Flaws in a popular network protocol may leave devices from desktops to routers open to an Internet attack.
Security flaws in Simple Network Management Protocol (SNMP) could allow attackers to gain control of systems or take down networks, according to the Computer Emergency Response Team (CERT) at Pittsburgh-based Carnegie Mellon University. SNMP allows users to remotely communicate with devices on a network. Everything from servers to routers to printers use the protocol.
"In security, being able to gain user privileges is about as bad as it gets," said Dennis Treece, director of ISS's X-Force Special Operations Group. "The ability make a network crash is also as bad as it gets."
The Oulu University Secure Programming Group (OUSPG) in Finland found the vulnerabilities in version 1of SNMP. The group notified CERT of the flaws last year. Since then, CERT has been working with vendors to address the vulnerabilities. So far, no reports of the vulnerabilities being exploited have surfaced.
Products from more than 200 vendors may contain the flaws. CERT reports the vulnerabilities in products from Microsoft, Hewlett-Packard, Cisco Systems, Novell, 3 Com and others. Some vendors have patches ready but others are still working on them (see box for a link to information about patches).
SNMP was released in the late '80s, hence security wasn't a major concern neither really was the Internet, Treece said. "But the house was built on a foundation of sponges," he said.
SMNPv1 still works very well, Treece said. In fact, 95% of devices still use it. SMNPv3 is more secure but upgrading to that is a time consuming and difficult process, Treece said.
CERT suggests disabling SNMP if not needed. Filtering ports 161/udp and 162/udp can help minimize the chances that the vulnerabilities will be exploited, CERT suggests.
Treece suggests users check with their vendors to make sure they didn't use any additional ports that may need to be blocked. Restricting external SNMP requests is another way to minimize exploitation.
In the long term, shops should consider upgrading to SNMPv3, but that won't be easy, Treece said. "It's like having to upgrade all your systems from Windows 95 to Windows XP right now," he said.