[ale] SNMP newly discovered problems

Transam transam at cavu.com
Tue Feb 12 16:45:28 EST 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This reports newly discovered severe vulnerabilities in SNMP that have
existed for a long time in many vendors' products.  I pointed out in my
book that SNMP had many severe security problems and security experts
joke that SNMP=Security Not My Problem.

Best regards,

Bob Toxen, President
Fly-By-Day Consulting, Inc.           "Experts in Linux & network security"
Author,
"Real World Linux Security: Intrusion Detection, Prevention, and Recovery"
700 pages
Prentice Hall
November 2000
+1 770-662-8321 Office
- ------------- Advisory follows ------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8aYlmltNTPeOhxUARAnQQAJwOOU1JPtz0VPuhC/9CZIxKtsDh7QCdFWEZ
q7oV/nXF+c9n0pxPgNFwFi8=
=t/JQ
-----END PGP SIGNATURE-----

To: Bob Toxen (SD149501)
From: Alan Paller, Director of Research, The SANS Institute

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



SANS FLASH ALERT: Widespread SNMP Vulnerability
2:30 PM EST 12 February, 2002


Note: This is preliminary data! If you have additional information,
please send it to us at snmp at sans.org

In a few minutes wire services and other news sources will begin
breaking a story about widespread vulnerabilities in SNMP (Simple
Network Management Protocol).  Exploits of the vulnerability cause
systems to fail or to be taken over.  The vulnerability can be found in
more than a hundred manufacturers' systems and is very widespread -
millions of routers and other systems are involved.

Your leadership is needed in making sure that all systems for which you
have any responsibility are protected. To do that, first ensure that
SNMP is turned off. If you absolutely must run SNMP, get the patch from
your hardware or software vendor. They are all working on patches right
now. It also makes sense for you to filter traffic destined for SNMP
ports (assuming the system doing the filtering is patched).

To block SNMP access, block traffic to ports 161 and 162 for TCP and
UDP.  In addition, if you are using Cisco, block UDP for port 1993.

The problems were caused by programming errors that have been in the
SNMP implementations for a long time but were only recently discovered.

CERT/CC is taking the lead on the process of getting the vendors to get
their patches out.  Additional information is posted at
http://www.cert.org/advisories/CA-2002-03.html

Two final notes.

Note 1:  Turning off SNMP was one of the strong recommendations in the
Top 20 Internet Security Vulnerabilities that the FBI's NIPC and SANS
and the Federal CIO Council issued on October 1, 2001.  If you didn't
take that action then, now might be a good time to correct the rest of
the top 20 as well as the SNMP problem.  The Top 20 document is posted
at http://www.sans.org/top20.htm

Note 2:  If you have Cisco routers (that's true for 85% of our readers)
you are going to have to patch them to fix this problem. This is a great
time to make the other fixes that will protect your Cisco routers from
an increasingly common set of increasingly bad attacks.

A great new free tool will be announced on Thursday that checks Cisco
routers, finds most problems, and provides specific guidance on fixing
each problem it finds.  We've scheduled a web broadcast for Thursday
afternoon at 1 PM EST (18:00 UTC) to tell you about it and how to get
it.

Mark your calendar now and we'll supply complete data in tomorrow's
Newsbites and on the SANS web site tomorrow, as well.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org

iD8DBQE8aX8y+LUG5KFpTkYRAnzlAJ920GGAqfFGAcNhrMQs+7N7wjBrEgCgkZM7
63OGBNgmoFsv/aajLby5+7g=
=isBR
-----END PGP SIGNATURE-----

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
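Added example, not part of Bob Toxen's post or the SANS alert above.  The
alert's first instruction is to make sure SNMP is turned off, and the
quickest way to confirm that from outside a box is to send it one SNMPv1
GetRequest for sysDescr.0 with the default community "public" and see
whether anything comes back.  The Python below does that with hand-rolled
BER encoding.  Its parser checks every encoded length against the bytes
actually received before trusting it: the CERT advisory linked above
concerns agents and managers that mishandled malformed SNMPv1 messages, so
a checker you point at such devices should itself refuse to trust what a
reply claims about its own size.  The sample reply, the malformed reply
and the address in the usage note are constructed for this example, and
probe() is the only function that touches the network.

```python
# SNMPv1 exposure check: one GetRequest for sysDescr.0 plus a length-checking BER parser.
# Added example, not code from the SANS alert or the post; sample bytes below are constructed.
import socket

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30  # universal BER tags
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2                                     # SNMPv1 PDU tags

def tlv(tag, payload):                                   # short-form length only; see read_tlv
    if len(payload) >= 0x80:
        raise ValueError("payload too long for short-form length")
    return bytes([tag, len(payload)]) + payload

def encode_int(n):
    return tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # minimal, n >= 0

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]                       # first two arcs share one byte
    for arc in arcs[2:]:                                 # base 128, high bit = more follows
        groups = [arc & 0x7F]
        while arc >= 0x80:
            arc >>= 7
            groups.insert(0, 0x80 | (arc & 0x7F))
        out += groups
    return tlv(OID, bytes(out))

def build_get_request(community="public", oid="1.3.6.1.2.1.1.1.0", request_id=1):  # sysDescr.0
    varbind = tlv(SEQUENCE, encode_oid(oid) + tlv(NULL, b""))
    pdu = tlv(GET_REQUEST, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(SEQUENCE, varbind))                  # error-status, error-index = 0
    return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)

def read_tlv(data, pos, want=None):
    """Read one TLV at pos; every length is checked against the bytes actually present."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if want is not None and tag != want:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (want, tag))
    if length >= 0x80:                                   # long form: 0x80|n, then n length bytes
        n = length & 0x7F                                # n == 0 would be the indefinite form
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("indefinite or oversized length field")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("length %d exceeds %d remaining bytes" % (length, len(data) - pos))
    return tag, data[pos:pos + length], pos + length

def decode_oid(raw):
    if not raw or raw[-1] & 0x80:
        raise ValueError("empty OID or unterminated arc")
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_value(tag, raw):
    """INTEGER and OCTET STRING become Python values; other types stay as (tag, bytes)."""
    return (int.from_bytes(raw, "big", signed=True) if tag == INTEGER else
            raw.decode("latin-1") if tag == OCTET_STRING else (tag, raw))

def parse_response(data):
    """Parse a GetResponse into a dict; any malformed field raises ValueError."""
    _, msg, _ = read_tlv(data, 0, SEQUENCE)
    _, raw, pos = read_tlv(msg, 0, INTEGER)
    if decode_value(INTEGER, raw) != 0:
        raise ValueError("not an SNMPv1 message")
    _, community, pos = read_tlv(msg, pos, OCTET_STRING)
    _, pdu, _ = read_tlv(msg, pos, GET_RESPONSE)
    ints, p = [], 0
    for _ in range(3):                                   # request-id, error-status, error-index
        _, raw, p = read_tlv(pdu, p, INTEGER)
        ints.append(decode_value(INTEGER, raw))
    _, vbl, _ = read_tlv(pdu, p, SEQUENCE)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = read_tlv(vbl, q, SEQUENCE)
        _, oid_raw, r = read_tlv(vb, 0, OID)
        tag, value, _ = read_tlv(vb, r)
        varbinds.append((decode_oid(oid_raw), decode_value(tag, value)))
    return {"community": community.decode("latin-1"), "request_id": ints[0],
            "error_status": ints[1], "error_index": ints[2], "varbinds": varbinds}

def probe(host, community="public", timeout=2.0):
    """One GetRequest to host:161/udp.  None: no answer.  A dict: SNMP is on and accepts it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community), (host, 161))
        try:
            return parse_response(s.recvfrom(65535)[0])
        except socket.timeout:
            return None

# Constructed replies: a valid one (sysDescr.0 = "Test Agent 1.0") and one claiming a 127-byte
# community string inside a 6-byte message, which read_tlv() rejects instead of reading past it.
SAMPLE_RESPONSE = bytes.fromhex("303402010004067075626c6963a227020101020100020100301c301a"
                                "06082b06010201010100040e54657374204167656e7420312e30")
MALFORMED_RESPONSE = bytes.fromhex("3006020100047f70")
```

Call probe("192.0.2.10") (address constructed here) against a device that
is supposed to have SNMP disabled: None means nothing answered within the
timeout, a dict means the agent is running and accepts "public".  Run the
check from a host that the port 161/162 filters described above do not sit
in front of, otherwise the filter hides a still-running agent from the
scanner and the "off" result is false.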