SNMP — all safe?


stop press

The initial noise that accompanied the SNMP vulnerabilities has started to die down, but just because it is quiet does not mean that all is safe. There may even be attacks that administrators do not notice, because not everyone may be able to recognize the signs of an SNMP attack. It is possible that malicious code that exploits the bug is being written right now, but maybe this time the vulnerability will be patched and fixed before the virus writers answer with a vicious attack.

Researchers at the Oulu University in Finland first uncovered the holes. Knowledge of the vulnerability was withheld from the public for a considerable time to give vendors the opportunity to release fixes and patches. Hundreds of products that rely on SNMP are affected, including routers, switches, servers, cable modems and firewalls.

The Simple Network Management Protocol (SNMP) is probably the most prevalent tool in existence. It was developed in 1988 by the Internet Engineering Task Force (IETF). It has since become the most widely used way to manage a mixed device network. Unfortunately the original SNMP architects didn’t include fundamental security features, for example encryption and authentication. Locating and patching all these instances of SNMP takes time, but if you don’t do it an attacker’s worm or virus could hit your system.

The CERT Coordination Center has released guidelines for enterprises to protect against potential attacks and released a list of companies whose products contain the vulnerabilities. Vendors that are affected include Microsoft, Sun Microsystems, 3Com, Cisco Systems and more. The CERT/CC announced that these vulnerabilities may enable unauthorized privileged access or denial-of-service attacks, or be responsible for unstable behaviour.

According to CERT, some precautions to be taken are as follows, but it is important that you weigh up the impact that these actions may have on your network operations:

• Install a vendor patch.
• Disable SNMP within the system.
• Filter SNMP traffic.

A variety of organizations have also produced tools and services to enable everyone to cope with the threat. Qualys, a security vulnerability assessment company, is willing to perform a free assessment to discover what systems are SNMP-enabled, what vulnerabilities occur and how to fix them. Foundstone Inc. has produced a tool, SNScan, which can be downloaded from http://www.foundstone.com/knowledge/free_tools.html. The tool discovers SNMP-enabled systems and assesses the threat. The CERT advisory, which is a very comprehensive knowledge source, can be found at http://www.cert.org/advisories/CA-2002-03.html.
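Locating every SNMP instance comes before any of the three CERT measures above can be applied. The sketch below is an added example, not taken from the article or from any of the tools it names: it reads UDP listener listings already collected from each host and reports which hosts have an SNMP port bound to a network-reachable address. The host names, the sample data and the `ss -H -uln` column layout (State, Recv-Q, Send-Q, Local, Peer) are assumptions; UDP 161 and 162 are the standard SNMP agent and trap ports.

```python
import ipaddress

SNMP_PORTS = {161: "agent (queries)", 162: "trap receiver"}  # standard SNMP UDP ports

# Constructed sample: `ss -H -uln` output collected from three hypothetical hosts.
SAMPLE = {
    "core-sw1": "UNCONN 0 0 0.0.0.0:161 0.0.0.0:*\nUNCONN 0 0 0.0.0.0:123 0.0.0.0:*",
    "web01":    "UNCONN 0 0 127.0.0.1:161 0.0.0.0:*\nUNCONN 0 0 [::]:53 [::]:*",
    "nms01":    "UNCONN 0 0 10.0.5.20:162 0.0.0.0:*\nUNCONN 0 0 [::]:161 [::]:*",
}

def parse_listeners(ss_output):
    """Yield (ip, port) for each UDP listener line; the local address is field 4."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        if addr == "*":                        # wildcard bind
            addr = "0.0.0.0"
        try:
            yield ipaddress.ip_address(addr), int(port)
        except ValueError:
            continue                           # header or unparsable entry

def snmp_exposure(inventory):
    """Return {host: [(port, role, network_reachable)]} for SNMP listeners only."""
    report = {}
    for host, output in inventory.items():
        for ip, port in parse_listeners(output):
            if port in SNMP_PORTS:
                row = (port, SNMP_PORTS[port], not ip.is_loopback)
                report.setdefault(host, []).append(row)
    return report

def hosts_needing_action(inventory):
    """Hosts with SNMP bound off-loopback: candidates to patch, disable or filter."""
    return sorted(host for host, rows in snmp_exposure(inventory).items()
                  if any(reachable for _, _, reachable in rows))

if __name__ == "__main__":
    for host, rows in snmp_exposure(SAMPLE).items():
        for port, role, reachable in rows:
            print(f"{host}: udp/{port} {role} network-reachable={reachable}")
    print("act on:", hosts_needing_action(SAMPLE))
```

A host that only listens on loopback, such as `web01` in the sample, still appears in the exposure report so it can be patched, but it is not flagged for filtering.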

Events Calendar

THE 2002 TECHNO SECURITY CONFERENCE
7-10 April 2002
Location: Myrtle Beach, CA, USA
Website: www.techsec.com/html/Conferences.html

INFORMATION SECURITY WORLD ASIA 2002
16-18 April 2002
Location: Singapore
Contact: Elizabeth Ho
Tel: +65 322 2709
Fax: +65 226 3264
E-mail: [email protected]
Website: www.isec-worldwide.com/isec_asia2002/

INFOSECURITY EUROPE
23-25 April 2002
Location: London, UK
Website: www.infosec.co.uk/page.cfm/NewSection=Yes

SOUTHWEST CYBERTERRORISM SUMMIT
4 May 2002
Location: Dallas, TX, USA
Website: www.dallascon.com

NORTH AMERICA CACS
5-10 May 2000
Location: San Francisco, CA, USA

SEC’2002; TC11
7-9 May 2002
Location: Cairo, Egypt
Email contact: [email protected] (Dr. Mahmoud El-Hadidi)
Website: http://www.sec2002.eun.eg

IEEE SYMPOSIUM ON SECURITY AND PRIVACY
12-15 May 2002
Location: Oakland, CA, USA
Website: www.ieee-security.org/TC/SP02/sp02index.html

NETSec
17-19 June 2002
Location: San Francisco, CA, USA
Tel: +1 415-947-6320
Email: [email protected]

CUTTING-EDGE HIGH TECH CRIME FIGHTING: BEST PRACTICES IN COMPUTER FORENSICS
17-18 June 2002
Location: Washington DC, USA
Tel: 800-280-8440
Email: [email protected]
Website: http://www.frallc.com/page733562.htm