SNMP Vulnerability Offers 3,200 Reasons to Worry

A security hole that affects thousands of network devices, plus a new virus, set Vince Tuesday on edge

The past few weeks haven't been a complete disaster, but I have to dig deep to find the silver lining in recent events.

It started when the Finland-based University of Oulu's security research team released a series of vulnerability warnings about Simple Network Management Protocol (SNMP) v1 implementations. Last year, the team released a similar warning about the Lightweight Directory Access Protocol (LDAP) that was entirely accurate, so I was sure it was right again.

LDAP servers aren't that common—we have four, which we patched quickly. SNMP servers are a different story. Everything seems to come with an SNMP interface; I hear even some digital cameras are affected by SNMP problems. Certainly, every major system and network operating system is at risk.

We have 4,312 network devices. Of those, 75%—about 3,200—run SNMP and need to be patched. Luckily, we block SNMP from the outside world and don't publish anything to third parties via SNMP.

By the time you read this, however, I expect some bright spark will have written a chunk of malicious code that spreads via the SNMP bug and also uses Web sites or e-mail to propagate itself. Despite our excellent layered antivirus strategy, I'd be kidding myself if I didn't think it was possible for such code to get into the company. And once it got there—ouch!

THIS WEEK'S GLOSSARY

RFC1918: This Internet Engineering Task Force Request for Comments specifies the following three ranges of IP addresses exclusively for internal network use:

- 10.0.0.0 - 10.255.255.255 (10/8 prefix)
- 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
- 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Correctly configured Internet routers won’t allow packets within these address ranges through to the Internet. To allow internal computers to communicate with others outside the firewall, the router (or firewall) uses network address translation to associate internal addresses with valid external ones. For more information, visit www.faqs.org/rfcs/rfc1918.html.

LINKS:

The University of Oulu takes the spotlight again with its SNMP vulnerability warning. My advice: Find out what the university’s security team will investigate next and turn it off in your environment before the team releases its next report.

Read the details of the SNMP warning from the CERT Coordination Center at Carnegie Mellon University.

This useful summary at the Web site of Internet Security Systems Inc. lists network equipment vendors and their current status regarding the SNMP vulnerability.

Got the MSN IM virus? McAfee.com Corp. offers details on the virus and how to eradicate it.


Since almost every system, from desktops to servers and printers to networks, is vulnerable, this is one attack that could cripple everything. I'd rather not think about that; I just have to start the race to get the patches in or the SNMP servers disabled before a new virus appears.

We've also taken a closer look at SNMP probes of our firewalls to see if this weakness is already being attacked. Although there has been some growth in the number of probes, it hasn't been an explosive increase, like the one we saw in secure-shell probing when bugs were announced regarding CRC32 handling in the protocol.

We did detect one of our software providers trying to send thousands of SNMP traps to our central network-monitoring systems. It seems we sent the company an example of our configuration, including where to send alerts, for testing purposes. The provider has been using the configuration on a system that can see the Internet, and it's been merrily sending alerts to our firewall. As we renumber our internal networks to RFC1918 private address ranges rather than the Class B addresses we currently use, this kind of problem should disappear.
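To make the two observations above concrete, here is an added example (not from the column) that tallies dropped SNMP requests (udp/161) and traps (udp/162) per outside source from firewall drop-log lines, and separately flags any source that carries an RFC1918 private address on the outside interface, which a correctly configured upstream router should never forward. The log line format and the sample lines are constructed for this example and do not correspond to any particular firewall product.

```python
import ipaddress
import re
from collections import Counter

# The three RFC 1918 ranges from the glossary above.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# SNMP uses udp/161 for get/set requests and udp/162 for traps.
SNMP_PORTS = {161: "snmp-request", 162: "snmp-trap"}

# Hypothetical drop-log line format, constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP (?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample: an SNMP probe of two hosts, an unrelated SSH probe,
# a trap flood from one outside source, and a "private" source outside.
SAMPLE_LOG = """\
2002-02-18T10:01:02 DROP udp src=203.0.113.5:1025 dst=198.51.100.1:161
2002-02-18T10:01:03 DROP udp src=203.0.113.5:1025 dst=198.51.100.2:161
2002-02-18T10:01:09 DROP tcp src=203.0.113.9:40001 dst=198.51.100.1:22
2002-02-18T10:02:00 DROP udp src=203.0.113.77:2048 dst=198.51.100.1:162
2002-02-18T10:02:00 DROP udp src=203.0.113.77:2048 dst=198.51.100.1:162
2002-02-18T10:02:01 DROP udp src=203.0.113.77:2048 dst=198.51.100.1:162
2002-02-18T10:03:30 DROP udp src=10.4.4.4:3000 dst=198.51.100.1:161
"""

def is_rfc1918(addr):
    """True if addr lies in one of the three RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def summarize(log_text):
    """Count dropped SNMP requests and traps per source address, and collect
    sources that carry a private address on the outside interface."""
    counts = {kind: Counter() for kind in SNMP_PORTS.values()}
    private_sources = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "udp":
            continue  # not in our format, or not UDP, so not SNMP
        kind = SNMP_PORTS.get(int(m["dport"]))
        if kind is None:
            continue  # UDP to some other port
        counts[kind][m["src"]] += 1
        if is_rfc1918(m["src"]):
            private_sources.add(m["src"])
    return counts, private_sources
```

Run over a real drop log, a sudden jump in the per-source trap count is the "merrily sending alerts" pattern from the paragraph above, while a growing number of distinct request sources is the probing trend worth watching.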

An Insidious IM Virus

While we wait for the ax to fall with an automated exploit of the SNMP weaknesses, my thoughts have turned to other virus writers. In general, I pity and hate people who write viruses. The majority of virus code shows no particular skill and is obviously lifted wholesale from previous successful viruses. I'd much rather these people spent their time doing something constructive. I expect that the people who clean graffiti off subway trains have similar feelings toward vandals.

But I bet that those workers sometimes come across a piece of graffiti that transcends the medium and almost becomes art. The recent MSN Instant Messenger (IM) virus includes some impressive features, and I have to show some grudging respect to its author.

In an obvious display of originality, the virus uses a new medium to spread—in this case, IM. When initiated, the code sends a message to all your buddies telling them to visit a Web site. It also lets them know that if they're sick of these messages, they can go to another Web site to stop the invitations. The first Web site contains 60 lines of malicious JavaScript that takes advantage of an Internet Explorer bug to run without constraint and open the messaging software and spread further.

The unsubscribe site just takes you to the first site, ensuring that once you've infected all your buddies and their messages have flooded you, you reinfect yourself while trying to unsubscribe.

The code itself is better-written than most commercial code I buy. It checks to make sure that you're vulnerable and that you have the right version of IE before running so it doesn't pop up with errors that might help you realize you have a virus. If your security settings are configured so that it can't run, the virus shows you a "warning" and explains how to reduce your settings to supposedly get the most out of the site you're visiting.

I don't use IM myself, but several members of my team got hundreds of copies of the message, which spreads quickly. This version doesn't do anything other than propagate and disrupt IM communications, but because the code is freely available for download on the link sent to everyone, it won't be long before someone releases a destructive variant. To protect ourselves, I've pulled the plug on IM until we have patches in place.

But this week hasn't been all bad news. Yes, we are wide open to the SNMP bugs and will have to work hard to patch devices before the sky falls. Yes, a whole new arena of virus threats has been invented, meaning we have to disable a service until we can be certain it's safe. These are hardly victories in the war for a secure company. But at least we have been able to complete the next phase of our perimeter testing.

We had been using phone hacker Chris Lamprecht's ToneLoc program for phone testing, but the software isn't very user-friendly. Instead, we have just tested PhoneSweep from Sandstorm Enterprises Inc. in Cambridge, Mass. This professional tool allows us to scan and probe our private branch exchange and other lines to make sure no workers have connected via an unauthorized modem to bypass our firewall. Now we can focus on the next stage—wireless LAN identification and tracking—while our modems ring every number in the company.

This week's journal is written by a real security manager, "Vince Tuesday," whose name and employer have been disguised for obvious reasons. Contact him at vince.tuesday@hushmail.com or go to the Security Manager's Journal forum.
