>>By setting variables, an attacker can modify the IP routing table
>>and the ARP table. An attacker can also bring interfaces up and down
>>and set critical networking parameters such as the default IP
>>time-to-live (TTL) and IP forwarding. These settings allow an attacker
>>to redirect network traffic, impersonate other machines or deny the
>>machine access to the network.

>Given that a typical local user who is allowed to read the community
>strings from the registry can unplug the network cable, this won't be an
>issue on most workstations with respect to the console user(s). It may be
>of more concern on a terminal server. This leaves the typical insecurities
>associated with SNMP, which affect any device running that protocol.

Actually, the main problem pointed out in the advisory is the fact that NT ships with a community name of "public" by default AND, unlike most SNMP agents, allows any community to be used to set important networking variables. The registry permissions were a side-note, which have been documented and known for many years as you said, however are still showing up frequently.

The real issue, which was previously not common knowledge, is that you can reconfigure important networking parameters on any default NT installation running Windows NT SNMP. In the past, certain firewalls shipped with NT SNMP enabled, and most people only thought that you could obtain information from these systems. This highlights the fact that you could also have changed the system's routing table, brought interfaces up and down, and turned on IP forwarding.

This is made worse by the fact that there was no way, prior to service pack 4, to restrict this functionality. If you knew the community name, you could set these variables. You weren't able to configure a community as read-only.

>>On NT 5.0, the permissions on this key will be set securely by
>>default.

>This isn't true, but NT 5.0 is beta software and very well could change
>before release.

According to Microsoft this will be the case.

Cheers,

- Oliver

Network Associates, Inc.
(408) 436-3304
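
The write access discussed in this message can be watched for on the wire. The following is an added example, not part of the original message or the advisory: a small BER decoder that classifies a captured SNMP datagram by PDU type and community string and reports which of the networking objects named above a request touches. It assumes SNMPv1/v2c framing; the function names and the sample datagram are constructed for illustration, and the object identifiers are the standard MIB-II ones.

```python
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}
# Standard MIB-II objects behind the parameters the advisory names.
SENSITIVE = {"1.3.6.1.2.1.4.1": "ipForwarding", "1.3.6.1.2.1.4.2": "ipDefaultTTL",
             "1.3.6.1.2.1.4.21": "ipRouteTable", "1.3.6.1.2.1.4.22": "ipNetToMediaTable",
             "1.3.6.1.2.1.2.2.1.7": "ifAdminStatus"}
# Constructed sample datagram: SetRequest, community "public", ipForwarding.0 = 1
SAMPLE_SET = bytes.fromhex("302702010004067075626c6963a31a020101020100020100"
                           "300f300d06082b06010201040100020101")

def tlv(buf, pos):  # read one BER TLV at pos -> (tag, value, next_pos)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def oid_str(raw):  # BER OBJECT IDENTIFIER body -> dotted string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def inspect(datagram):
    """Return (pdu_name, community, sensitive_objects), or None if unparseable."""
    try:
        tag, msg, _ = tlv(datagram, 0)
        _, _, p = tlv(msg, 0)                      # version
        ctag, community, p = tlv(msg, p)
        ptag, pdu, _ = tlv(msg, p)
        if tag != 0x30 or ctag != 0x04 or ptag not in PDU_NAMES:
            return None
        p = 0
        for _ in range(4):                         # 3 header ints, then varbind list
            _, binds, p = tlv(pdu, p)
        hits, p = [], 0
        while p < len(binds):
            _, varbind, p = tlv(binds, p)
            dotted = oid_str(tlv(varbind, 0)[1]) + "."
            hits += [n for pre, n in SENSITIVE.items() if dotted.startswith(pre + ".")]
        return PDU_NAMES[ptag], community.decode("latin-1"), hits
    except (IndexError, ValueError):
        return None
```

A monitor built on this would alert when `inspect()` returns `"SetRequest"` with a non-empty object list, and treat the community `"public"` in any SetRequest as a sign the agent still has its default configuration.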
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:23:50 PDT