CERT Warns of Flaw in Popular Network Protocol

The protocol used by the majority of Internet networks around the world is
at risk from a new vulnerability discovered by the Oulu University Secure
Programming Group (OUSPG) in Finland recently.

The Computer Emergency Response Team Coordination Center (CERT/CC) issued an advisory warning all network
administrators of a flaw in the Simple Network Management Protocol (SNMP),
the protocol used to remotely administer routers, switches and network
management systems.

The root causes of the flaw appear to be the ones that underlie most
vulnerabilities: buffer overflows and format string errors.

Ian Finlay, CERT/CC Internet security analyst, said vendors were contacted
last year about the vulnerability, giving them a chance to create a security
patch to address the problem before the rest of the world (notably hackers)
found out. All told, more than 240 vendors were contacted after the Oulu
group ran a test program against networks that use SNMP as their management protocol.

The problem is especially vexing because it can’t be pinned down to one
specific vendor, as is often the case with security vulnerabilities, but
must be corrected by many vendors.

If software vendors don’t get patches to their customers, CERT/CC predicts
“large-scale outages of these devices (that) could disable significant
portions of the global network.”

The biggest problem with patches, Finlay said, isn’t vendors getting them
published and out to their customers. It’s getting system administrators
to deploy those patches across their networks.

“As we’ve seen in the past, getting administrators to actually deploy the
patch is the other half of the (problem),” Finlay said. “We haven’t seen
any (breaches) yet, but we would expect because SNMP is so common and so
pervasively deployed that we may see that shortly.”

Vendors with vulnerable systems follow: Nokia, Lucent Technologies,
Caldera, Hewlett-Packard, Multinet, Lotus, Juniper Networks, 3Com, Novell,
Cisco Systems, Microsoft Corp., NET-SNMP, Lantronix, Marconi,
Computer Associates, Red Hat Linux, AdventNet, COMTEK Services Inc.,
Innerdive Solutions LLC, CacheFlow Inc., Hirschmann Electronics GmbH & Co.,
FreeBSD, SNMP Research, Redback Networks Inc., and Netscape Communications
Corp.

This is only a partial list of the vendors using SNMP; it’s unclear whether
others may be affected. CERT/CC recommends administrators visit its Web page
listing companies that are possibly affected by the vulnerability.

A Web page with security patches, by vendor, is available here.
Many listed in the previous paragraph already have patches available or
have release dates scheduled.

The organization reported that information about the SNMP vulnerability is
increasingly making its way through the hacker community, so it’s likely
only a matter of time before an enterprising cracker launches a distributed
denial of service (DDoS) attack to bring a network to its knees.

The flaw could also let hackers create a “back door” into devices using
SNMP, allowing them to break into the network once and return at their
leisure later.

Security experts warn that disabling SNMP as a defensive measure, which
would give administrators time to install a patch, is not an option for
many corporations around the world that conduct e-business, since billing
and ordering functions would be interrupted.

CERT/CC instead recommends the temporary stopgap of ingress filtering to
prevent outside machines from reaching SNMP services on corporate devices.
The organization recommends filtering ports 161/udp and 162/udp at the
network perimeter.

If the two measures above aren’t feasible, CERT/CC also suggests
restricting SNMP traffic to virtual private networks (VPNs) or to separate,
isolated management networks not available to the public.
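As an added illustration of the stopgap above (example code, not from the article or from CERT/CC), the following policy check applies the advisory's two ideas together: UDP traffic to 161 and 162 is rejected unless its source sits inside the organisation's own management network, while all other traffic is left alone so that business services keep running. The management subnet (10.20.0.0/24), the `Flow` record shape and the sample flows are all constructed for this example.

```python
"""Ingress-filter policy for SNMP (161/udp and 162/udp).

Added example, not from the CERT/CC advisory or the article. It evaluates
constructed flow records against a policy that permits SNMP only from an
assumed internal management network.
"""
import ipaddress
from dataclasses import dataclass

# Ports named in the advisory: 161/udp (agent requests), 162/udp (traps).
SNMP_PORTS = {161, 162}

# Assumed management subnet; a real deployment substitutes its own range.
MANAGEMENT_NET = ipaddress.ip_network("10.20.0.0/24")


@dataclass(frozen=True)
class Flow:
    """One inbound flow as a perimeter device would see it (constructed shape)."""
    src: str
    dst: str
    proto: str
    dport: int


def decision(flow: Flow, mgmt_net=MANAGEMENT_NET) -> str:
    """Return 'ALLOW' or 'DROP' for a single inbound flow.

    Only UDP to 161/162 counts as SNMP here; everything else passes through
    untouched, since disabling or blocking more than SNMP would interrupt
    the business traffic the article says must keep flowing.
    """
    if flow.proto.lower() != "udp" or flow.dport not in SNMP_PORTS:
        return "ALLOW"
    if ipaddress.ip_address(flow.src) in mgmt_net:
        return "ALLOW"  # management station inside the isolated network
    return "DROP"       # anything else: Internet or untrusted internal source


def filter_flows(flows):
    """Apply decision() to each flow; return a list of (flow, verdict) pairs."""
    return [(f, decision(f)) for f in flows]


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.20.0.5", "10.20.1.1", "udp", 161),     # management station polling
    Flow("198.51.100.7", "10.20.1.1", "udp", 161),  # Internet host -> SNMP agent
    Flow("203.0.113.9", "10.20.0.5", "udp", 162),   # external trap to our manager
    Flow("198.51.100.7", "10.20.1.1", "tcp", 443),  # unrelated web traffic
    Flow("198.51.100.7", "10.20.1.1", "udp", 53),   # DNS, not SNMP
]


def dropped_sources(flows=SAMPLE_FLOWS):
    """Sources whose SNMP traffic the filter rejects; a natural alert list."""
    return sorted({f.src for f, d in filter_flows(flows) if d == "DROP"})


if __name__ == "__main__":
    for flow, verdict in filter_flows(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.proto}/{flow.dport:<4} {flow.src} -> {flow.dst}")
```

Logging the sources that hit the DROP branch gives administrators the same signal the article anticipates: outside hosts probing SNMP ports after the advisory became public.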

SNMP 1 has been around since the early 1980s and several efforts have been
made to update the standard to SNMP 2 on a global basis, with no
success. Though there are some networks using SNMP 2 and SNMP 3, and some
networks have switched their remote administration protocol to remote
monitoring (RMON – which tells technicians more than whether the equipment
is functioning or not), most still use SNMP 1.

Finlay suspects that, given the nature of the vulnerability, versions two
and three are no more secure than SNMP 1.
