From: Larson, Chris (Contractor) (Chris.Larson@xxxxxx)
Date: Wed Feb 13 2002 - 15:25:15 GMT-3
I think the problem with an access list is also part of the vulnerability. I
thought I had read that if you broadcast an SNMP it will process the SNMP
before it checks the community strings. It may only be certain SNMP sets or
gets, or it may be a special malformed request that allows this to happen,
but I am quite certain there is a way around the access-list by sending the
SNMP to an all-1s address.
-----Original Message-----
From: Joseph Ezerski [mailto:jezerski@broadcom.com]
Sent: Wednesday, February 13, 2002 12:59 PM
To: 'Matt Wagner'; ccielab@groupstudy.com
Subject: RE: SNMP warning from CERT yesterday
I think the easiest first step (until you can upgrade your border router and
DMZ devices to the new code) is to drop an ACL on the SNMP community. It is
the easiest way and only takes a second. It buys you the time to plan for
the upgrade, if that is your goal.
-Joe
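A minimal Cisco IOS configuration of the kind Joe describes, added here as an illustration and not taken from the thread; the ACL numbers, the community string MYCOMMUNITY, the management host 192.0.2.10 and the interface name Serial0 are placeholders, and a read-only community is assumed:

```cisco
! Standard ACL listing only the management station(s) allowed to poll SNMP.
! 192.0.2.10 is a placeholder for the NMS host.
access-list 10 permit host 192.0.2.10
access-list 10 deny any log
!
! Bind the community to the ACL: SNMP requests from any other source
! are refused. MYCOMMUNITY is a placeholder; pick a non-guessable string.
snmp-server community MYCOMMUNITY RO 10
!
! Defence in depth: also drop SNMP arriving from the untrusted side at the
! border interface, so filtering does not rely on the SNMP process alone.
! Serial0 is a placeholder for the outside interface.
access-list 110 deny udp any any eq snmp log
access-list 110 permit ip any any
interface Serial0
 ip access-group 110 in
```

The `log` keywords make refused SNMP attempts visible in the router's syslog, which is useful for confirming that the filter is actually taking effect.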
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Matt Wagner
Sent: Wednesday, February 13, 2002 9:04 AM
To: ccielab@groupstudy.com
Subject: OT: SNMP warning from CERT yesterday
Any thoughts on the SNMP warning from CERT yesterday? The recommendations
were for obvious things: only explicitly permit traffic; don't open LAN
protocols on your perimeter; take your management subnet out of band, etc.
One thing was troubling, though. X-Force says that Cisco routers configured
to filter SNMP traffic might fail to do so and permit a DoS attack. Huh?
Anybody have better information on less obvious steps to take? Turning off
SNMP on my private network seems a bit extreme since I'm using Network
Management Software.
Matt
This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 13:46:21 GMT-3