SNMP threat being addressed, not over yet

Vendors and those using their equipment continue to act to counter the threat of hackers disrupting monitoring programmes running on SNMP.

Last week, Computerworld reported that CERT, the US government Computer Emergency Response Team, issued an alert that hackers may be planning attacks on SNMP after flaws in the 12-year-old, widely used network equipment monitoring protocol were discovered by researchers in Finland.

SNMP (simple network monitoring protocol) governs how applications monitoring the performance of networking equipment run.

Its simplicity means it is used by most major vendors, who include network equipment monitoring programs called agents, based on SNMP, in their products. (Agents run on networking equipment and record the performance of the devices by tracking data packets.)

Because SNMP is so widely used, a successful attack could potentially put core internet infrastructure out of action.

In New Zealand, MetService communications specialist Jeff Downs says the service's IT department received the notification from CERT two weeks ago and is taking action.

"It's something we're taking seriously."

Downs says even before the alert, anyone in a network management position should have had precautions in place against an attack on SNMP-based monitoring agents; the MetService did.

"We have a security access host that allows certain hosts access to SNMP information and we've made sure the configuration of the solution is still in a state where it protects SNMP."

The alert "has encouraged me to double check that we're still protected".

Potentially, the threat of hackers devising code to attack network monitoring agents running on SNMP is great, he says.

"If a hacker can get access to SNMP strings on a core internet router and take it out of commission, the potential impact could be huge."

North Shore City Council IS manager Tony Carpinter says "we looked at the report when it first came out and we don't believe we have any great vulnerability, as our use of SNMP is purely internal."

One of CERT's recommendations is for IT staff to make sure SNMP traffic from outside the organisation is filtered out.

In the US, questions are being asked as to why SNMPv1, the oldest and most commonly deployed version of the protocol, has largely been left unpatched over the past 12 years when the more recent versions, SNMPv2 and v3, have been attended to by developers.

The IDG News Service reports that at the SANS Institute conference in California earlier this month, it was noted that ASN.1 (Abstract Syntax Notation One), the coding method used in SNMPv1, is also a telecommunications presentation layer protocol, which has the seal of approval of ITU (International Telecommunications Union).

That raises the possibility of as-yet-undiscovered vulnerabilities in telco systems, aircraft and the commonly used SSL (secure sockets layer), which also uses ASN.1, IDG News says.

Progress on vendor response to the SNMP situation can be found here.
