SNMP Devices Open to Attacks

Security flaws threaten key network protocol

The security of Simple Network Management Protocol services was thrown into doubt last week by a warning that hundreds of hardware and software products with built-in support for SNMP are vulnerable to attack.

Security analysts had blunt advice for IT managers: Fix your SNMP-based installations immediately if you need them and can get patches from vendors, or else shut down the network-monitoring services.

The flaws exist in products from numerous vendors and can be exploited by malicious hackers to launch denial-of-service attacks or gain unauthorized access to systems, according to an advisory from the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.

"Lots of devices from every single vendor we deal with are affected," said Matt Kesner, chief technology officer at Fenwick & West LLP, a law firm in Palo Alto, Calif. "I can't imagine a broader problem."

Because of the widespread nature of the threat, analysts said firms that use SNMP need to take immediate action. "This is one of those 'pull the emergency cord, go fix it today' kinds of emergencies," said analyst Bill Gassman at Gartner Inc. in Stamford, Conn.

But some vendors, including Cisco Systems Inc., Hewlett-Packard Co. and Microsoft Corp., are still working on patches. "There are patches out there for a lot of products, but not [for] all," said Marty Lindner, an incident-handling team leader at CERT.

SNMP services let network administrators remotely monitor and configure devices such as routers and switches. CERT said the vulnerabilities that have been identified result from differences in the methods vendors use to receive, decode and process SNMP service requests. Many of the processes are flawed and can produce denial-of-service conditions and buffer overflows that could be used by attackers.

Concerns have been raised in the past about the security of SNMP, and many IT managers don't enable the technology in their systems as a result. But for those who do, Kesner said, identifying affected products and applying the required fixes could be a challenge, especially on large networks.

"It is an extremely major problem," said Josh Turiel, network services manager at Holyoke Mutual Insurance Co. in Salem, Mass. "The more intricate your network is, the more exposed you are."

According to Lindner, just figuring out whether installed systems are compromised will take work. "It depends on how you have a particular product deployed," he said. "It may or may not be vulnerable. The combinations are complex."

If patches aren't available from vendors yet, it may be best to disable SNMP services, CERT said. But in some cases, companies will need to filter externally initiated network traffic to fully protect themselves, even if their SNMP services are disabled. CERT also recommended other steps IT managers can take to mitigate the risk of attacks. Such measures can degrade network services but should still be taken, Gassman said.

Turiel said Holyoke Mutual plans to apply patches to all the SNMP-based products on its network, even those that don't have the protocol enabled.

Merit Networks Inc., an Internet service provider in Ann Arbor, Mich., has disabled many of its SNMP services, said Jeff Ogden, director of high-performance networks at Merit. But it's installing patches and re-examining its network filters anyway, he said.

Copyright © 2002 IDG Communications, Inc.
