Security Hole In SNMP
wiredog writes: "From ZDNET comes the news that there is apparently a serious security flaw in the Simple Network Management Protocol, used to control routers and other network devices." An anonymous reader points to the CERT advisory as well.
What I would like to know is why it took CERT so long to release this information.
:P
CERT has a 45 day release policy, which apparently they are ignoring!
Many vendors have apparently known of this issue since last Fall! A bit longer than the 45 day policy.
Well, yes and no. It sounds like there are some assumptions that are commonly made when processing traps. However, if someone wants to be malicious, those assumptions may not hold. But, the protocol isn't necessarily flawed. It just means that developers need to check their assumptions (like they should all the time).
"Let your heart soar as high as it will. Refuse to be average." - A. W. Tozer
From the article
The flaws were found last year by a project group at the University of Oulu in Finland, said Lindner. The group informed the CERT Coordination Center last summer, and the watchdog has been working since then to inform network hardware makers of the problems.
Isn't this like finding a gas tank that occasionally blows up and only telling the vendor (and thus a crime because deliberately withholding information that WILL save lives, and/or prevent a LOT of damage (i.e. not telling the police about a bomb in a car that you know of))?
This means that if you like to configure your routers using SNMPv1 and someone intercepts your UDP packet, they can read the community string (normally used as an ad hoc password) you use and have access to your NE (network element).
This is a common security failure with a LOT of telecom equipment. Normally, if you enable SNMP on your boxes, keep the configuration port (normally found outside of service ports) inside a private LAN and hope for the best!
And the kicker is, I work for a telecom company implementing SNMP solutions on OOSes and EMSes. Even after 5 years of SNMPv2 being out (SNMPv3 has also come out in the last few years), most NEs being produced on the market (save for the big boys -- Nortel, Cisco, etc) come with standard SNMPv1 management and configuration capabilities. Safe surfing.
Face it... if you must use SNMPv1, make sure the router configuration port is on a private LAN and not accessible to the service ports you are providing. And pray someone doesn't break through.
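Added example, not part of the original comments or of any vendor's code: a bounds-checked reader for the start of an SNMPv1/v2c message. It illustrates two points raised in the thread: every BER length is checked against the bytes actually received before use, and the community string sits in the datagram as plain bytes. The names `ber_header` and `snmp_peek` and both sample datagrams are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: SNMPv1 GetRequest for sysDescr.0, community "public". */
static const uint8_t SAMPLE_V1[] = {
    0x30,0x26, 0x02,0x01,0x00, 0x04,0x06,'p','u','b','l','i','c', 0xa0,0x19,
    0x02,0x01,0x01, 0x02,0x01,0x00, 0x02,0x01,0x00, 0x30,0x0e, 0x30,0x0c,
    0x06,0x08,0x2b,0x06,0x01,0x02,0x01,0x01,0x01,0x00, 0x05,0x00 };
/* Constructed malformed sample: community length (0x7f) exceeds the datagram. */
static const uint8_t SAMPLE_BAD[] = {
    0x30,0x0b, 0x02,0x01,0x00, 0x04,0x7f,'p','u','b','l','i','c' };
static char g_comm[64];   /* output buffer for the extracted community */

/* Read one BER tag/length at buf[*pos]; 0 on success, -1 if malformed. */
static int ber_header(const uint8_t *buf, size_t len, size_t *pos,
                      uint8_t *tag, size_t *vlen)
{
    if (len - *pos < 2) return -1;
    *tag = buf[(*pos)++];
    uint8_t b = buf[(*pos)++];
    *vlen = b;
    if (b & 0x80) {                      /* long form: next n bytes hold the length */
        size_t n = b & 0x7f;
        if (n == 0 || n > 4 || len - *pos < n) return -1;
        for (*vlen = 0; n--; ) *vlen = (*vlen << 8) | buf[(*pos)++];
    }
    return *vlen <= len - *pos ? 0 : -1; /* claimed length must fit what was received */
}

/* Returns 0 (SNMPv1) or 1 (SNMPv2c) and copies the cleartext community into
 * comm; returns -1 for malformed input or any other version. */
int snmp_peek(const uint8_t *buf, size_t len, char *comm, size_t comm_sz)
{
    size_t pos = 0, vlen, end; uint8_t tag;
    if (ber_header(buf, len, &pos, &tag, &vlen) || tag != 0x30) return -1;
    end = pos + vlen;                    /* never read past the outer SEQUENCE */
    if (ber_header(buf, end, &pos, &tag, &vlen) || tag != 0x02 || vlen != 1) return -1;
    int version = buf[pos++];
    if (version > 1) return -1;
    if (ber_header(buf, end, &pos, &tag, &vlen) || tag != 0x04) return -1;
    if (vlen >= comm_sz) return -1;      /* bound by our buffer, not the sender's claim */
    memcpy(comm, buf + pos, vlen);
    comm[vlen] = '\0';
    return version;
}

int main(void)
{
    int v = snmp_peek(SAMPLE_V1, sizeof SAMPLE_V1, g_comm, sizeof g_comm);
    printf("sample: version field %d, community \"%s\"\n", v, g_comm);
    return snmp_peek(SAMPLE_BAD, sizeof SAMPLE_BAD, g_comm, sizeof g_comm) == -1 ? 0 : 1;
}
```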
Actually, that's not true. Of a survey I recently took of SNMP users, 33% did use SNMPv3 and what's even better is that 15% of the total didn't use v1 at all.
People are beginning to use v3 as the product vendors are beginning to ship it in the majority of the products. Unfortunately, it's still not "all", as you well know.
(and as for dnssec, the reason it can't be used effectively now is that verisign won't let it be used because they refuse to sign the .com/.org/.net roots)