Interesting People mailing list archives

IP: Precautions Against SNMP Vulnerability


From: Dave Farber <dave () farber net>
Date: Fri, 15 Feb 2002 17:26:01 -0500


------ Forwarded Message
From: Lisa Disbrow <newsalert () lumeta com>
Organization: Lumeta Corporation
Date: Fri, 15 Feb 2002 16:49:54 -0500
To: "David J.Farber" <farber () cis upenn edu>
Subject: Precautions Against SNMP Vulnerability


***NEWS ALERT*** 
Precautions You Can Take to Mitigate SNMP Vulnerability

The Computer Emergency Response Team (CERT), the research organization at
Carnegie Mellon University, and the Oulu University Secure Programming Group
announced a series of very serious vulnerabilities in equipment that
responds to the Simple Network Management Protocol (SNMP). If exploited, it
is possible that routers across the global Internet could be crashed, suffer
serious performance degradation, or be commandeered.

Bill Cheswick, Chief Scientist of Lumeta Corporation and internationally
renowned security expert, described the vulnerability, "It involves very
complicated software. They probably haven't found all the problems with it,
and I suspect we'll be hearing more about this in the future."

"I have never seen a vulnerability of this magnitude to the Internet
itself," continued Cheswick. "It is conceivable that this could make large
parts of the Internet quite unreliable for quite a while. The vendors and
ISPs are scrambling to deal with this."

Cheswick, who co-wrote the book "Firewalls and Internet Security: Beware the
Wily Hacker," stated, "As a first step, companies should turn off SNMP on
any equipment that doesn't absolutely need it."

Cheswick continued, "To help protect the equipment that must be managed via
SNMP, companies should configure their firewalls to block SNMP traffic that
comes from outside their network. It isn't sufficient to change the SNMP
community strings."

"Although it doesn't entirely mitigate the risks identified in the advisory
released yesterday, companies should also identify those devices that
respond to 'public' or other common default community strings," said
Cheswick. "I think they will be shocked at how open they are. As part of
Lumeta's Network Discovery analysis, we look for routers that are open. Even
though many companies have a stated policy that their equipment should not
respond to public community strings, we typically find that between 10 and
30 percent of the SNMP-managed devices do respond. This shows the
difficulties of knowing the configuration of every SNMP device in a large
network, and it foreshadows the challenges companies will face rolling out
the fixes uniformly once the vendors issue patches that address these
vulnerabilities."

For more information on how to determine if your devices will respond to
public community strings please refer to http://www.lumeta.com/pc021402

Lumeta Corporation


------ End of Forwarded Message

For archives see:
http://www.interesting-people.org/archives/interesting-people/

