Internet Security Scare

Potentially one of the largest Internet security holes was discovered today by a group of computer scientists in Finland.

The Oulu University Secure Programming Group has found a hole in Simple Network Management Protocol (SNMP) through which hackers can launch denial-of-service attacks.

The CERT Coordination Center, a security research center at Carnegie Mellon University in the United States, issued an advisory on the security hole at 3:20 PM today. According to the CERT Alert, this security hole is likely to affect a large amount of the networking gear in use. Most vendors were already scrambling to provide customers with software patches as we write. Cisco Systems Inc. (Nasdaq: CSCO) has also issued its own security alert, saying the loophole could affect most of Cisco's switching and routing product families.

The CERT alert states that numerous vulnerabilities have been reported in multiple vendors' SNMP implementations. Specifically, these vulnerabilities could allow unauthorized privileged access or denial-of-service attacks (which occur when networking devices are flooded with millions of incoming packets), or cause unstable behavior.

SNMP is a widely deployed protocol that is commonly used to monitor and manage network devices. Version 1 of the protocol (SNMPv1) defines several types of SNMP messages that are used to request information or configuration changes, respond to requests, enumerate SNMP objects, and send unsolicited alerts, according to CERT.

Some experts believe that these vulnerabilities could cause serious problems. Greg Shipley, chief technology officer at security firm Neohapsis, says there is no way to know how much damage could be caused through these security loopholes, but he says they must be taken seriously.

"The implications are substantial, simply because of the number of products that this affects," he says. "The other thing is, in a complex situation like this, the first hole is usually just the tip of the iceberg."

CERT/CC recommends that service providers disable SNMP and turn on several different filtering mechanisms on products for additional protection, until the problem can be resolved.

According to an unconfirmed report, WorldCom Inc.'s (Nasdaq: WCOM) UUNet, one of the largest Internet service providers in the world, has already seen interruptions in its backbone network, though it's unclear whether this is related to the SNMP security hole.

Products from most of the major networking companies are listed in the advisory as being affected. These include gear from 3Com Corp. (Nasdaq: COMS), Cisco, Enterasys Networks Inc. (NYSE: ETS), Hewlett-Packard Co. (NYSE: HWP), Juniper Networks Inc. (Nasdaq: JNPR), Lucent Technologies Inc. (NYSE: LU), Marconi PLC (Nasdaq/London: MONI), Nortel Networks Corp. (NYSE/Toronto: NT), and Redback Networks Inc. (Nasdaq: RBAK), to name a few.

We'll provide more information as it becomes available.

--R. Scott Raynovich, US Editor, and Marguerite Reardon, Senior Editor, Light Reading
http://www.lightreading.com
netskeptic 12/4/2012 | 10:56:38 PM
re: Internet Security Scare This problem does not have anything to do with the protocol per se, it is purely an implementation issue. So, once patches are issued it will go away.

As far as devices managed by SNMPv1 and SNMPv2c are concerned this problem does constitute a mostly marginal additional threat: if you can access any box running this protocol, you can screw them up in a pretty straightforward way without the trouble of using malformed transactions.

The worst case are SNMPv3 boxes being used in a hostile environment, however, even that is not that bad either: these are relatively new/actively developed products, so we can expect fast patch turnaround and there are not that many of them and considering the fact that most SNMPv3 implementations are not that suitable to work in a hostile environment, it is not that dangerous either.

The real scare is how widespread these problems are - there is no reason to believe that other high level protocol implementations do not have similar problems on a similar scale.

Thanks,

Aleksey

signmeup 12/4/2012 | 10:56:39 PM
re: Internet Security Scare Except that people refuse to properly configure their exterior firewall/routers to prevent this from happening.

Or what about the employee who thinks it's cool to disrupt the network so they don't have to do any real work - just blame it on the network being down....

Finally, to RJ-45... Yes my response was the answer. This has nothing to do with 'community strings' as you first assumed... It has everything to do with denial of service attacks, which is what my answer was.
flanker 12/4/2012 | 10:56:40 PM
re: Internet Security Scare 1. This is not the answer. Any port can be a target of denial of service attack, if left open to the Internet...

2. Why this isn't that scary: A properly managed Internet-facing network device already has SNMP disabled or has acls blocking it from the Internet.


OK, so two posters believe properly configured networks can already handle such an attack, correct?
remelio 12/4/2012 | 10:56:41 PM
re: Internet Security Scare This latest SNMP security hole problem has been buzzing around for several days now. Get with the program people.
RJ-45 12/4/2012 | 10:56:42 PM
re: Internet Security Scare This is not the answer. Any port can be a target of denial of service attack, if left open to the Internet...


lots....

read the security vulnerability. it deals with denial of service, not the security of the community string.

kbkirchn 12/4/2012 | 10:56:42 PM
re: Internet Security Scare For those that don't care to read the advisory:

A malformed SNMP get request sent to an SNMP-enabled device may cause that device to crash/reboot.

Since SNMP uses UDP transport, it is connectionless and the malicious get requests will probably have forged source addresses.

The UofO has provided a pre-compiled downloadable Java applet as part of their source code & research documentation.

Why this isn't that scary: A properly managed Internet-facing network device already has SNMP disabled or has acls blocking it from the Internet. Like many security discoveries, this will hurt the disorganized the most.
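
The comments above describe crashes from malformed get requests as an implementation problem. As an added illustration (not code from the advisory, the article or any vendor, and not a reproduction of the specific flaws reported), this receive-side check bounds-checks every BER length in an SNMPv1 message envelope before using it. The function names, the result code and the 64-byte community cap are assumptions, and both sample packets are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define SNMP_MALFORMED (-1)   /* hypothetical result code for this example */

/* Read one BER tag+length at buf[*pos]; never reads at or past `end`.
 * On success *pos is the first content byte and *pos + *len <= end. */
static int ber_header(const uint8_t *buf, size_t end, size_t *pos,
                      uint8_t tag, size_t *len)
{
    size_t p = *pos, n;
    if (end - p < 2 || buf[p] != tag) return SNMP_MALFORMED;
    n = buf[p + 1]; p += 2;
    if (n & 0x80) {                         /* long form: low bits count length octets */
        size_t cnt = n & 0x7f;
        if (cnt == 0 || cnt > 2 || end - p < cnt) return SNMP_MALFORMED;
        for (n = 0; cnt > 0; cnt--) n = (n << 8) | buf[p++];
    }
    if (n > end - p) return SNMP_MALFORMED; /* declared length overruns the datagram */
    *pos = p; *len = n;
    return 0;
}

/* Check the SNMPv1 envelope: SEQUENCE { INTEGER 0, OCTET STRING community, PDU }.
 * Returns the PDU tag (0xA0 = GetRequest) or SNMP_MALFORMED. */
int snmpv1_check(const uint8_t *buf, size_t buflen)
{
    size_t pos = 0, len, end;
    if (ber_header(buf, buflen, &pos, 0x30, &len)) return SNMP_MALFORMED;
    end = pos + len;                        /* fields must stay inside the SEQUENCE */
    if (ber_header(buf, end, &pos, 0x02, &len) || len != 1 || buf[pos] != 0)
        return SNMP_MALFORMED;              /* version must be 0 (SNMPv1) */
    pos += len;
    if (ber_header(buf, end, &pos, 0x04, &len) || len > 64)
        return SNMP_MALFORMED;              /* 64-byte community cap: local policy */
    pos += len;
    if (end - pos < 2 || buf[pos] < 0xA0 || buf[pos] > 0xA4) return SNMP_MALFORMED;
    int pdu = buf[pos];                     /* 0xA0..0xA4 are the SNMPv1 PDU types */
    if (ber_header(buf, end, &pos, (uint8_t)pdu, &len) || pos + len != end)
        return SNMP_MALFORMED;              /* PDU must fill the message exactly */
    return pdu;
}
/* Constructed samples: a GetRequest for 1.3.6.1.2.1.1.1.0, and a message whose
 * community declares 0xffff bytes while only four are present. */
static const uint8_t sample_get[] = {0x30,0x26,0x02,0x01,0x00,0x04,0x06,'p','u','b','l','i','c',
    0xa0,0x19,0x02,0x01,0x01,0x02,0x01,0x00,0x02,0x01,0x00,0x30,0x0e,0x30,0x0c,
    0x06,0x08,0x2b,0x06,0x01,0x02,0x01,0x01,0x01,0x00,0x05,0x00};
static const uint8_t sample_overrun[] = {0x30,0x0b,0x02,0x01,0x00,0x04,0x82,0xff,0xff,'p','u','b','l'};
int main(void) {
    printf("%d %d\n", snmpv1_check(sample_get, sizeof sample_get),
           snmpv1_check(sample_overrun, sizeof sample_overrun));
    return 0;
}
```

A datagram that fails the check is dropped before any field is copied or interpreted; the varbind list inside the PDU would need the same treatment.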
signmeup 12/4/2012 | 10:56:43 PM
re: Internet Security Scare lots....

read the security vulnerability. it deals with denial of service, not the security of the community string.

RJ-45 12/4/2012 | 10:56:43 PM
re: Internet Security Scare I'm trying to understand and I can't. SNMPv1 vulnerability was known for years: the only security measure, the so-called "community string", travels in the clear over the network. The way to secure an SNMPv1 management network was always to put it behind a firewall. What am I missing?
mu-law 12/4/2012 | 10:56:43 PM
re: Internet Security Scare This is by no means a newly discovered phenomenon.
Stating such is akin to insisting that a technology does not exist until a Dummies book is written about it.

The operational impacts of the CERT advisory will be limited to those carrier networks that are mis-managed, or mis-configured; most of these have long since been found by the initiated hobbyists.