[ISN] Most SNMP vulns remain dormant

From: InfoSec News (isnat_private)
Date: Fri Feb 22 2002 - 00:56:35 PST


    By Thomas C Greene in Washington
    Posted: 22/02/2002 at 07:51 GMT

    It's been over a week since CERT released a seemingly endless list of
    devices and software products containing SNMP vulnerabilities
    discovered by Finnish University of Oulu researchers, and to date very
    little bad has happened, no doubt to the disappointment of most news
    agencies. As the story drops off the media radar screen, it's
    important to keep in mind that threats to your system can't be
    measured by the amount of mainstream press coverage they receive.

    The PROTOS auditing suite developed by the Finnish researchers has
    been available for download at least since the original CERT advisory,
    and possibly longer. This means that while things are quiet, there's
    no question that industrious members of the blackhat development
    community are using it to advantage.

    For example, the PROTOS tool doesn't include a buffer overflow
    exploit, but researchers working with SANS were able to come up with a
    working buffer overflow to get root access to several versions of
    Linux in about two hours, Counterpane Security Architect Tina Bird
    remarked recently.

    "It's safe to say that they're not the only people who were able to do
    that," she added wryly.

    Linux and Solaris are definitely vulnerable to root access exploits,
    primarily via buffer overflows. But this won't always be easy to

    "Most messages in SNMP manager logs indicate test cases that don't jam
    the system up, but don't fit what the listener is expecting. It
    [merely] creates an error message that it can't understand the data,"
    Bird says.

    "An attacker who actually knows which test cases are causing the
    problem is going to write an exploit that only uses those. He's not
    going to take the system down."

    For this reason there may be serious SNMP attacks that go unnoticed
    for some time, until everyone gets accustomed to looking for the

    "One of the problems with system monitoring is that it's generally
    much easier to see attacks that fail than it is to see attacks that
    succeed," Bird notes.
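    Bird's point, that noisy failed test cases are easy to spot while a
    targeted attempt sending only the few malformed packets that matter is
    not, suggests a simple triage of agent logs by source. The following is
    an added example, not code from the article, from Counterpane or from
    any SNMP agent; the syslog-style line format, the error wording and the
    threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed syslog-style format. The message
# wording is invented for this example and does not copy any real agent.
SAMPLE_LOG = """\
Feb 21 10:01:02 host1 snmpd[311]: error: could not parse SNMP packet from 10.0.0.5
Feb 21 10:01:02 host1 snmpd[311]: error: could not parse SNMP packet from 10.0.0.5
Feb 21 10:01:03 host1 snmpd[311]: error: could not parse SNMP packet from 10.0.0.5
Feb 21 10:01:03 host1 snmpd[311]: error: could not parse SNMP packet from 10.0.0.5
Feb 21 10:05:44 host1 snmpd[311]: request from 10.0.0.9
Feb 21 10:07:10 host1 snmpd[311]: error: could not parse SNMP packet from 192.0.2.77
Feb 21 10:09:00 host1 snmpd[311]: request from 10.0.0.9
"""

# Assumed layout: "<daemon>[<pid>]: <message> from <source address>".
LINE_RE = re.compile(r"snmpd\[\d+\]: (?P<msg>.*) from (?P<src>[\d.]+)$")


def summarize(log_text):
    """Return {source: (parse_errors, valid_requests)} for the log text."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated or unparseable line; ignore it
        slot = 0 if m.group("msg").startswith("error:") else 1
        stats[m.group("src")][slot] += 1
    return {src: tuple(counts) for src, counts in stats.items()}


def triage(stats, noisy_threshold=3):
    """Heuristic verdict per source (an assumption for this example):
    'noisy'  - many parse errors, the loud signature of fuzzing-style
               test cases that fail against the listener;
    'quiet'  - only a few malformed packets and no valid traffic, which is
               what a sender using just the cases that matter looks like
               and so deserves a closer look;
    'normal' - valid traffic, at most a stray error."""
    verdicts = {}
    for src, (errors, valid) in stats.items():
        if errors >= noisy_threshold:
            verdicts[src] = "noisy"
        elif errors and not valid:
            verdicts[src] = "quiet"
        else:
            verdicts[src] = "normal"
    return verdicts
```

    The "quiet" bucket is the one Bird's remark is about: a low error count
    with no legitimate traffic from the same source is a weak signal on its
    own, but it is the kind of entry that never surfaces when only error
    volume is watched.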
    Another useful tip from Counterpane: if SNMP is disabled on Solaris
    and the system is subsequently patched, it's possible that the patch
    will re-enable it, so this has to be checked.

    There's another free SNMP scanner available, called SNScan from
    Foundstone. It will take lists of IPs, but apparently not machine
    names. It also runs only on Windows, like SNMPing from SANS. Both
    tools will scan a wide range of equipment, however.

    Again, the best single source of information and links to vendor
    bulletins is the CERT advisory, which has been updated over forty
    times since it was created last week.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Feb 22 2002 - 04:09:46 PST