Is SNMP an Open Door to Your Network?
GNUCITIZEN looked for undefended SNMP devices on the Internet. Among its findings were that with only read access available, it could coax some Windows 2000 servers into delivering usernames.
March 11, 2008
SNMP is commonly used to manage all sorts of devices, including servers that run Windows. As with any accessible technology, SNMP needs to be configured so that it doesn't provide an easy inroad for intruders.
Most of the SNMP server software I've seen installs itself with a default community name of Public. Leaving that name unchanged is the equivalent of leaving a default password unchanged, and you know full well what sort of trouble that can bring. Unfortunately, a lot of administrators out there fail to change the default SNMP community name, and as a result, their devices are wide open to any number of attacks.
Recently the folks at GNUCITIZEN ran some tests to see how many undefended SNMP devices they could find across the Internet. GNUCITIZEN said that one reason it decided to probe systems via SNMP is because the protocol provides a relatively anonymous method of manipulation. SNMP is a UDP-based, connectionless protocol; therefore, spoofing the origin IP address of its packets is easier. GNUCITIZEN wrote that this "means that an attacker could change configuration settings from a spoofed IP address provided that a valid write community string is identified or cracked."
SNMP provides both read access and write access to devices, and allowed access varies depending on exact configurations. Nevertheless, as GNUCITIZEN points out, sometimes read access is good enough to gather data, such as usernames and passwords. Once a hacker has that data, other routes can be taken to infiltrate systems and networks.
GNUCITIZEN scanned 2.5 million random IP addresses using SNMP and found that with only read access available, it could coax some Windows 2000 servers into delivering usernames by simply examining the right SNMP object identifier (OID). In other instances, the team found that some devices, such as British Telecommunications' BT Voyager 2000 router and HP Jetdirect print servers, would even reveal passwords. You can read a few more details in GNUCITIZEN's blog at the URL below.
http://www.gnucitizen.org/blog/exploring-the-unknown-scanning-the-internet-via-snmp
Granted, exploits against SNMP in both Windows NT and Win2K Server have been floating around for years, and you've probably already installed all the SNMP-related patches issued by Microsoft. But, because many of you still use those server platforms, you might want to ask yourself whether you have really secured your systems against unwanted SNMP probing and querying.
Back in 2000, Microsoft posted two security bulletins regarding SNMP in Windows NT (at the first URL below) and Win2K Server (at the second URL below). The articles of course discuss security problems, however they also link to some relevant information that can help you lock down your SNMP configurations. For example, the Win2K Server article links to Microsoft's Security Configuration Tool Set, which can be a big help. Microsoft also has an article "HOW TO: Configure Security for a Simple Network Management Protocol Service in Windows 2000," at the third URL below.
http://www.microsoft.com/technet/security/bulletin/ms00-095.mspx
http://www.microsoft.com/technet/security/bulletin/ms00-096.mspx
http://support.microsoft.com/kb/315154
As for Windows Server 2003, the company has an article, "How to configure Network Security for the SNMP Service in Windows Server 2003," available at the URL below.
http://support.microsoft.com/kb/324261
About the Author
You May Also Like