Interesting People mailing list archives

IP: More on Precautions Against SNMP Vulnerability -- a must read re vulnerability of the net


From: Dave Farber <dave () farber net>
Date: Fri, 15 Feb 2002 19:02:49 -0500


------ Forwarded Message
From: Karl Auerbach <karl () cavebear com>
Date: Fri, 15 Feb 2002 15:51:57 -0800 (Pacific Standard Time)
To: farber () cis upenn edu
Subject: Re: IP: Precautions Against SNMP Vulnerability


I don't know if you are aware of this, but back in the mid 1980's I
founded Epilogue Technology Corporation.  Epilogue eventually became one
of the two dominant providers of SNMP for embedded systems.  I wrote the
original version of that SNMP code and there are now several million
copies out there.

So if there's somebody to blame, point at me.  ;-)

(Excuse time:  I know that I put a fair amount of cross-checking into my
implementation of SNMP back in 1987.  Apparently I didn't do enough.  But
then again, I haven't been associated with the software, nor made even a
dime from it, since about 1991.)

But back to the real issue at hand - the matter isn't simple.

SNMP, despite the "S", meaning "simple", in its name, is hardly a simple
protocol at all.  In fact it is quite complex and is very easy to
mis-implement.

(SNMP version 1 really never claimed to be secure - the phrase
"SNMP - Security Not My Problem" is not at all inappropriate, at least
when applied to SNMP version 1.  SNMP version 3 is another matter
entirely.)

The recent announcements from the University of Oulu in Finland of SNMP
vulnerabilities reflect part of the hidden non-simplicity of SNMP.  But
the University of Oulu work reflects only a relatively small part of the
matter.

SNMP is constructed on an arcane and complicated relic from the OSI wars -
ASN.1/BER.  It is extremely easy to mis-implement ASN.1/BER.  And it was
this layer of SNMP that the University of Oulu exercised.

It is hard to do deterministic testing of ASN.1/BER - a frequent result
is the full or partial failure of the SNMP software and perhaps of the
system in which it is embedded.  (Because SNMP agents are used for
"management" they are often privileged software and thus their faults
often ramify to other parts of the system.)

But there's another aspect of SNMP, an aspect that is of perhaps greater
gravity than the ASN.1/BER issues uncovered by the University of Oulu.
This aspect is that of the quality of implementation of the overall
protocol itself and of the way it is embedded into a device.

Why is this of greater gravity?  Because once one gets past the standard
problems of insufficient data format checking and buffer overruns, which
is largely what the University of Oulu discovered - there is the bigger
issue of misimplementation of the protocol itself.

I am associated with a company, InterWorking Labs (http://www.iwl.com/),
that does protocol testing of SNMP.  What has been seen over and over
again is that even if people get the ASN.1/BER stuff at least partially
right, there are still often great weaknesses in the protocol operation
and, even more frequently, in the interaction of the SNMP code with the
Management Information Bases (MIBs).

These kinds of weaknesses manifest themselves in often more insidious ways
than the ASN.1/BER errors - rather than crashing systems (which is often a
reasonably obvious event) such weaknesses often are manifested as
erroneous control of a device.  To draw an analogy - I believe that once
Boeing shipped some 737's in which the left and right engine fire lights
were reversed.  Such could cause great trouble if a fire were to occur,
say while landing at a British airport, and the pilots were to shut down
the wrong engine.  It is true that the Internet has not yet reached the
stage of criticality of a flight control system.  Yet the Internet is
becoming a utility and an operator making a mistaken control change due to
mis-implemented SNMP is not all that unforeseeable.

SNMP version 3 is coming along, slowly, and it has the security that SNMP
version 1 lacks.  Yet, that security will be as thin as tissue - and will
provide equally little security - if it is mis-implemented.

As we have seen over and over again, large numbers of implementations of
other Internet protocols have been discovered to be vulnerable to the
same kinds of things that the University of Oulu exercised in SNMP - ill-
formed data.

What scares me is that SNMP is but one Internet protocol of many.  And
I've seen many misimplementations of the SNMP protocol that go well beyond
mere sensitivity to ill-formed data; I have no reason to doubt that other
Internet protocol implementations are equally subject to these more
sophisticated kinds of flaws.

I've gone on for a while here so let me finish up with a quick conclusion:

The bottom line is this: Much of the Internet is potentially a house of
cards, networking software has often not been subjected to much testing,
and if it has it is often same-kind-with-same-kind testing and only with
minimal testing of the error-mode kinds of protocol interactions.

We will probably never be able to do total and absolute testing of protocol
implementations but we can certainly do a lot better than we are doing
now.

        --karl--




------ End of Forwarded Message

For archives see:
http://www.interesting-people.org/archives/interesting-people/
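The ASN.1/BER layer the message above describes, as an added example that is not
Karl's code, Epilogue's, or anything from the University of Oulu work: a
bounds-checked BER tag-length-value decoder next to the naive length decode that
believes whatever the packet says, both run over constructed SNMPv1 datagrams
(not captured traffic) of the ill-formed kind the message discusses.  The error
names, the `ber_tlv` structure, and the `snmp_community` helper are this
example's own; the one rule stricter than the SNMP BER profile (rejecting a
length field wider than `size_t`) is marked as a policy choice in the code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Error codes of the bounds-checked decoder (names are this example's own). */
enum { BER_OK = 0, BER_TRUNCATED = 1, BER_INDEFINITE = 2, BER_OVERLONG = 3, BER_BAD_TAG = 4 };

typedef struct {
    uint8_t tag;           /* identifier octet */
    size_t len;            /* content length, already checked against the enclosing buffer */
    const uint8_t *value;  /* first content octet */
    size_t consumed;       /* header + content, i.e. where the next TLV starts */
} ber_tlv;

/* Naive length decode of the kind that causes trouble: it trusts the packet.
 * The caller here guarantees the length octets exist; an agent written this
 * way does not, and reads past the datagram, then copies `len` bytes. */
size_t ber_naive_len(const uint8_t *p) {
    uint8_t b = p[1];
    if (b < 0x80) return b;
    size_t nb = b & 0x7F, len = 0;
    for (size_t i = 0; i < nb; i++) len = (len << 8) | p[2 + i];
    return len;   /* 0xFFFFFFFF for the `huge` datagram below */
}

/* Bounds-checked decode of one tag-length-value triplet from n bytes at p. */
int ber_read_tlv(const uint8_t *p, size_t n, ber_tlv *out) {
    if (n < 2) return BER_TRUNCATED;
    if ((p[0] & 0x1F) == 0x1F) return BER_BAD_TAG;    /* multi-octet tag: SNMP never uses one */
    size_t hdr = 2, len;
    uint8_t b = p[1];
    if (b < 0x80) {
        len = b;                                       /* short form */
    } else {
        size_t nb = b & 0x7F;
        if (nb == 0) return BER_INDEFINITE;            /* 0x80: indefinite form, prohibited in SNMP */
        if (nb > sizeof(size_t)) return BER_OVERLONG;  /* policy choice: wider than size_t cannot describe a datagram */
        if (n - 2 < nb) return BER_TRUNCATED;          /* the length octets themselves are missing */
        len = 0;                                       /* non-minimal encodings are allowed by SNMP, so none rejected here */
        for (size_t i = 0; i < nb; i++) len = (len << 8) | p[2 + i];
        hdr += nb;
    }
    if (len > n - hdr) return BER_TRUNCATED;           /* content would run past the buffer */
    out->tag = p[0]; out->len = len; out->value = p + hdr; out->consumed = hdr + len;
    return BER_OK;
}

/* Pull the community string out of an SNMPv1 message:
 *   SEQUENCE { INTEGER version(0), OCTET STRING community, PDU ... }
 * Every inner read is bounded by the enclosing SEQUENCE, not by the datagram. */
int snmp_community(const uint8_t *msg, size_t n, char *out, size_t outsz) {
    ber_tlv seq, ver, comm;
    int rc = ber_read_tlv(msg, n, &seq);
    if (rc != BER_OK) return rc;
    if (seq.tag != 0x30) return BER_BAD_TAG;
    rc = ber_read_tlv(seq.value, seq.len, &ver);
    if (rc != BER_OK) return rc;
    if (ver.tag != 0x02 || ver.len != 1 || ver.value[0] != 0) return BER_BAD_TAG;
    rc = ber_read_tlv(seq.value + ver.consumed, seq.len - ver.consumed, &comm);
    if (rc != BER_OK) return rc;
    if (comm.tag != 0x04) return BER_BAD_TAG;
    if (comm.len >= outsz) return BER_OVERLONG;       /* would not fit together with the NUL */
    memcpy(out, comm.value, comm.len);
    out[comm.len] = '\0';
    return BER_OK;
}

/* Constructed datagrams for the demonstration (not captured traffic). */
const uint8_t good[]   = { 0x30,0x0B, 0x02,0x01,0x00, 0x04,0x06,'p','u','b','l','i','c' };
/* Long-form length claiming 4 GiB of content inside a 9-byte datagram. */
const uint8_t huge[]   = { 0x30,0x84,0xFF,0xFF,0xFF,0xFF, 0x02,0x01,0x00 };
/* Indefinite-length SEQUENCE, which the SNMP BER profile forbids. */
const uint8_t indef[]  = { 0x30,0x80, 0x02,0x01,0x00, 0x00,0x00 };
/* Length field says two more length octets follow; only one does. */
const uint8_t cut[]    = { 0x30,0x82,0x05 };
/* Outer SEQUENCE claims 4 content bytes, inner community claims 6 beyond them. */
const uint8_t nested[] = { 0x30,0x04, 0x02,0x01,0x00, 0x04,0x06,'p','u','b','l','i','c' };

int main(void) {
    char c[32];
    printf("good:   rc=%d community=%s\n", snmp_community(good, sizeof good, c, sizeof c), c);
    printf("huge:   naive len=%zu checked rc=%d\n", ber_naive_len(huge), snmp_community(huge, sizeof huge, c, sizeof c));
    printf("indef:  rc=%d\n", snmp_community(indef, sizeof indef, c, sizeof c));
    printf("cut:    rc=%d\n", snmp_community(cut, sizeof cut, c, sizeof c));
    printf("nested: rc=%d\n", snmp_community(nested, sizeof nested, c, sizeof c));
    return 0;
}
```

The `nested` case is the one worth lingering on: the datagram really does contain the
six community bytes, and a decoder that bounds each inner read by the datagram
length rather than by the length of the enclosing SEQUENCE accepts it, which is
exactly the "got the BER partially right" situation the message describes.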

