[ISN] Plugging Holes In SNMP

From: mea culpa (jerichoat_private)
Date: Sun Nov 08 1998 - 02:57:13 PST

    Forwarded From: "Betty G.O'Hearn" <bettyat_private>
    Plugging Holes In SNMP
    11/7/98 8:49 AM  
    Nov. 06, 1998 (InternetWeek - CMP via COMTEX) -- Hackers seeking back
    doors into corporate networks could target weaknesses in SNMP management
    systems, security experts warned last week.
       Vulnerabilities in the Simple Network Management Protocol, a 9-year-old
    Internet Engineering Task Force (IETF) standard, were brought to light by
    a team of network penetration experts from Internet Security Systems Inc.,
    which issued alerts about management software from Hewlett-Packard and Sun
       Community strings, hidden passwords for user authentication found in
    SNMPv1 and v2, could allow attackers to change system parameters, kill
    processes and disrupt network services, according to ISS experts. Both
    vendors have issued patches to plug the security holes, but the alerts are
    likely to prompt many IT managers to upgrade to the more secure SNMPv3
    sooner than planned.
       Since its inception, SNMP has lacked strong authentication and privacy
    functions; these features were planned for later versions, said Jeff Case,
    a co-author of SNMP and president of SNMP Research International, a
    developer of SNMP products and toolkits.
       "I don't doubt there are vulnerabilities. What these reports are saying
    is that SNMPv1 is not safe. Well, it has never been and never will be," 
    Case said.
       But SNMPv3 was developed with security in mind. The protocol provides
    users with stronger access control, authorization, authentication and
    privacy, Case said. 
       Other vendors are getting the message, too. A number of vendors have
    SNMPv3-compliant products in the works. They include Advent Network
    Management, Cisco, Hewlett-Packard, IBM/Tivoli Systems, Interworking Labs,
    Liebert and Nortel/Bay Networks.
       Some implementations will be available by year's end. For example,
    SNMPv3 will be incorporated in Cisco Internetwork Operating Software
    version 12.0.3 by December. The vendor plans to incorporate the protocol
    into all of its routers, a spokesman said.
       An SNMPv3-compliant version of Bay Networks' System 5000 switch will
    ship in April, and the Accelar Layer 3 routing switch will support the
    protocol by mid-year, said Chris Mangan, a Bay product manager.
       Owners of penetration services, home to so-called "ethical hackers," 
    said user ignorance of SNMP vulnerabilities exposes organizations to
    attacks. "SNMP is the way we break into machines," said Jeff Moss,
    director of Secure Computing Inc.'s penetration services. "Even if you
    don't have access to community strings, you can cause a lot of confusion." 
       Users of SNMP-based management systems usually leave them "turned on to
    routers or firewalls, and a [hacker] can pull information off the router
    and look at router tables," Moss explained. Although this might not get
    the hacker into the network, it's yet another piece of information that
    can be used to gain access, he added. 
       Companies will have to be more vigilant as attackers not only target
    operating systems but other devices such as network management systems,
    said Chris Ruoland, director of ISS' X Force penetration team. 
       However, Drew Williams, the head of Axent Technologies' SWAT team,
    questioned whether hackers are targeting SNMP systems.
       "I don't believe that there is an influx of framework-targeted
    attacks," he said. Instead, there is a trend among users to integrate more
    security functions such as intrusion detection with their management
    frameworks, he said.
       The community string vulnerability lets a remote attacker take over
    root privileges and gain unauthorized access to SNMP variables, according
    to ISS' Ruoland.
       But SNMPv3 doesn't use community strings, Case said. Users can retain
    them for backward compatibility to SNMPv1 and v2, but v3 uses a
    cryptographic technique to secure data.
       HP systems affected by the vulnerability include HP OpenView 5.02 and
    HP-UX 9.x and HP-UX 10.x. SNMP agent software installed with OpenView as
    well as HP OpenView Solaris 2.x. HP OpenView for Windows NT is not
    vulnerable, ISS said.
       The vulnerability affects Sun Solstice Enterprise Agent software
    version 1.0.2 or earlier as well as the Solaris 2.6 operating systems. 
    The company has issued a fix and expects to implement SNMPv3 in the
    future, a Sun spokesman said.
       By: Rutrell Yasin 
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:10:40 PDT