SNMP Vulnerability

Simple Network Management Protocol (SNMP) runs on UDP ports 161 and 162 and is a widely deployed protocol used to monitor and manage network devices: to obtain information about, and even remotely configure, a wide range of network equipment. It runs on almost any network device, from hubs and routers to network printers and servers. SNMP clients also run on many workstations and personal computers, and most network management packages use SNMP for information gathering.

Though the type and amount of data that can be accessed via SNMP depends on the device on which it runs, it generally provides details of the hardware and OS type, network interfaces, network protocol statistics, and vendor-specific details such as the model number and device functionality. Many devices can also be remotely configured using SNMP.

All of the above features make it easier for network administrators to manage and monitor a network, but they also create a serious security risk, since some or all of these tasks can be performed by an attacker if SNMP is compromised.

Attackers can probe devices for SNMP information (e.g. with snmpwalk), overwhelm a victim's device with massive traffic by spoofing its source IP address, or completely reconfigure devices and cause service interruption.

Open SNMP vulnerabilities exist mainly because SNMP is enabled by default with well-known community strings, "private" for write/management access and "public" for read access, on devices that do not even require it, and administrators are often not aware that it is running.

To configure or disable SNMP, consult the product documentation, since SNMP runs on a wide variety of systems and the configuration steps differ from one to the next.

Impact:

If left unprotected, such network devices or computers can easily be used to abuse other networks on the Internet, and your network resources will be implicated in organizing such malicious activity. An unprotected SNMP service can also leak sensitive technical information about the vulnerable device, and it can be used to cause DoS/DDoS.

Mitigations:

  • General security practice is to disable any service or application that is not required, so the simplest step is to disable SNMP on all devices that do not need it.
  • Upgrade to SNMPv3, which, unlike v1 and v2c, encrypts SNMP traffic.
  • Apply ingress filtering: configure the firewall to block UDP ports 161 and 162, and any other custom-configured SNMP port, from the outside world. If you have public-facing servers, allow inbound SNMP traffic from the Internet only to those servers. If none of the above is possible, at least monitor activity on all ports used by SNMP.
  • Apply egress filtering to block servers from initiating outbound SNMP traffic to the Internet, since there is hardly ever a need for it.
  • Reduce the risk of internal attack by applying filters that allow SNMP requests only from authorized devices.
  • Change the default community string: the community string acts as the password for SNMP communication, so set a complex, non-default value.
  • Create a separate management network for SNMP traffic if it is not possible to block or disable it; this makes an attacker's job harder.
  • Some devices allow you to restrict SNMP access. If available, configure which hosts can send SNMP write commands, and possibly which hosts can read information.
  • Limit SNMP access to only those devices that require SNMP for monitoring.
  • Getif and SNMPUTIL are examples of SNMP enumeration tools.
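As an added example (not code from the original article), the following Python script audits a net-snmp snmpd.conf fragment for the weaknesses the list above calls out: default community strings, communities accepted from any source host, write access over v1/v2c, and SNMPv3 users allowed without authentication. The two sample configurations, the passphrase placeholders and the 10.0.0.5 management address are constructed for the example.

```python
"""Audit a net-snmp snmpd.conf fragment for the SNMP weaknesses discussed above."""

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6")

# Constructed sample: a device left on factory defaults (v2c, default strings, any source).
WEAK_CONF = """\
rocommunity public
rwcommunity private
"""

# Constructed sample: SNMPv3 only, authPriv, one read-only user, bound to the management NIC.
# Passphrases are placeholders, not real credentials; 10.0.0.5 is an assumed management address.
HARDENED_CONF = """\
createUser nms-monitor SHA "<auth-passphrase>" AES "<priv-passphrase>"
rouser nms-monitor priv
agentaddress udp:10.0.0.5:161
"""


def audit_snmpd_conf(text):
    """Return a list of (severity, message) findings in file order; [] means clean."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in COMMUNITY_DIRECTIVES:
            community = parts[1] if len(parts) > 1 else ""
            # optional third token is the SOURCE (host or CIDR); "-V view" is not a source
            restricted = len(parts) > 2 and not parts[2].startswith("-") and parts[2] != "default"
            access = "write" if directive.startswith("rw") else "read"
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", f"default community '{community}' grants {access} access"))
            if not restricted:
                findings.append(("high", f"community '{community}' accepted from any source host"))
            if access == "write":
                findings.append(("high", "write access over SNMPv1/v2c; community travels in cleartext"))
            findings.append(("medium", "SNMPv1/v2c community in use; migrate to SNMPv3 (createUser/rouser)"))
        elif directive in ("rouser", "rwuser") and len(parts) > 1:
            level = parts[2].lower() if len(parts) > 2 else "auth"  # net-snmp default level is auth
            if level == "noauth":
                findings.append(("high", f"SNMPv3 user '{parts[1]}' permitted without authentication"))
    return findings
```

Running `audit_snmpd_conf(WEAK_CONF)` yields seven findings, while the hardened fragment yields none.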
