Bad Packets: SNMP risk? Neil Diamond knew
By Wes Simonds
14 Feb 2002, searchNetworking
On Tuesday, my girlfriend, who is well under 60, demanded that we attend a Neil Diamond concert. And so we did.
I had been dreading this event because of the following lyrics from Diamond's 1971 hit "I Am, I Said," which go as follows:
"I am!" I said
To no one there
And no one heard at all
Not even the chair.
Now, I'm the type of guy who cannot listen to these words without a hideous grimace contorting my features as I attempt to stymie what might be -- what surely would be -- politically incorrect laughter.
On this occasion my stymie algorithm did not succeed. Mr. Diamond overwhelmed it by having a stool brought onto stage with him and delivering his song to it.
Despite my best efforts to think about other things, all I could imagine was an SNMP-savvy chair, which could indeed listen, and subsequently respond to a chair administrator with a status update, thus:
I'm good... I'm good... I'm good... Neil Diamond has concluded that he exists... He's telling me about it... I'm pretending I can't hear... I'm ignoring him... He's giving up... He's stopping... I'm good... I'm good...
The irony is of course that the same day, February 12, CERT released an advisory stating in no uncertain terms that SNMP, never considered a particularly secure protocol as protocols go, was now known to be quite vulnerable to attack.
It appears that in the second half of last year, researchers at Oulu University in Finland, in an attempt to verify the fundamental integrity of basic network operations there, discovered that SNMP was susceptible to assault -- that SNMP-aware devices could sometimes be brought down remotely, and far worse, that in some cases rogue code could actually then be installed and executed on them.
Who's affected? Practically everybody. The list of vendors currently shipping products that feature SNMP includes almost every blue-chip name in the industry: 3Com, Caldera, Cisco Systems, Compaq, Hewlett Packard, IBM, Juniper Networks, Sun Microsystems, Microsoft, Lucent, Nokia and Network Associates, among others.
Do you use anything from those guys? Oh yes, you certainly do.
It's pretty obvious the S in SNMP doesn't stand for secure. In fact it stands for Simple, of course -- an adjective that at once explains the protocol's widespread popularity and its current vulnerability. Therein lies the underlying design flaw in the security architecture of many of today's best-known protocols: They were often designed as quick and dirty answers to an immediate need, but have since been deployed as industrial-strength corporate solutions.
In the case of SNMP, this problem is compounded specifically because it's so old and so well established. SNMP has actually been around as long as some of the hackers who might attack it today -- almost fourteen years. Newer versions exist, but most of the installed base is still at version one. And version one is really all about basic reporting functionality, not encryption and authentication.
This looks bad in today's security-conscious arena, but on the other hand, SNMP has never before been at the heart of a serious security problem. And so vendors, trusting that the protocol isn't going to lead to grief, have rolled it into their firmware and operating systems for years.
Until now, nobody's thought of SNMP as a weak point in the chain of net security largely because the data it involves simply isn't mission-critical. If Neil Diamond's chair stops reporting its status, the show still goes on.
But (to pursue this metaphor further than is really wise) the show is clearly going to be in a certain amount of trouble if a hacker can compromise the chair from a thousand miles away and install an invisible whoopee cushion of his own sinister design.
This isn't pretty, folks. If you have SNMP devices -- and you do -- you're going to need to move quickly if you want to head off the possibility of a protocol-level attack that could result in downed routers, switches, Web servers, and other hardware solutions that are absolutely mission-critical to your operations. While in the past this column has typically focused on security failures as an unfortunate consequence of one particular company's shortcomings in software design, this is bigger and badder than all the other security issues I've written about combined.
Here's what you can do: Get and install the stream of forthcoming patches from vendor sites. Filter out unusual internal SNMP traffic. Give a hard look to shutting down SNMP on those devices for which monitoring won't really be that essential for the next few days, but also be aware of this critical line from the CERT advisory:
"Unfortunately, some of the affected products exhibited unexpected behavior or denial of service conditions... even if SNMP was not enabled."
If you're pressed for time, consider shutting down the devices themselves.
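As an added example (not from the column or from CERT), here is a defender-side check for the "filter out unusual internal SNMP traffic" step above: it scans constructed flow-log lines for UDP/161 and UDP/162 traffic and flags anything that is not an approved SNMP manager talking to the internal network. The key=value log format, the manager list and the addresses are all assumptions made for the example.

```python
import ipaddress
import re

# SNMP agents listen on UDP/161; managers receive traps on UDP/162.
SNMP_PORTS = {161, 162}
# Constructed flow-log lines in a simple key=value form (sample data, not from the column).
SAMPLE_LOG = """\
2002-02-12 09:00:01 src=10.0.0.5 dst=10.0.1.9 proto=udp sport=1029 dport=161
2002-02-12 09:00:02 src=10.0.1.9 dst=10.0.0.5 proto=udp sport=161 dport=1029
2002-02-12 09:00:03 src=10.0.7.44 dst=10.0.1.9 proto=udp sport=42000 dport=161
2002-02-12 09:00:04 src=198.51.100.7 dst=10.0.1.9 proto=udp sport=5000 dport=161
2002-02-12 09:00:05 src=10.0.1.9 dst=10.0.7.44 proto=udp sport=1030 dport=162
2002-02-12 09:00:06 src=10.0.7.44 dst=10.0.1.9 proto=tcp sport=42001 dport=80
"""

LINE_RE = re.compile(r"(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"proto=(?P<proto>\w+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)")


def parse_line(line):
    """Return one flow record as a dict, or None if the line is not in the expected form."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def find_unusual_snmp(log_text, managers, internal_net):
    """Return (timestamp, src, dst, dport, reason) for each SNMP flow that arrives
    from outside internal_net, queries an agent (161) from a host that is not an
    approved manager, or delivers a trap (162) to a host that is not a manager."""
    managers = {ipaddress.ip_address(m) for m in managers}
    net = ipaddress.ip_network(internal_net)
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "udp" or rec["dport"] not in SNMP_PORTS:
            continue  # unparseable line, or not SNMP at all
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        reason = None
        if src not in net:
            reason = "external source"
        elif rec["dport"] == 161 and src not in managers:
            reason = "request from non-manager"
        elif rec["dport"] == 162 and dst not in managers:
            reason = "trap to non-manager"
        if reason:
            flagged.append((rec["ts"], rec["src"], rec["dst"], rec["dport"], reason))
    return flagged
```

Run against the sample with `find_unusual_snmp(SAMPLE_LOG, ["10.0.0.5"], "10.0.0.0/8")`, it flags the internal non-manager query, the external query, and the trap sent to a non-manager, and ignores the legitimate manager exchange and the non-SNMP flow.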
And don't forget that Neil Diamond saw it all coming in 1971.