M-042: Multiple Vulnerabilities in Multiple Implementations of SNMP

CIAC ADVISORY NOTICE

M-042: Multiple Vulnerabilities in Multiple Implementations of SNMP

[CERT Advisory CA-2002-03]

February 12, 2002 21:00 GMT
[Revised 13 February 2002]
[Revised 15 February 2002]
[Revised 19 February 2002]
[Revised 25 February 2002]
[Revised  7 March 2002]
[Revised  9 April 2002]
[Revised 25 April 2002]

PROBLEM: The messaging protocol used in SNMPv1 has been found to be vulnerable to many types of remote attack, including denial of service, unauthorized privileged access, and unstable behavior.
PLATFORM: A list of tested platforms is in the CERT bulletin. However, essentially all platforms that use SNMP are vulnerable. Typical platforms that use SNMP for management include routers, switches, hubs, workstations, and servers. Of particular importance are platforms where SNMP is installed by default.
DAMAGE: Remote users can crash systems, make systems unstable, and gain privileged access to systems.
SOLUTION: Where possible, apply vendor patches. Until patches are available, you should do the following:
    1. Block SNMP traffic at the border routers of your network. This includes blocking traffic (TCP and UDP) going in both directions at the border routers for ports 161, 162, 199, 391, 705, and 1993. Blocking the outgoing traffic prevents a site from becoming a source of an attack.
    2. Remove or disable SNMP on all border devices.
    3. Remove or disable SNMP on any systems that do not need it.
    4. Where possible, manage systems with protocols other than SNMP.
    5. Filter or segregate internal SNMP traffic to limit access to the SNMP ports on managed systems.
    6. Change the default community strings.
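As an added example, not code from the CIAC or CERT bulletins, the following Python script shows two defensive checks behind the last two workarounds above: a strict BER decoder that refuses any SNMPv1 message whose claimed lengths exceed the bytes actually received (the class of malformed input that makes vulnerable agents crash or misbehave), and a flag for default community strings seen on the wire. The sample packets, the DEFAULT_COMMUNITIES set and every function name are constructed for this example and are not taken from any vendor implementation.

```python
"""Strict SNMPv1 message checker (added example, not from the bulletin).

Every BER length is bounds-checked against the buffer before any slicing,
and the community string is compared with the well-known defaults.
All packets at the bottom are constructed for this example.
"""
from dataclasses import dataclass

# Assumption: site policy treats these two strings as "default" communities.
DEFAULT_COMMUNITIES = {b"public", b"private"}


class MalformedSnmp(ValueError):
    """Raised for any message that would require reading outside the buffer."""


def _read_tlv(buf: bytes, pos: int):
    """Decode one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise MalformedSnmp("truncated: missing tag or length byte")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form length
        length = first
    elif first == 0x80:                   # indefinite form is not legal in SNMP
        raise MalformedSnmp("indefinite length not allowed")
    else:                                 # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n > 4:
            raise MalformedSnmp("length field too wide")
        if pos + n > len(buf):
            raise MalformedSnmp("truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if length > len(buf) - pos:           # never trust the claimed length
        raise MalformedSnmp(f"claimed length {length} exceeds {len(buf) - pos} remaining bytes")
    return tag, buf[pos:pos + length], pos + length


@dataclass
class SnmpSummary:
    version: int
    community: bytes
    pdu_tag: int
    default_community: bool


def inspect_snmpv1(packet: bytes) -> SnmpSummary:
    """Validate the outer SNMPv1 structure; report version, community and PDU type."""
    tag, body, end = _read_tlv(packet, 0)
    if tag != 0x30 or end != len(packet):
        raise MalformedSnmp("message is not a single SEQUENCE")
    vtag, vval, p = _read_tlv(body, 0)
    if vtag != 0x02 or len(vval) != 1:
        raise MalformedSnmp("bad version field")
    ctag, community, p = _read_tlv(body, p)
    if ctag != 0x04:
        raise MalformedSnmp("bad community field")
    ptag, _pdu, p = _read_tlv(body, p)
    # PDU tags are context-specific constructed (0xA0..0xA4); nothing may trail them.
    if (ptag & 0xE0) != 0xA0 or p != len(body):
        raise MalformedSnmp("bad PDU")
    return SnmpSummary(vval[0], community, ptag, community in DEFAULT_COMMUNITIES)


def triage(packets):
    """Return one verdict string per (label, packet) pair: DROP for malformed input."""
    out = []
    for label, pkt in packets:
        try:
            s = inspect_snmpv1(pkt)
        except MalformedSnmp as e:
            out.append(f"{label}: DROP malformed ({e})")
            continue
        note = " default community!" if s.default_community else ""
        out.append(f"{label}: OK v{s.version} pdu=0x{s.pdu_tag:02x} community={s.community!r}{note}")
    return out


# Constructed sample traffic: a well-formed GetRequest and two malformed messages.
SAMPLE_PACKETS = [
    ("get-public", b"\x30\x18\x02\x01\x00\x04\x06public"
                   b"\xa0\x0b\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30\x00"),
    ("oversize-community", b"\x30\x0b\x02\x01\x00\x04\x7fpublic"),   # claims 127-byte community
    ("bogus-long-length", b"\x30\x84\xff\xff\xff\xff"),              # 4 GiB claimed, 0 bytes present
]

if __name__ == "__main__":
    for line in triage(SAMPLE_PACKETS):
        print(line)
```

Run as a script, the checker drops the two malformed samples and flags the well-formed request for carrying the "public" community; the same two functions can be fed captured SNMP payloads from an internal sensor to inventory devices still using default community strings before the filtering in workaround 5 is put in place.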

VULNERABILITY ASSESSMENT: The risk is HIGH. The use of SNMP is widespread within the government, military, and public. Most implementations of SNMP are vulnerable. The vulnerability has been made public. The vulnerabilities can result in remote privileged access to systems.

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-042.shtml
  ORIGINAL BULLETIN: http://www.cert.org/advisories/CA-2002-03.html
  VENDOR PATCHES OR WORKAROUNDS:
    NOTE: PLEASE REVIEW CERT'S BULLETIN FOR VENDOR PRODUCT UPDATES AND REVISIONS.

Compaq Computer Corp., Tru64 update (4-9-02)   http://ftp.support.compaq.com/patches/.new/html/SSRT0779.shtml
SGI, IRIX update (4-9-02)   ftp://patches.sgi.com/support/free/security/advisories/20020201-01-P
SGI, IRIX hpsnmpd Vulnerability update (4-25-02)   ftp://patches.sgi.com/support/free/security/advisories/20020404-01-P


CIAC wishes to acknowledge the contributions of CERT Coordination Center for the information contained in this bulletin.
DOE-CIRC can be contacted at:
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/