ALERT: vulnerability in the SNMP protocol [ ID: A-02001C ]
******************************************************************
Alert ID: A-02001C
Created: Thu Feb 14 16:35:24 CET 2002
Title: Vulnerability in many implementations of the SNMP protocol
Severity: high
******************************************************************
1) Problem description:
A vulnerability has been reported [1] in numerous implementations of the
SNMP protocol that allows denial-of-service attacks or unauthorized access
to the systems that support the protocol.
2) Affected platforms:
At present many of the most widespread platforms appear to be vulnerable
(numerous Unix-derived operating systems, network devices such as switches,
routers and print servers, and all Microsoft platforms [2]); the alert
released by CERT.ORG contains the information provided by the various
vendors about the problem described above.
3) Impact:
The impact varies by platform and ranges from denial of service to
unauthorized access to the systems.
A more detailed description of the problems found in the various SNMP
implementations is available at URL [3], together with a
"Test-Material Package".
4) Solutions:
Besides, obviously, applying any patches released by the various vendors,
it can be useful to introduce an access filtering mechanism at the router
level.
Below is an extract from another advisory (source SANS.ORG [4]):
...
Note 1: Turning off SNMP was one of the strong recommendations in the Top 20
Internet Security Threats that the FBI's NIPC and SANS and the Federal CIO
Council issued on October 1, 2001. If you didn't take that action then, now
might be a good time to correct the rest of the top 20 as well as the SNMP
problem. The Top 20 document is posted at http://www.sans.org/top20.htm
Note 2: If you have Cisco routers (that's true for 85% of our readers) you
are going to have to patch them to fix this problem. This is a great time to
make the other fixes that will protect your Cisco routers from an
increasingly common set of increasingly bad attacks.
A great new free tool will be announced on Thursday that checks Cisco
routers, finds most problems, and provides specific guidance on fixing each
problem it finds. We've scheduled a web broadcast for Thursday afternoon at
1 PM EST (18:00 UTC) to tell you about it and how to get it.
...
Regarding CISCO routers, here is an extract from their alert [5]:
...
Turn SNMP off in the device. This is an effective workaround, but removes
management capability to the device. This can be done using the following
configure command:
no snmp-server
Removing the community string public with the configure command:
no snmp-server community public ro
is not sufficient as the SNMP server will still be running and the device
will be vulnerable. The command no snmp-server must be used instead. Verify
SNMP server status by using the enable command show snmp. You should see a
response of "%SNMP agent not enabled".
Apply an extended access list (ACL) to deny protocol UDP, port 161 and 162,
at the interface level such that SNMP access to the device is allowed only
from the network management workstations. This can be done using the
following configure commands:
access-list 100 permit ip host 1.1.1.1 any
access-list 100 deny udp any any eq snmp
access-list 100 deny udp any any eq snmptrap
access-list 100 permit ip any any
where 1.1.1.1 is the trusted network management station. This access list
must be applied to all interfaces using the following configure commands:
interface serial 0
ip access-group 100 in
This will not prevent spoofed IP packets with the source IP address set to
that of the network management station from reaching the switch's management
interface.
The access-list statement containing "snmptrap" will prevent notification
messages from entering the network when it is applied at the network edge.
...
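To make the semantics of the access list above concrete, here is an added Python model (not part of the advisory or of Cisco's documentation) that evaluates access-list 100 with IOS first-match semantics over constructed sample packets; it shows that non-SNMP traffic still passes and that a packet forging the management station's source address is permitted, which is exactly the spoofing caveat the extract warns about.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
SNMP_PORT, SNMPTRAP_PORT = 161, 162  # IOS keywords "eq snmp" / "eq snmptrap"

@dataclass(frozen=True)
class Packet:
    src: str          # source IP as seen on the inbound interface
    proto: str        # "udp", "tcp", "icmp", ...
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str       # "permit" or "deny"
    proto: str        # "ip" matches every protocol
    src_host: Optional[str] = None   # None means "any" source
    dport: Optional[int] = None      # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src_host in (None, p.src)
                and self.dport in (None, p.dport))

# The four entries of access-list 100 from the Cisco extract, in order.
MGMT_STATION = "1.1.1.1"
ACL_100: List[Ace] = [
    Ace("permit", "ip", MGMT_STATION),        # permit ip host 1.1.1.1 any
    Ace("deny", "udp", dport=SNMP_PORT),      # deny udp any any eq snmp
    Ace("deny", "udp", dport=SNMPTRAP_PORT),  # deny udp any any eq snmptrap
    Ace("permit", "ip"),                      # permit ip any any
]

def evaluate(acl: List[Ace], p: Packet) -> str:
    """IOS semantics: first matching entry wins; implicit deny at the end."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"

# Constructed samples (not from the advisory); the last forges the NMS address.
SAMPLES: Dict[str, Packet] = {
    "nms snmp get":    Packet(MGMT_STATION, "udp", SNMP_PORT),
    "other snmp get":  Packet("192.0.2.50", "udp", SNMP_PORT),
    "other snmp trap": Packet("192.0.2.50", "udp", SNMPTRAP_PORT),
    "other ssh":       Packet("192.0.2.50", "tcp", 22),
    "spoofed nms src": Packet(MGMT_STATION, "udp", SNMP_PORT),
}
def verdicts() -> Dict[str, str]:
    return {name: evaluate(ACL_100, p) for name, p in SAMPLES.items()}
```

The identical verdict for "nms snmp get" and "spoofed nms src" is the point: a source-based ACL filters addresses, not identities, so anti-spoofing filters at the network edge and vendor patches remain necessary.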
5) References:
[1] Cert.org, last revised: February 13, 2002 (15:21 EST):
http://www.cert.org/advisories/CA-2002-03.html
[2] http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-006.asp
[3] http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/
[4] http://www.sans.org/alerts/SNMP.php
[5] http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml
Appendix
GARR-CERT Home Page: http://www.cert.garr.it