Researchers reveal major SNMP holes



The very foundation of the Internet stands in question today as many network vendors have acknowledged that everything from routers and switches to operating systems, firewalls and printers can be knocked offline or hacked because of newly publicized vulnerabilities within one of the oldest IP-based protocols: SNMP.



It was a research paper from Finland's Oulu University last week that sent shudders through the network industry and its customers. The paper revealed that SNMPv1 has four-dozen known vulnerabilities that can be exploited by attack tools in ways that might cripple the Internet and corporate networks.

Attackers could exploit technical weaknesses related to six classes of vulnerability: overflow exceptions, format-string exceptions, bit-pattern exceptions, basic encoding rules, missing symbol exceptions and integral-value exceptions.

Oulu University also provided test tools to prove the point, prompting security experts to predict that it's only a matter of time before hackers develop automated computer worms and "malware" to blast or take over equipment that isn't patched.

"This is unprecedented for the Internet," says firewall security expert Bill Cheswick, chief scientist at Lumeta, a network management and security company. "I really think it could bring down the Internet."

"Basically, most everything on the Internet is impacted," agrees Chris Rouland, director of Internet Security Systems' threat assessment group, the X-Force.

Oulu University disclosed its findings as quietly as possible a few weeks ago to the CERT Coordination Center, which issues alerts on important security problems and works with the industry to address shortcomings. Last week, as the research paper landed like a bombshell, about 50 vendors scrambled to disclose vulnerabilities in their equipment.

"The faulty SNMP code has been identified on all affected Cisco products," says Catherine Stewart, a Cisco spokeswoman. "We're correcting the software images for all the affected products and making those images available on our Web site." An image is software that runs on switches and routers. Late last week, Cisco had managed to make available about a third of the software.

"The cost of applying all these fixes across 50 or so vendors' equipment is tremendous," says Alfred Huger, vice president of engineering at SecurityFocus, a San Mateo, Calif. firm that provides security expertise primarily for ISPs. "Few people introduce patches without extreme testing. It will take months. And I know that these [hacker] exploits are going to start soon."

Many security services, including Counterpane, Guardent Technologies and Secure Interiors, were moving swiftly to ensure that SNMP traffic from outside their customers' corporate networks was filtered out. This is one of CERT's recommended actions [see graphic for others].

"We were already doing that for our customers because we perceive SNMP as a risk," says Jeff Schmidt, founder and CTO at Columbus, Ohio managed security provider Secure Interiors. "SNMP has no business passing beyond a company's network border."

The SNMP security alert reverberated through corporations.

"It's potentially huge for us," says Troy Tate, corporate network manager at CTS, an electronics maker in Elkhart, Ind. "Our routers are managed by AT&T, and I don't know what type of security they've got on them."

When Tate asked AT&T officials on a conference call how the company would protect its customers from potential attacks, he says he received little assurance. "They said they were investigating it, but with so many people on the line, it was an awfully long silence."

An AT&T spokesman says the company has been aware of the SNMP vulnerabilities for "a number of weeks" and has been working closely with CERT and AT&T Labs to ensure the AT&T net, as well as customer networks, are secure.

At Eastern Bank in Lynn, Mass., the SNMP warning is seen as less of a threat because most of the bank's Cisco and 3Com switches that are vulnerable to an SNMP attack sit on a LAN behind secure routers and firewalls, says Henry Greener, the bank's vice president of network architecture. "The only thing we have to consider with something like this is the fact that most network mischief is usually caused from the inside of a network," he says.

In this instance, SNMP is a problem and part of the solution for Eastern Bank. While the bank's IT staff must now install new software on dozens of networked machines, Greener says this task will be relatively painless thanks to network management software the bank uses from Cisco and Aprisma - both SNMP-based. This software will let staff update its hardware in less than a day from a single PC, he adds.

Richard Glasburg, director of data communications for the Commonwealth of Massachusetts, says he found out about the SNMP security issues prior to the Oulu University findings and took steps to protect his network, which he declined to detail.

"Most folks who have done their homework know that SNMP is not secure," he says. "And now with the CERT advisory, more people will know not to let SNMP fly all over the place on their nets."

More than a few people last week remarked that problems with SNMP have been known for years but largely ignored by the network industry.

The SNMP protocol, written in the summer of 1988, was not originally designed for the type of security needed today, says Jeff Case, an author of the SNMP standard and CTO at SNMP Research, a developer and distributor of management protocols. What is a revelation, Case concedes, is that there are bugs in the original code known by one of three names: the CMU code, the UC Davis code or the Net-SNMP code.

This code, originally written by Steve Waldbusser at Carnegie Mellon University and adapted into the work of the University of California at Davis, now falls under the moniker of Net-SNMP because of its association with Net-SNMP, a loosely knit development organization that distributes a free and unsupported version of SNMP code.

Case says SNMP Research discovered and addressed these bugs late last year and distributed a CD with patches to all its customers, including Cisco, Nortel, Hewlett-Packard and Siemens. Case says an SNMP customer pointed out the bugs to SNMP Research in October, and the organization worked to fix the bugs in their code, while the university also performed its research regarding the same problems in the code. But he said it's more than likely that not all the vendors have upgraded their SNMP implementations.

Case says now that the protocol's weaknesses are published, users with widespread SNMP implementations are more at risk.

"In truth, anyone could have done what [the Finnish researchers] did," Case says. "However, now they don't have to because the results are published. Now [potential hackers] don't have to be smart to attack SNMP, they just have to read the results."

Several industry insiders said the results of the Finnish research were released about a week earlier than expected. The news prompted a hastily organized session on SNMP at last week's SANS Institute conference in Monterey, Calif., which about 500 security professionals attended.

"The routing fabric of the Internet is at risk right now," says conference attendee Marty Roesch, president of Sourcefire, a start-up being launched to commercialize an intrusion-detection freeware tool called Snort.

But while the SNMPv1 standard itself could use improvement, the principal blame last week was being put on the UC Davis SNMP Library implementation of SNMP, Roesch says. In fact, developers have included security measures in SNMPv2 as well as SNMPv3; unfortunately, neither is as widely deployed as SNMPv1. Case says the patches to SNMPv1 also will automatically fix any other versions of SNMP being used on a network device.

"The ASN.1 coding in that implementation of SNMP has a lot of stuff that no one has examined for 10 years," Roesch says. Commenters at the conference also noted that ASN.1 is an old telecom presentation-layer protocol approved by the International Telecommunication Union, so there potentially could be vulnerabilities uncovered in telecom systems, aircraft and even Secure Sockets Layer, which uses ASN.1.
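The vulnerability classes listed earlier (overflow, basic encoding rules, integral-value and missing-symbol exceptions) and Roesch's remark about unexamined ASN.1 code both come down to the same defect: a decoder that trusts the length fields inside a BER-encoded SNMP message. The following is an added illustration, not code from the article, from CERT, or from any of the SNMP implementations it names. It decodes an SNMPv1 GetRequest while checking every nested length against the bytes that actually remain in the enclosing container, and it is run against a constructed well-formed packet and several constructed malformed variants of the kind a BER fuzzer produces. The 64-binding cap and 255-byte community limit are assumed sanity bounds, not values from any standard.

```python
class BerError(ValueError):
    """Raised for any encoding the decoder refuses to trust."""


def read_tlv(buf, pos, end):
    """Read one BER tag and length at buf[pos] inside the container buf[pos:end].

    Returns (tag, value_start, value_end). The length is always checked against
    the enclosing container, so a nested element can never claim bytes it lacks.
    """
    if pos >= end:
        raise BerError("truncated: expected a tag byte")
    tag, pos = buf[pos], pos + 1
    if tag & 0x1F == 0x1F:
        raise BerError("multi-byte tag numbers are not used by SNMP")
    if pos >= end:
        raise BerError("truncated: expected a length byte")
    first, pos = buf[pos], pos + 1
    if first < 0x80:                       # short form: one byte holds the length
        length = first
    elif first == 0x80:                    # indefinite form is not legal in SNMP
        raise BerError("indefinite length not permitted")
    else:                                  # long form: next (first & 0x7F) bytes hold it
        nbytes = first & 0x7F
        if nbytes > 4:
            raise BerError("length field wider than 4 bytes")
        if pos + nbytes > end:
            raise BerError("truncated long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if length > end - pos:                 # the check a naive decoder omits
        raise BerError(f"length {length} exceeds the {end - pos} bytes that remain")
    return tag, pos, pos + length


def expect(buf, pos, end, want):
    """read_tlv, but insist on a particular tag."""
    tag, vs, ve = read_tlv(buf, pos, end)
    if tag != want:
        raise BerError(f"expected tag 0x{want:02X}, found 0x{tag:02X}")
    return vs, ve


def decode_int(buf, start, end):
    if not 1 <= end - start <= 4:          # SNMPv1 INTEGER is a 32-bit value
        raise BerError("INTEGER must be 1 to 4 bytes")
    return int.from_bytes(buf[start:end], "big", signed=True)


def decode_oid(buf, start, end):
    if start == end:
        raise BerError("empty OBJECT IDENTIFIER")
    first = buf[start]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value, mid_arc = 0, False
    for b in buf[start + 1:end]:           # base-128 arcs, high bit set means "continues"
        value = (value << 7) | (b & 0x7F)
        if value > 0xFFFFFFFF:
            raise BerError("sub-identifier exceeds 32 bits")
        mid_arc = bool(b & 0x80)
        if not mid_arc:
            arcs.append(value)
            value = 0
    if mid_arc:
        raise BerError("OID ends in the middle of a sub-identifier")
    if len(arcs) > 128:
        raise BerError("too many OID arcs")
    return ".".join(map(str, arcs))


def decode_snmpv1_get(packet):
    """Decode an SNMPv1 GetRequest into a dict, refusing anything malformed."""
    buf = bytes(packet)
    ms, me = expect(buf, 0, len(buf), 0x30)          # Message ::= SEQUENCE
    if me != len(buf):
        raise BerError("trailing bytes after message")
    vs, ve = expect(buf, ms, me, 0x02)
    version = decode_int(buf, vs, ve)
    if version != 0:
        raise BerError(f"not SNMPv1 (version field {version})")
    cs, ce = expect(buf, ve, me, 0x04)               # community OCTET STRING
    if ce - cs > 255:                                # assumed sanity bound
        raise BerError("community string too long")
    ps, pe = expect(buf, ce, me, 0xA0)               # GetRequest-PDU [0] IMPLICIT
    if pe != me:
        raise BerError("trailing bytes after PDU")
    fields, pos = [], ps
    for _ in range(3):                               # request-id, error-status, error-index
        vs, ve = expect(buf, pos, pe, 0x02)
        fields.append(decode_int(buf, vs, ve))
        pos = ve
    ls, le = expect(buf, pos, pe, 0x30)              # VarBindList
    if le != pe:
        raise BerError("trailing bytes after VarBindList")
    varbinds, pos = [], ls
    while pos < le:
        if len(varbinds) >= 64:                      # assumed cap on bindings per request
            raise BerError("too many variable bindings")
        bs, be = expect(buf, pos, le, 0x30)          # VarBind
        os_, oe = expect(buf, bs, be, 0x06)          # name: OBJECT IDENTIFIER
        tag, vs, ve = read_tlv(buf, oe, be)          # value: any type, bounds-checked
        if ve != be:
            raise BerError("trailing bytes inside VarBind")
        varbinds.append((decode_oid(buf, os_, oe), tag, buf[vs:ve]))
        pos = be
    return {"version": version, "community": buf[cs:ce].decode("ascii", "replace"),
            "request_id": fields[0], "error_status": fields[1],
            "error_index": fields[2], "varbinds": varbinds}


def safe_decode(packet):
    """Return (True, parsed) or (False, reason) so a caller never sees an exception."""
    try:
        return True, decode_snmpv1_get(packet)
    except BerError as e:
        return False, str(e)


# Constructed sample: SNMPv1 GetRequest, community "public", for sysDescr.0 (1.3.6.1.2.1.1.1.0).
GOOD = bytes.fromhex("3026 020100 04067075626c6963 a019 020101 020100 020100 "
                     "300e 300c 06082b06010201010100 0500")
# Constructed malformed variants; each must be rejected rather than read past the buffer.
OVERSIZED_OID = GOOD.replace(b"\x06\x08\x2b\x06", b"\x06\x7f\x2b\x06")  # OID claims 127 bytes
HUGE_LONG_FORM = b"\x30\x84\xff\xff\xff\xff" + GOOD[2:]                 # 4 GB outer length
INDEFINITE = b"\x30\x80" + GOOD[2:]                                     # indefinite length
TRUNCATED = GOOD[:30]                                                   # packet cut short

if __name__ == "__main__":
    for name, pkt in [("good", GOOD), ("oversized-oid", OVERSIZED_OID),
                      ("huge-length", HUGE_LONG_FORM), ("indefinite", INDEFINITE),
                      ("truncated", TRUNCATED)]:
        print(name, safe_decode(pkt))
```

Every length check happens before any byte is read, and the container end is threaded down through each nested call; that single discipline covers the overflow, BER and integral-value classes at once, which is why vendors could ship one patch to the shared decoder rather than a fix per protocol operation.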

A few vendors said their products aren't affected by the SNMP vulnerabilities. They included IBM with its AIX software, and Foundry, with its switches. Both vendors said they ran their respective software and hardware through the vulnerability tests outlined by CERT and found their products were not affected.

SNMP security

CERT recommends taking the following steps to combat the SNMP security problem:

- Apply the software patch from your vendor and test thoroughly.
- When blocking or disabling SNMP is impossible, restrict all SNMP access to separate, isolated management networks, such as virtual LANs.
- Disable any SNMP service that is not required, although CERT notes some products appear to be affected even if SNMP is disabled.
- Use egress filtering, which manages the flow of traffic that leaves your network, to prevent your network from being used as a source of attack.
- Use ingress filtering by blocking access to SNMP services at the network perimeter.
- Join the online forum led by the SANS Institute at www.sans.org to share ideas and techniques for defenses.
- Filter SNMP traffic from nonauthorized internal hosts.
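The three filtering steps above (ingress at the perimeter, egress out of the network, and blocking nonauthorized internal hosts) can be checked against what a firewall actually logs. The following is an added example, not part of the article or of any CERT or SANS material: it classifies Netfilter-style log records by those three rules and reports every SNMP flow that should have been filtered. The address ranges, the management VLAN 10.99.0.0/24, the single authorized manager 10.99.0.10, and the log lines themselves are all constructed for the example.

```python
import ipaddress
import re

# Assumed addressing for the example: two internal ranges, one isolated management
# VLAN, and the only host permitted to poll agents (port 161) or receive traps (162).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
MANAGEMENT_VLAN = ipaddress.ip_network("10.99.0.0/24")
AUTHORIZED_MANAGERS = {ipaddress.ip_address("10.99.0.10")}
SNMP_PORTS = {161, 162}

# Field layout of the constructed log lines (Netfilter-style key=value pairs).
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def classify(line):
    """Map one flow record to a verdict that mirrors the CERT filtering steps."""
    m = LINE_RE.search(line)
    if not m:
        return "unparsed"
    src, dst = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
    proto, spt, dpt = m[3].upper(), int(m[4]), int(m[5])
    if proto not in ("UDP", "TCP"):
        return "not-snmp"
    if dpt not in SNMP_PORTS:
        # An agent's reply (source port 161) is the other half of a flow already
        # judged on its request, so it is not scored a second time.
        return "reply" if spt in SNMP_PORTS else "not-snmp"
    src_in, dst_in = is_internal(src), is_internal(dst)
    if not src_in and dst_in:
        return "ingress-block"            # SNMP arriving from outside the perimeter
    if src_in and not dst_in:
        return "egress-block"             # SNMP leaving: our hosts used as a source
    if not src_in and not dst_in:
        return "transit"                  # neither end is ours
    if dpt == 161 and src in AUTHORIZED_MANAGERS:
        return "allow"                    # poll from the management station
    if dpt == 162 and dst in AUTHORIZED_MANAGERS:
        return "allow"                    # trap delivered to the management station
    if src in MANAGEMENT_VLAN and dst in MANAGEMENT_VLAN:
        return "allow"                    # stays inside the isolated management network
    return "internal-unauthorized"        # internal host with no business speaking SNMP


def audit(lines):
    """Group the flows that should have been filtered by verdict: (src, dst, dport)."""
    findings = {}
    for line in lines:
        verdict = classify(line)
        if verdict in ("allow", "not-snmp", "reply", "transit", "unparsed"):
            continue
        m = LINE_RE.search(line)
        findings.setdefault(verdict, []).append((m[1], m[2], int(m[5])))
    return findings


# Constructed sample log: one line per case the rules distinguish.
SAMPLE_LOG = [
    "Feb 13 10:01:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=10.0.0.1 PROTO=UDP SPT=3000 DPT=161",
    "Feb 13 10:01:05 fw kernel: IN=eth1 SRC=10.99.0.10 DST=10.0.0.1 PROTO=UDP SPT=3001 DPT=161",
    "Feb 13 10:01:05 fw kernel: IN=eth1 SRC=10.0.0.1 DST=10.99.0.10 PROTO=UDP SPT=161 DPT=3001",
    "Feb 13 10:01:09 fw kernel: IN=eth1 SRC=10.1.5.23 DST=10.0.0.1 PROTO=UDP SPT=3002 DPT=161",
    "Feb 13 10:01:12 fw kernel: IN=eth1 SRC=10.0.0.1 DST=10.99.0.10 PROTO=UDP SPT=4000 DPT=162",
    "Feb 13 10:01:15 fw kernel: IN=eth1 SRC=10.0.0.1 DST=198.51.100.5 PROTO=UDP SPT=4001 DPT=162",
    "Feb 13 10:01:20 fw kernel: IN=eth1 SRC=10.1.5.23 DST=10.0.0.1 PROTO=TCP SPT=5000 DPT=80",
]

if __name__ == "__main__":
    for verdict, flows in audit(SAMPLE_LOG).items():
        for src, dst, dport in flows:
            print(f"{verdict:22} {src} -> {dst}/{dport}")
```

Run against the sample, the audit reports one flow for each of the three filtering rules: the external poll on port 161, the trap leaving the network on port 162, and the internal workstation polling an agent without being on the authorized list; the management station's own traffic and the agent's reply are left alone.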

RELATED LINKS

Contact Senior Editor Ellen Messmer

Contact Staff Writer Denise Dubie

Contact Senior Writer Phil Hochmuth

CERT advisory on the hole
Includes info on specific vendor products.

CERT FAQ on the vulnerability

The Oulu University report on the hole
