Networking and security professionals are taking the security flaw in the Simple Network Management Protocol (SNMP) seriously, an informal survey by SearchSecurity has found.
Last month, the Computer Emergency Response Team (CERT) at Pittsburgh-based Carnegie Mellon University announced a security flaw in SNMP. The protocol allows users to communicate with network devices, like printers, routers and servers, but the flaw could allow attackers to gain control of systems.
CERT's alert was released before some vendors had produced patches for the vulnerability. But virtually all users contacted by SearchSecurity said their vendors were forthcoming with them.
"Let's face it, the CERT advisory that announced the vulnerabilities received a good amount of press," said Kevin Schmidt, lead software engineer at GuardedNet of Atlanta. "It's not going to be easy for a company to hide it if they have buggy SNMP software."
The Oulu University Secure Programming Group (OUSPG) in Finland found the vulnerabilities in version 1 of SNMP. The group notified CERT of the flaws last year. No reports of the vulnerabilities being exploited have surfaced.
To aid the creation of patches, vendors were able to test their products with the PROTOS SNMP attack tool developed by OUSPG. The tool can be used to assess SNMP weaknesses.
Yet, even if a company has a patch ready, installing it on all the devices may not be possible in a timely fashion, Schmidt said.
"So a company may decide to turn off SNMP on a router or use routing tricks that allow only traffic from known hosts (typically only management stations) to access the router's SNMP agent," Schmidt said. "Once all the routers have been upgraded, then network management can resume as normal."
But some users didn't wait for their software vendors to release a patch before doing something. "We've installed router filters that limit SNMP access. We've done some more things behind the scenes too," said Elbert LaGrew, network services manager with the Minnesota Department of Health. "You can't be too careful about any vulnerability."
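The interim measure described above, limiting SNMP access to known management stations, can be checked against a router configuration. The following is an added example, not code from the article or from any vendor; it assumes Cisco IOS-style `access-list` and `snmp-server community` syntax, and the addresses, community names and management-station list are constructed.

```python
import ipaddress
import re

# Constructed sample config. Cisco IOS-style syntax is an assumption;
# addresses are documentation ranges and community names are made up.
SAMPLE_CONFIG = """\
access-list 10 permit host 192.0.2.10
access-list 10 permit 192.0.2.11
access-list 20 permit any
access-list 30 permit 198.51.100.0 0.0.0.255
snmp-server community monitor-a RO 10
snmp-server community monitor-b RO
snmp-server community monitor-c RW 20
snmp-server community monitor-d RO 30
"""
MGMT_STATIONS = {"192.0.2.10", "192.0.2.11"}  # hypothetical management stations

ACL_RE = re.compile(r"access-list (\d+) permit (?:host )?(\S+)(?: (\S+))?$")
SNMP_RE = re.compile(r"snmp-server community (\S+)(?: (?:RO|RW))?(?: (\d+))?$", re.I)

def to_network(addr, wildcard):
    """Convert an address plus IOS wildcard (inverted netmask) to a network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard or "0.0.0.0")))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit_snmp(config, mgmt_stations):
    """Return {community: finding} for communities not limited to mgmt_stations."""
    allowed = {ipaddress.ip_address(a) for a in mgmt_stations}
    lines = [ln.strip() for ln in config.splitlines()]
    acls = {}  # ACL number -> permitted networks (deny lines are ignored here)
    for m in filter(None, map(ACL_RE.match, lines)):
        acls.setdefault(m.group(1), []).append(to_network(m.group(2), m.group(3)))
    findings = {}
    for m in filter(None, map(SNMP_RE.match, lines)):
        name, acl = m.groups()
        if acl is None:
            findings[name] = "no ACL bound, any source may query the agent"
        elif acl not in acls:
            findings[name] = f"ACL {acl} has no permit entries in this config"
        else:
            extra = [str(n) for n in acls[acl]
                     if not (n.prefixlen == 32 and n.network_address in allowed)]
            if extra:
                findings[name] = "ACL permits more than the management stations: " + ", ".join(extra)
    return findings

if __name__ == "__main__":
    for community, finding in audit_snmp(SAMPLE_CONFIG, MGMT_STATIONS).items():
        print(f"{community}: {finding}")
```

Only the community bound to an ACL listing exactly the management stations passes; the unbound community, the `permit any` ACL and the whole-subnet ACL are each reported.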
The SNMP flaws found were specific to SNMP v.1. The newest version of the protocol, SNMP v.3, is much more secure. "We've considered it. However, many of the processes we have in place are v.1 specific. We need to plan a migration very carefully," LaGrew said.
Many users, however, find the early version, which dates back to the pre-Web days of the late '80s, still works fine for them. Moreover, migrating to SNMP v.3 is tricky, as a lot of products don't support it.
"Most of my network and security software doesn't require it. Why install something you don't use?" said Greg Kilgore, owner of Network Wizards in Keizer, Oregon. "Besides, it's just another security hole that I must patch or plug."
Some users have denied SNMP at border firewalls for some time. "It has never been truly secure," said Stan Hoffman, senior network engineer for Houston-based RealEC Technologies, an e-commerce firm.