“Vulnerabilities in SNMP Implementations”
CSCI 5931 - Web Security
Instructor: Dr. Andrew Yang
Presented By: Harini Varatharajan

Introduction to SNMP
• What is SNMP?
• SNMP Components
  - Agents (Managed device)
  - Managers (Management Entity)
  - Network Management System (NMS)
• SNMP Management Information Base

SNMP Communications
• Protocol Data Unit (PDU) message type
  - GetRequest
  - GetNextRequest
  - GetResponse
  - SetRequest
  - Traps
• UDP Port 161 for Gets and Sets
• UDP Port 162 for Traps

Why the Concern about Vulnerability?
• CERT/CC SNMP Advisory
  - Issued Feb 12th, 2002
  - Identified multiple vulnerabilities
• OUSPG PROTOS Project
  - Tested HTTP, WAP/WSP, LDAP and SNMP
  - Additional protocol testing will follow
• SNMP is a huge target
  - Nearly every device from every vendor could be affected
  - Many exploits are theoretically possible
  - A few exploits work now
  - More exploits will be developed

SNMP Problems
• Community String access modes
  - READ-ONLY
  - READ-WRITE
• Passed in clear text
• Limited error handling
  - Additional exceptions must be handled by vendor’s implementation
• Violations to Basic Encoding Rules of ASN.1
• Invalid variable types

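The BER violations and limited error handling listed above come down to a decoder trusting the length fields in the datagram. The following is an added example, not part of the original slides: a bounds-checked SNMPv1 header check in C. The function names, the 63-byte community limit, the "one message fills the datagram" policy and the sample datagram are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: SNMPv1 GetRequest for sysDescr.0, community "public". */
static const uint8_t SAMPLE_GET[] = {
    0x30,0x26, 0x02,0x01,0x00, 0x04,0x06,'p','u','b','l','i','c', 0xa0,0x19,
    0x02,0x01,0x01, 0x02,0x01,0x00, 0x02,0x01,0x00, 0x30,0x0e, 0x30,0x0c,
    0x06,0x08,0x2b,0x06,0x01,0x02,0x01,0x01,0x01,0x00, 0x05,0x00 };

/* Read one BER tag+length at buf[*pos]; 0 on success, -1 on any violation. */
static int ber_header(const uint8_t *buf, size_t n, size_t *pos, uint8_t *tag, size_t *len) {
    if (n - *pos < 2) return -1;              /* tag + first length octet */
    *tag = buf[(*pos)++];
    *len = buf[(*pos)++];                     /* short form: 0..127 */
    if (*len & 0x80) {                        /* long form: k length octets */
        size_t k = *len & 0x7f;
        if (k == 0 || k > 2 || n - *pos < k) return -1;  /* indefinite, oversized */
        for (*len = 0; k > 0; k--) *len = (*len << 8) | buf[(*pos)++];
    }
    return *len <= n - *pos ? 0 : -1;         /* value must end inside datagram */
}

/* Check SEQUENCE { INTEGER version, OCTET STRING community, PDU }. Returns the PDU
 * tag (0xA0 GetRequest .. 0xA4 Trap) and copies the community to out, else -1. */
int snmp_v1_check(const uint8_t *buf, size_t n, char *out, size_t outsz) {
    size_t pos = 0, len;
    uint8_t tag;
    if (ber_header(buf, n, &pos, &tag, &len) || tag != 0x30 || len != n - pos)
        return -1;                            /* SEQUENCE must fill the datagram */
    if (ber_header(buf, n, &pos, &tag, &len) || tag != 0x02 || len != 1 || buf[pos])
        return -1;                            /* version must be 0 (SNMPv1) */
    pos += len;
    if (ber_header(buf, n, &pos, &tag, &len) || tag != 0x04 || len >= outsz)
        return -1;                            /* community must fit in out */
    memcpy(out, buf + pos, len);
    out[len] = '\0';
    pos += len;
    if (ber_header(buf, n, &pos, &tag, &len) || tag < 0xA0 || tag > 0xA4 || len != n - pos)
        return -1;                            /* unknown PDU type or bad length */
    return tag;
}

int main(void) {
    char community[64];
    int pdu = snmp_v1_check(SAMPLE_GET, sizeof SAMPLE_GET, community, sizeof community);
    printf("pdu=%d community=%s\n", pdu, pdu < 0 ? "(dropped)" : community);
    return pdu < 0;
}
```

A datagram that fails this check is dropped before the variable bindings are touched; the returned community string can then be compared against the defaults the later slides say to change.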
Where Are the Vulnerabilities?
• Trap handling
• Request handling
• What makes things worse?
  - Insecure settings
  - Spoofing

Impact
• Denial of service attacks
• Format String Vulnerability
• Unstable behaviors
• Unauthorized privileged access
• Buffer overflows
  - Crash SNMP agent
  - Reboot device
  - Overwrite valid SNMP variables
  - Overwrite other applications or OS
  - Allow unauthorized access

Solutions
• SNMP scanners
  - SNScan: Windows-based utility by Foundstone
• CERT Advisory Implications
  - Apply patch from vendor
  - Disable SNMP service
  - Ingress filtering
  - Egress filtering
  - Filter SNMP traffic from non-authorized internal hosts
  - Change default community strings
  - Update signatures from vendors
  - Segregate SNMP traffic onto a separate management network

Solutions
• Other Solutions
  - Protect Network perimeter
  - Protect Management systems
  - Manage Community strings
  - Eliminate or protect other access
  - Limit Network access
  - Watch for uncharted access and services
  - Play it safe with vendors, partners, customers and employees

Will SNMPv3 Help?
• Advantages
  - Improved authentication and access control
  - Encryption of SNMP packets
  - Remote management of SNMP agents
• Disadvantages
  - Additional overhead
  - RFCs have yet to be adopted as a standard
  - Few vendors have working implementations in their hardware/software
  - Existing implementations may still be vulnerable to buffer overflow exploits

The Bottom Line
• SNMP exploits are real
• Integration of network management and security is imperative
• Time to rethink overall network management strategy including architecture, applications and future direction.

References
• “CERT Advisory CA-2002-03: Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP),” 12 Feb. 2002 (current 11 March 2002).
• “PROTOS: Security Testing of Protocol Implementations,” 19 July 2001 (current 11 March 2002).
• “PROTOS Test-Suite: c06-snmpv1,” 12 Feb. 2002 (current 11 March 2002).
• “M-042: Multiple Vulnerabilities in Multiple Implementations of SNMP,” 12 Feb. 2002 (current 11