Forwarded From: "Betty G.O'Hearn" <betty@infowar.com>
Plugging Holes In SNMP
11/7/98 8:49 AM
Nov. 06, 1998 (InternetWeek - CMP via COMTEX) -- Hackers seeking back
doors into corporate networks could target weaknesses in SNMP management
systems, security experts warned last week.
Vulnerabilities in the Simple Network Management Protocol, a 9-year-old
Internet Engineering Task Force (IETF) standard, were brought to light by
a team of network penetration experts from Internet Security Systems Inc.,
which issued alerts about management software from Hewlett-Packard and Sun
Microsystems.
Community strings, hidden passwords for user authentication found in
SNMPv1 and v2, could allow attackers to change system parameters, kill
processes and disrupt network services, according to ISS experts. Both
vendors have issued patches to plug the security holes, but the alerts are
likely to prompt many IT managers to upgrade to the more secure SNMPv3
sooner than planned.
Since its inception, SNMP has lacked strong authentication and privacy
functions; these features were planned for later versions, said Jeff Case,
a co-author of SNMP and president of SNMP Research International, a
developer of SNMP products and toolkits.
"I don't doubt there are vulnerabilities. What these reports are saying
is that SNMPv1 is not safe. Well, it has never been and never will be,"
Case said.
But SNMPv3 was developed with security in mind. The protocol provides
users with stronger access control, authorization, authentication and
privacy, Case said.
Other vendors are getting the message, too. A number of vendors have
SNMPv3-compliant products in the works. They include Advent Network
Management, Cisco, Hewlett-Packard, IBM/Tivoli Systems, Interworking Labs,
Liebert and Nortel/Bay Networks.
Some implementations will be available by year's end. For example,
SNMPv3 will be incorporated in Cisco Internetwork Operating Software
version 12.0.3 by December. The vendor plans to incorporate the protocol
into all of its routers, a spokesman said.
An SNMPv3-compliant version of Bay Networks' System 5000 switch will
ship in April, and the Accelar Layer 3 routing switch will support the
protocol by mid-year, said Chris Mangan, a Bay product manager.
Owners of penetration services, home to so-called "ethical hackers,"
said user ignorance of SNMP vulnerabilities exposes organizations to
attacks. "SNMP is the way we break into machines," said Jeff Moss,
director of Secure Computing Inc.'s penetration services. "Even if you
don't have access to community strings, you can cause a lot of confusion."
Users of SNMP-based management systems usually leave them "turned on to
routers or firewalls, and a [hacker] can pull information off the router
and look at router tables," Moss explained. Although this might not get
the hacker into the network, it's yet another piece of information that
can be used to gain access, he added.
Companies will have to be more vigilant as attackers not only target
operating systems but other devices such as network management systems,
said Chris Ruoland, director of ISS' X Force penetration team.
However, Drew Williams, the head of Axent Technologies' SWAT team,
questioned whether hackers are targeting SNMP systems.
"I don't believe that there is an influx of framework-targeted
attacks," he said. Instead, there is a trend among users to integrate more
security functions such as intrusion detection with their management
frameworks, he said.
The community string vulnerability lets a remote attacker take over
root privileges and gain unauthorized access to SNMP variables, according
to ISS' Ruoland.
But SNMPv3 doesn't use community strings, Case said. Users can retain
them for backward compatibility to SNMPv1 and v2, but v3 uses a
cryptographic technique to secure data.
HP systems affected by the vulnerability include HP OpenView 5.02 and
HP-UX 9.x and HP-UX 10.x SNMP agent software installed with OpenView, as
well as HP OpenView Solaris 2.x. HP OpenView for Windows NT is not
vulnerable, ISS said.
The vulnerability affects Sun Solstice Enterprise Agent software
version 1.0.2 or earlier as well as the Solaris 2.6 operating system.
The company has issued a fix and expects to implement SNMPv3 in the
future, a Sun spokesman said.
By: Rutrell Yasin
Received on Sun Nov 8 20:27:53 1998