“Vulnerabilities in SNMP Implementations”
CSCI 5931 - Web Security
Instructor: Dr. Andrew Yang
Presented By: Harini Varatharajan

Introduction to SNMP

What is SNMP?
SNMP Components
– Agents (Managed device)
– Managers (Management Entity)
– Network Management System (NMS)
SNMP Management Information Base

SNMP Architecture

SNMP Communications

Protocol Data Unit (PDU) message type
– GetRequest
– GetNextRequest
– GetResponse
– SetRequest
– Traps
UDP Port 161 for Gets and Sets
UDP Port 162 for Traps

Why the Concern about Vulnerability?

CERT/CC SNMP Advisory
– Issued Feb 12th, 2002
– Identified multiple vulnerabilities
OUSPG PROTOS Project
– Tested HTTP, WAP/WSP, LDAP and SNMP
– Additional protocol testing will follow
SNMP is a huge target
– Nearly every device from every vendor could be affected
– Many exploits are theoretically possible
– A few exploits work now
– More exploits will be developed

SNMP Problems

Community String access modes
– READ-ONLY
– READ-WRITE
– Passed in clear text
Limited error handling
– Additional exceptions must be handled by vendor’s implementation
  – Violations of the Basic Encoding Rules of ASN.1
  – Invalid variable types
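
Added example (not part of the original slides): a bounds-checked reader for the BER-encoded header of an SNMPv1/v2c message. It shows the length checks an implementation has to make for itself, and that the community string can be read straight out of the datagram. The function names, the sample packets and the 64-byte buffer are assumptions made for this illustration; "public" and "private" are the conventional default community strings.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read one BER TLV header at buf[*pos]; -1 if the tag is wrong or the length overruns buf. */
static int ber_header(const uint8_t *buf, size_t len, size_t *pos, uint8_t tag, size_t *vlen)
{
    if (len - *pos < 2 || buf[*pos] != tag) return -1;
    uint8_t b = buf[*pos + 1];
    *pos += 2;
    *vlen = b;                               /* short form: one length octet */
    if (b & 0x80) {                          /* long form: low 7 bits count the octets */
        size_t n = b & 0x7f;
        if (n == 0 || n > 2 || len - *pos < n) return -1;  /* indefinite or oversized */
        for (*vlen = 0; n--; ) *vlen = (*vlen << 8) | buf[(*pos)++];
    }
    return *vlen <= len - *pos ? 0 : -1;     /* declared length must fit what was received */
}

/* Copy the community string of an SNMPv1/v2c message into out; -1 if malformed or too long. */
int snmp_community(const uint8_t *pkt, size_t len, char *out, size_t outsz)
{
    size_t pos = 0, vlen;
    if (ber_header(pkt, len, &pos, 0x30, &vlen)) return -1;               /* SEQUENCE */
    len = pos + vlen;                                  /* later reads stay inside it */
    if (ber_header(pkt, len, &pos, 0x02, &vlen) || vlen != 1) return -1;  /* version */
    pos += vlen;
    if (ber_header(pkt, len, &pos, 0x04, &vlen) || vlen >= outsz) return -1;
    memcpy(out, pkt + pos, vlen);                      /* community, sent unencrypted */
    out[vlen] = '\0';
    return (int)vlen;
}

/* Audit one datagram: -1 malformed, 1 default community string, 0 otherwise. */
int audit_datagram(const uint8_t *pkt, size_t len)
{
    char c[64];
    if (snmp_community(pkt, len, c, sizeof c) < 0) return -1;
    return !strcmp(c, "public") || !strcmp(c, "private");
}

/* Constructed sample: SNMPv1 GetRequest for sysDescr.0, community "public". */
const uint8_t SAMPLE_GET[] = {
    0x30,0x26,0x02,0x01,0x00,0x04,0x06,'p','u','b','l','i','c',0xa0,0x19,
    0x02,0x01,0x01,0x02,0x01,0x00,0x02,0x01,0x00,0x30,0x0e,0x30,0x0c,
    0x06,0x08,0x2b,0x06,0x01,0x02,0x01,0x01,0x01,0x00,0x05,0x00 };
/* Constructed malformed packet: community length 0x7f overruns the datagram. */
const uint8_t SAMPLE_BAD[] = { 0x30,0x0a,0x02,0x01,0x00,0x04,0x7f,'p','u','b','l','i' };

int main(void) { printf("%d\n", audit_datagram(SAMPLE_GET, sizeof SAMPLE_GET)); return 0; }
```

An SNMPv3 message fails the community check and is reported as -1, because its second field is a SEQUENCE rather than an OCTET STRING.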

Where Are the Vulnerabilities?

Trap handling
Request handling
What makes things worse?
– Insecure settings
– Spoofing

Impact

Denial of service attacks
Format String Vulnerability
Unstable behaviors
Unauthorized privileged access
Buffer overflows
– Crash SNMP agent
– Reboot device
– Overwrite valid SNMP variables
– Overwrite other applications or OS
– Allow unauthorized access

Solutions

SNMP scanners
– SNScan
  – Windows based utility by Foundstone
CERT Advisory Implications
– Apply patch from vendor
– Disable SNMP service
– Ingress filtering
– Egress filtering
– Filter SNMP traffic from non-authorized internal hosts
– Change default community strings
– Update signatures from vendors
– Segregate SNMP traffic onto a separate management network

Solutions

Other Solutions
– Protect Network perimeter
– Protect Management systems
– Manage Community strings
– Eliminate or protect other access
– Limit Network access
– Watch for uncharted access and services
– Play it safe with vendors, partners, customers and employees

Will SNMPv3 Help?

Advantages
– Improved authentication and access control
– Encryption of SNMP packets
– Remote management of SNMP agents
Disadvantages
– Additional overhead
– RFCs have yet to be adopted as a standard
– Few vendors have working implementations in their hardware/software
– Existing implementations may still be vulnerable to buffer overflow exploits

The Bottom Line

SNMP exploits are real
Integration of network management and security is imperative
Time to rethink overall network management strategy including architecture, applications and future direction.

References

“CERT Advisory CA-2002-03: Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP),” 12 Feb. 2002 (current 11 March 2002).

“PROTOS: Security Testing of Protocol Implementations,” 19 July 2001 (current 11 March 2002).

“PROTOS Test-Suite: c06-snmpv1,” 12 Feb. 2002 (current 11 March 2002).

“M-042: Multiple Vulnerabilities in Multiple Implementations of SNMP,” 12 Feb. 2002 (current 11

Questions?