more SNMP notes

From: Robert Graham (robert_david_grahamat_private)
Date: Tue Feb 12 2002 - 16:45:49 PST


    Some quick key points:
    
    This is big. I strongly recommend disabling SNMP on as many devices as
    possible.
    
    It isn't a single vulnerability, but a suite of potentially hundreds of
    vulnerabilities.
    
    This is just the beginning, more will be coming.
    
    These problems aren't new; they have been known since the early 1990s. It's
    just that SNMP developers have always thought of them as "bugs" rather than
    "vulnerabilities".
    
    Thousands of different devices, such as printers, are vulnerable. Somebody is
    going to develop an exploit that compromises the printer and forwards copies of
    everything printed back out to the hacker. This is only one example of the
    severity of the problem - there are many closed systems that cannot be updated;
    you can often disable SNMP, but you cannot update it and fix the bugs.
    
    You should also block UDP port 7 (echo) on your firewalls. Spoofed SNMP
    requests can be bounced off of such ports.
    
    Don't rely upon IP access control lists to protect you. UDP is stateless and
    packets can be spoofed.
    
    SNMP has always been a huge vulnerability, even when it could not be directly
    exploited. Your first impulse should always be to disable it. There are
    exploits that have been used in the underground for years that still haven't
    made it to bugtraq.
    
    Some older versions of Solaris (2.6?) put an SNMP service at a port in the range
    32768-32800 (same vulnerability as putting a portmapper at a high port). This
    wasn't mentioned in the CERT advisory. If you are a heavy Sun shop, these
    should be blocked anyway.
    
    Monitor the "snmp" group at 1.3.6.1.2.1.11. Some of these statistics will track
    some of the bad stuff that these exploits generate. It's a poor-man's network
    IDS to detect people playing around on your network.
    
    Robert Graham
    
    
    
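The "poor-man's IDS" idea in the post above, worked through as an added example (this is editor-supplied code, not part of Robert Graham's message). It assumes you already poll the snmp group with something like `snmpwalk -On` and have its text output on hand; the two polls below are constructed sample data. The counter names and sub-OIDs (snmpInBadVersions = .3, snmpInBadCommunityNames = .4, snmpInBadCommunityUses = .5, snmpInASNParseErrs = .6 under 1.3.6.1.2.1.11) are the MIB-II definitions from RFC 1213. The alert threshold of 10 per polling interval is an arbitrary assumption to tune per device.

```python
import re

# MIB-II "snmp" group (RFC 1213), the subtree the post suggests watching.
SNMP_GROUP = "1.3.6.1.2.1.11"

# Sub-identifier -> counter name, for the counters relevant to detection.
COUNTERS = {
    "1": "snmpInPkts",
    "3": "snmpInBadVersions",        # malformed/odd version fields
    "4": "snmpInBadCommunityNames",  # community-string guessing
    "5": "snmpInBadCommunityUses",   # e.g. SET attempts with a read-only community
    "6": "snmpInASNParseErrs",       # malformed BER, what fuzzed packets tend to produce
}
# Counters whose growth is suspicious; snmpInPkts is kept only for context.
WATCHED = set(COUNTERS.values()) - {"snmpInPkts"}

# One line of `snmpwalk -On` output, e.g. ".1.3.6.1.2.1.11.6.0 = Counter32: 4"
LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*Counter32:\s*(?P<val>\d+)\s*$")

COUNTER32_MODULUS = 2 ** 32  # Counter32 wraps around at 2^32


def parse_snmp_group(text):
    """Return {counter_name: value} for the snmp-group counters in a walk dump."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid = m.group("oid")
        if not oid.startswith(SNMP_GROUP + "."):
            continue
        sub_id = oid[len(SNMP_GROUP) + 1:].split(".")[0]  # "6.0" -> "6"
        name = COUNTERS.get(sub_id)
        if name:
            counters[name] = int(m.group("val"))
    return counters


def counter_deltas(before, after):
    """Growth of each counter between two polls, correcting for Counter32 wrap."""
    deltas = {}
    for name, new in after.items():
        old = before.get(name)
        if old is None:
            continue
        delta = new - old
        if delta < 0:  # the counter wrapped past 2^32 between polls
            delta += COUNTER32_MODULUS
        deltas[name] = delta
    return deltas


def alerts(deltas, threshold=10):
    """Watched counters that grew by at least `threshold` in one interval."""
    return [(name, d) for name, d in sorted(deltas.items())
            if name in WATCHED and d >= threshold]


def check_snmp_group(poll_before, poll_after, threshold=10):
    """Convenience wrapper: two raw walk dumps in, list of (counter, growth) out."""
    return alerts(counter_deltas(parse_snmp_group(poll_before),
                                 parse_snmp_group(poll_after)), threshold)


# Constructed sample polls, a few minutes apart; not real device output.
POLL_1 = """
.1.3.6.1.2.1.11.1.0 = Counter32: 14723
.1.3.6.1.2.1.11.2.0 = Counter32: 14701
.1.3.6.1.2.1.11.3.0 = Counter32: 0
.1.3.6.1.2.1.11.4.0 = Counter32: 2
.1.3.6.1.2.1.11.5.0 = Counter32: 0
.1.3.6.1.2.1.11.6.0 = Counter32: 4294967290
"""
POLL_2 = """
.1.3.6.1.2.1.11.1.0 = Counter32: 16034
.1.3.6.1.2.1.11.2.0 = Counter32: 14715
.1.3.6.1.2.1.11.3.0 = Counter32: 37
.1.3.6.1.2.1.11.4.0 = Counter32: 2
.1.3.6.1.2.1.11.5.0 = Counter32: 1
.1.3.6.1.2.1.11.6.0 = Counter32: 8
"""

if __name__ == "__main__":
    for name, growth in check_snmp_group(POLL_1, POLL_2):
        print(f"ALERT: {name} grew by {growth} since last poll")
```

In the sample data snmpInASNParseErrs wraps from just under 2^32 to 8, which a naive subtraction would report as a huge negative number; the wrap correction turns it into the real growth of 14. Note that these counters only count what the agent managed to account for: a request that crashes the agent outright may never be reflected, so a device that stops answering polls is itself worth alerting on.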



    This archive was generated by hypermail 2b30 : Tue Feb 12 2002 - 18:06:20 PST