Forwarded From: "Betty G.O'Hearn" <bettyat_private>

Plugging Holes In SNMP
11/7/98 8:49 AM

Nov. 06, 1998 (InternetWeek - CMP via COMTEX) -- Hackers seeking back doors into corporate networks could target weaknesses in SNMP management systems, security experts warned last week.

Vulnerabilities in the Simple Network Management Protocol, a 9-year-old Internet Engineering Task Force (IETF) standard, were brought to light by a team of network penetration experts from Internet Security Systems Inc., which issued alerts about management software from Hewlett-Packard and Sun Microsystems.

Community strings, hidden passwords for user authentication found in SNMPv1 and v2, could allow attackers to change system parameters, kill processes and disrupt network services, according to ISS experts.

Both vendors have issued patches to plug the security holes, but the alerts are likely to prompt many IT managers to upgrade to the more secure SNMPv3 sooner than planned.

Since its inception, SNMP has lacked strong authentication and privacy functions; these features were planned for later versions, said Jeff Case, a co-author of SNMP and president of SNMP Research International, a developer of SNMP products and toolkits.

"I don't doubt there are vulnerabilities. What these reports are saying is that SNMPv1 is not safe. Well, it has never been and never will be," Case said.

But SNMPv3 was developed with security in mind. The protocol provides users with stronger access control, authorization, authentication and privacy, Case said.

Other vendors are getting the message, too. A number of vendors have SNMPv3-compliant products in the works. They include Advent Network Management, Cisco, Hewlett-Packard, IBM/Tivoli Systems, Interworking Labs, Liebert and Nortel/Bay Networks.

Some implementations will be available by year's end. For example, SNMPv3 will be incorporated in Cisco Internetwork Operating Software version 12.0.3 by December. The vendor plans to incorporate the protocol into all of its routers, a spokesman said.

An SNMPv3-compliant version of Bay Networks' System 5000 switch will ship in April, and the Accelar Layer 3 routing switch will support the protocol by mid-year, said Chris Mangan, a Bay product manager.

Owners of penetration services, home to so-called "ethical hackers," said user ignorance of SNMP vulnerabilities exposes organizations to attacks.

"SNMP is the way we break into machines," said Jeff Moss, director of Secure Computing Inc.'s penetration services. "Even if you don't have access to community strings, you can cause a lot of confusion."

Users of SNMP-based management systems usually leave them "turned on to routers or firewalls, and a [hacker] can pull information off the router and look at router tables," Moss explained. Although this might not get the hacker into the network, it's yet another piece of information that can be used to gain access, he added.

Companies will have to be more vigilant as attackers not only target operating systems but other devices such as network management systems, said Chris Ruoland, director of ISS' X Force penetration team.

However, Drew Williams, the head of Axent Technologies' SWAT team, questioned whether hackers are targeting SNMP systems.

"I don't believe that there is an influx of framework-targeted attacks," he said. Instead, there is a trend among users to integrate more security functions such as intrusion detection with their management frameworks, he said.

The community string vulnerability lets a remote attacker take over root privileges and gain unauthorized access to SNMP variables, according to ISS' Ruoland.

But SNMPv3 doesn't use community strings, Case said. Users can retain them for backward compatibility to SNMPv1 and v2, but v3 uses a cryptographic technique to secure data.

HP systems affected by the vulnerability include HP OpenView 5.02 and HP-UX 9.x and HP-UX 10.x. SNMP agent software installed with OpenView as well as HP OpenView Solaris 2.x. HP OpenView for Windows NT is not vulnerable, ISS said.

The vulnerability affects Sun Solstice Enterprise Agent software version 1.0.2 or earlier as well as the Solaris 2.6 operating systems. The company has issued a fix and expects to implement SNMPv3 in the future, a Sun spokesman said.

By: Rutrell Yasin