.txt</a>) 
for the current status of the various SNMP-related RFCs. 
</p>
</blockquote>

<a name="12"></a>
<li><b>Where can I find additional information about SNMP?</b>
<blockquote><p>
The comp.protocols.snmp FAQ may be found at <br><br>

<a 
href="http://www.faqs.org/faqs/snmp-faq/part1/">http://www.faqs.org/faqs/snmp-faq/part1/</a> 
and<br> 
<a 
href="http://www.faqs.org/faqs/snmp-faq/part2/">http://www.faqs.org/faqs/snmp-faq/part2/</a><br>
<br>
There are a number of SNMP-related Working Groups in the "Operations 
and Management" area of the IETF (<a 
href="http://www.ietf.org/">http://www.ietf.org/</a>).
</p>
</blockquote>

<a name="13"></a>
<li><b>Has the CERT/CC received any reports of SNMP scanning?</b>
<blockquote><p>
As of 9:25 EST (UTC-0500) February 12, 2002, we have received reports of scanning for SNMP services related to these 
vulnerabilities and are working to verify them.  New incident reports are 
being sent to the CERT/CC 
all the time, though, so you are encouraged to refer to our Current 
Activity page (<a 
href="http://www.cert.org/current/current_activity.html">http://www.cert.org/current/current_activity.html</a>) 
for the latest information on incident trends.
</p>
</blockquote> 

<a name="14"></a>
<li><b>I have detected scanning of my network or systems for SNMP.  
Should I 
report that to the CERT/CC?</b>
<blockquote>
<p>
If you have detected scanning for SNMP services on your network, you 
should first determine whether this scanning has led to a compromise 
or not.  You may wish to refer to our Intruder Detection Checklist 
(<a 
href="http://www.cert.org/tech_tips/intruder_detection_checklist.html">http://www.cert.org/tech_tips/intruder_detection_checklist.html</a>) 
for 
additional tips on determining whether a compromise has occurred.  
</p><p>
Once you are certain that no compromise has occurred and the impact 
was limited to scanning only, you are encouraged to report this 
activity to the CERT/CC using our Incident Reporting Form, available 
at <a 
href="http://www.cert.org/reporting/incident_form.txt">http://www.cert.org/reporting/incident_form.txt</a>.
</p><p>
Reporting scanning activity to the CERT/CC will help us better assist 
you, and allow us to relate ongoing intruder activities. This also 
provides us a better overview of trends in attack profiles and 
provides input for other CERT documents such as advisories and 
summaries. We prefer that Incident Reporting Forms be sent to us via 
email to <a href="mailto:cert@cert.org">cert@cert.org</a>. 
</p></blockquote>

<a name="15"></a>
<li><b>Has the CERT/CC received any reports of exploitation of these 
vulnerabilities? </b>
<blockquote><p>
As of 9:25 EST (UTC-0500) February 12, 2002, we have received reports of exploitation of SNMP services related to these 
vulnerabilities and are working to verify them.  New incident reports 
are being sent to the CERT/CC 
all the time, though, so you are encouraged to refer to our Current 
Activity page (<a 
href="http://www.cert.org/current/current_activity.html">http://www.cert.org/current/current_activity.html</a>) 
for the latest information on incident trends.
</p>
</blockquote> 


<a name="16"></a>
<li><b>An intruder has exploited these SNMP vulnerabilities on my 
system.  
What should I do?</b>
<blockquote>
<p>
As described in CERT advisory CA-2002-03 
(<a 
href="http://www.cert.org/advisories/CA-2002-03.html">http://www.cert.org/advisories/CA-2002-03.html</a>), 
exploitation of 
these SNMP vulnerabilities can cause denial-of-service conditions, 
service interruptions, and in some cases will allow an attacker to 
gain unauthorized, privileged access to the affected device(s).  
</p><p>
If you suspect that your system may have been compromised, you may 
wish to refer to our Intruder Detection Checklist 
(<a 
href="http://www.cert.org/tech_tips/intruder_detection_checklist.html">http://www.cert.org/tech_tips/intruder_detection_checklist.html</a>).  
Once you have confirmed that a compromise has occurred, please refer 
to our Steps for Recovering from a UNIX or NT System Compromise 
(<a 
href="http://www.cert.org/tech_tips/root_compromise.html">http://www.cert.org/tech_tips/root_compromise.html</a>).
</p><p>
Regardless of whether the exploitation resulted in system compromise 
or denial-of-service, we would appreciate it if you would complete and 
return an Incident Reporting Form as this will help us better assist 
you, and allow us to relate ongoing intruder activities. This also 
provides us a better overview of trends in attack profiles and 
provides input for other CERT documents such as advisories and 
summaries. We prefer that Incident Reporting Forms be sent to us via 
email to cert@cert.org. The Incident Reporting Form is available from 
<a 
href="http://www.cert.org/reporting/incident_form.txt">http://www.cert.org/reporting/incident_form.txt</a>.
</p></blockquote>

<a name="17"></a>
<li><b>I am not a vendor, but I use or otherwise have first-hand 
knowledge of 
an SNMP product that is vulnerable, but it is not on the CERT/CC's 
list.  Should I report that to the CERT/CC?</b>
<blockquote><p>
If you have first-hand knowledge of an SNMP product that is vulnerable 
to either of these vulnerabilities, and that product or vendor is not 
listed in CERT advisory CA-2002-03 
(<a 
href="http://www.cert.org/advisories/CA-2002-03.html">http://www.cert.org/advisories/CA-2002-03.html</a>), 
you are encouraged 
to contact us using our Product Vulnerability Reporting Form.  This 
form can be found at 
<a 
href="http://www.cert.org/reporting/vulnerability_form.txt">http://www.cert.org/reporting/vulnerability_form.txt</a>.
<br><br>
Please send the completed form to <a 
href="mailto:cert@cert.org?subject=CA-2002-03%20Feedback%20VU%23617947">cert@cert.org</a>
with VU#617947 in the subject line.
</p>
</blockquote>

<a name="18"></a>
<li><b>Our company manufactures a product that uses SNMP, and we think 
it 
might be vulnerable, but we are not sure.  How can we get more 
information on these vulnerabilities?</b>
<blockquote><p>
The CERT/CC encourages any vendors whose products are affected 
(whether vulnerable or not) by these or any other security 
vulnerabilities to contact us so that we can establish a working 
relationship on this and any future issues that may arise.  If you are 
authorized to represent your organization on this issue, please 
contact the CERT/CC via our hotline at +1 412-268-7090.  CERT/CC 
personnel answer 8:00 a.m. - 5:00 p.m. EST (GMT-5) / EDT (GMT-4) on 
working days; they are on call for emergencies during other hours and 
on weekends and holidays.
</p>
</blockquote>

<a name="19"></a>
<li><b>Our company manufactures a product that uses SNMP, and we know 
it to 
be affected by these vulnerabilities, but we are not listed in any of 
your vendor statements.  How can we get added to your list of 
vendors?</b>
<blockquote><p>
The CERT/CC encourages any vendors whose products are affected 
(whether vulnerable or not) by these or any other security 
vulnerabilities to contact us so that we can establish a working 
relationship on this and any future issues that may arise.  If you are 
authorized to represent your organization on this issue, please 
contact the CERT/CC via our hotline at +1 412-268-7090.  CERT/CC 
personnel answer 8:00 a.m. - 5:00 p.m. EST (GMT-5) / EDT (GMT-4) on 
working days; they are on call for emergencies during other hours and 
on weekends and holidays.
</p>
</blockquote>

<a name="20"></a>
<li><b>Our company manufactures a product that uses SNMP, but we know 
it is 
not affected by these vulnerabilities.  Nonetheless, we are being 
swamped with calls to our help desk about this issue.  We are not 
currently listed in any of your vendor statements, but we'd like to 
be.  How can we get added to your list of vendors?</b>
<blockquote><p>
The CERT/CC encourages any vendors whose products are affected 
(whether vulnerable or not) by these or any other security 
vulnerabilities to contact us so that we can establish a working 
relationship on this and any future issues that may arise.  If you are 
authorized to represent your organization on this issue, please 
contact the CERT/CC via our hotline at +1 412-268-7090.  CERT/CC 
personnel answer 8:00 a.m. - 5:00 p.m. EST (GMT-5) / EDT (GMT-4) on 
working days; they are on call for emergencies during other hours and 
on weekends and holidays.
</p>
</blockquote>

<a name="21"></a>
<li><b>Who is OUSPG?</b>
<blockquote><p>
The Oulu University Secure Programming Group (OUSPG) is an academic 
research group located at Oulu University in Finland. The purpose of 
this research group is to test software for vulnerabilities. 
</p><p>
History has shown that the techniques used by the OUSPG have 
discovered a large number of previously undetected problems in the 
products and protocols they have tested. Earlier this year, the OUSPG 
produced a comprehensive test suite for evaluating implementations of 
the Lightweight Directory Access Protocol (LDAP). This test suite was 
developed with the strategy of abusing the protocol in unsupported and 
unexpected ways, and it was very effective in uncovering a wide 
variety of vulnerabilities across several products. This approach can 
reveal vulnerabilities that would not manifest themselves under normal 
conditions. 
</p>
</blockquote>

</ol>

<!-- end faq content -->

<hr noshade>
Copyright 2002 Carnegie Mellon University<br>
CERT<sup>®</sup> and CERT Coordination Center<sup>®</sup> are 
registered in the U.S. Patent 
and Trademark office.<br><br>
<small><small>
Last updated February 13, 2002
</small></small>