“Vulnerabilities in SNMP Implementations”
CSCI 5931 - Web Security
Instructor: Dr. Andrew Yang
Presented by: Harini Varatharajan


1 “Vulnerabilities in SNMP Implementations”
CSCI 5931 - Web Security
Instructor: Dr. Andrew Yang
Presented by: Harini Varatharajan

2 Introduction to SNMP
- What is SNMP?
- SNMP Components
- Agents (Managed device)
- Managers (Management Entity)
- Network Management System (NMS)
- SNMP Management Information Base

3 SNMP Architecture

4 SNMP Communications
- Protocol Data Unit (PDU) message type
- GetRequest
- GetNextRequest
- GetResponse
- SetRequest
- Traps
- UDP Port 161 for Gets and Sets
- UDP Port 162 for Traps

5 Why the Concern about Vulnerability?
- CERT/CC SNMP Advisory
  - Issued Feb 12th, 2002
  - Identified multiple vulnerabilities
- OUSPG PROTOS Project
  - Tested HTTP, WAP/WSP, LDAP and SNMP
  - Additional protocol testing will follow
- SNMP is a huge target
  - Nearly every device from every vendor could be affected
  - Many exploits are theoretically possible
  - A few exploits work now
  - More exploits will be developed

6 SNMP Problems
- Community String access modes
- READ-ONLY
- READ-WRITE
- Passed in clear text
- Limited error handling
- Additional exceptions must be handled by vendor’s implementation
  - Violations to Basic Encoding Rules of ASN.1
  - Invalid variable types
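
Added example (not part of the original slides): a strict parser for the outer header of an SNMPv1 datagram. It shows that the community string travels in clear text and that BER length violations are rejected rather than trusted. All names, the sample packet and the malformed variant are constructed for illustration.

```python
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}  # SNMPv1 PDU tags
DEFAULT_COMMUNITIES = {b"public", b"private"}   # common vendor defaults

class BERError(ValueError):
    """Raised instead of trusting a malformed length or unexpected type."""

def read_tlv(buf, pos):
    """Return (tag, value, next_pos), refusing any length that overruns buf."""
    if pos + 2 > len(buf):
        raise BERError("truncated tag/length")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length is this byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise BERError("indefinite, oversized or truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if length > len(buf) - pos:
        raise BERError("declared length exceeds data received")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(datagram):
    """Parse version, community and PDU type of one SNMPv1 datagram."""
    tag, body, end = read_tlv(datagram, 0)
    if tag != 0x30 or end != len(datagram):
        raise BERError("message is not exactly one SEQUENCE")
    tag, version, pos = read_tlv(body, 0)
    if tag != 0x02 or len(version) != 1:
        raise BERError("version is not a one-byte INTEGER")
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise BERError("community is not an OCTET STRING")
    tag, _pdu, pos = read_tlv(body, pos)
    if tag not in PDU_NAMES or pos != len(body):
        raise BERError("unknown PDU type or trailing bytes")
    return {"version": version[0], "community": community, "pdu": PDU_NAMES[tag],
            "default_community": community in DEFAULT_COMMUNITIES}

# Constructed sample: SNMPv1 GetRequest for sysDescr.0 with community "public".
SAMPLE = bytes.fromhex("302602010004067075626c6963" "a019020101020100020100"
                       "300e300c06082b060102010101000500")
# Constructed malformed variant: outer length field claims 0xFFFFFFFF bytes.
MALFORMED = b"\x30\x84\xff\xff\xff\xff" + SAMPLE[2:]

if __name__ == "__main__":
    print(parse_snmp_header(SAMPLE))
```

The community string is read straight out of the datagram bytes with no key, which is what "passed in clear text" means in practice for anyone able to observe the traffic.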

7 Where the Vulnerabilities Are?
- Trap handling
- Request handling
- What makes things worse?
- Insecure settings
- Spoofing

8 Impact
- Denial of service attacks
- Format String Vulnerability
- Unstable behaviors
- Unauthorized privileged access
- Buffer overflows
  - Crash SNMP agent
  - Reboot device
  - Overwrite valid SNMP variables
  - Overwrite other applications or OS
  - Allow unauthorized access

9 Solutions
- SNMP scanners
- SNScan: Windows-based utility by Foundstone
- CERT Advisory Implications
- Apply patch from vendor
- Disable SNMP service
- Ingress filtering
- Egress filtering
- Filter SNMP traffic from non-authorized internal hosts
- Change default community strings
- Update signatures from vendors
- Segregate SNMP traffic onto a separate management network

10 Solutions
- Other Solutions
- Protect Network perimeter
- Protect Management systems
- Manage Community strings
- Eliminate or protect other access
- Limit Network access
- Watch for uncharted access and services
- Play it safe with vendors, partners, customers and employees

11 Will SNMPv3 Help?
- Advantages
  - Improved authentication and access control
  - Encryption of SNMP packets
  - Remote management of SNMP agents
- Disadvantages
  - Additional overhead
  - RFCs have yet to be adopted as a standard
  - Few vendors have working implementations in their hardware/software
  - Existing implementations may still be vulnerable to buffer overflow exploits

12 The Bottom Line
- SNMP exploits are real
- Integration of network management and security is imperative
- Time to rethink overall network management strategy, including architecture, applications and future direction.

13 References
- “CERT Advisory CA-2002-03: Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP),” 12 Feb. 2002 (current 11 March 2002).
- “PROTOS: Security Testing of Protocol Implementations,” 19 July 2001 (current 11 March 2002).
- “PROTOS Test-Suite: c06-snmpv1,” 12 Feb. 2002 (current 11 March 2002).
- “M-042: Multiple Vulnerabilities in Multiple Implementations of SNMP,” 12 Feb. 2002 (current 11

14 Questions?

