Re: SNMP warning from CERT yesterday

From: Brian Apley (ccie7599@xxxxxxxxx)
Date: Thu Feb 14 2002 - 18:35:19 GMT-3

Read the advisory closely- specifically on CCO. Believe it or not, Cisco's
SNMP implementation is all jacked up.

-SNMP is vulnerable whether or not the exploiter has the correct ro or rw
community.

-Even if you include an ACL at the end of your community (snmp-server
community public ro 5), if you have a trap community defined, your router
will be vulnerable via the *freaking* trap community. (not the trap community
"freaking," any trap community).

-My favorite- You put an ACL at the end of your community. You put an ACL at
the end of the trap community that blocks all inbound traffic. Well, then
you're fine and dandy- until you reload the router. After a reload, the
order in which the system processes the startup config will open the hole
again.

I don't need to repeat word for word what's already on the web- check it out
at-

http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml

Read the bottom for the nitty-gritty. The best part is when they list
affected products (everything but hubs), then non-affected products (hubs).

Brian Apley
CCIE #7599, CCDP, CSS1

----- Original Message -----
From: "Jay Hennigan" <jay@west.net>
To: <ccielab@groupstudy.com>
Sent: Thursday, February 14, 2002 1:37 AM
Subject: RE: SNMP warning from CERT yesterday

> On Wed, 13 Feb 2002, Matt Wagner wrote:
>
> > right. Sorry, I forgot to state that the initial warning recommended
> > turning off SNMP entirely. Subsequent warnings took into account that we
> > can't just do that, but warned of a failure of a configured ACL to actually
> > filter the SNMP traffic (with no explicit reason why).
>
> SNMP uses UDP. Because there is no three-way handshake with random
> sequence numbers as with TCP, it is trivial to spoof the source of a
> UDP packet.
>
> So, in addition to configured ACLs limiting SNMP to defined machines
> that really need it, ACLs at your borders filtering traffic that claims
> to originate within your network are a good thing. Likewise as a good
> neighbor (unless you're providing transit) you should filter traffic
> leaving your network that claims to originate elsewhere.
>
> The advisory also suggested disabling UDP port 7 (echo) to prevent bouncing
> an SNMP packet off of a host allowed by any ACL in place.
>
> And, for heaven's sake, don't use "public" for RO and "private" for RW !
>
> --
> Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
> NetLojix Communications, Inc. - http://www.netlojix.com/
> WestNet: Connecting you to the planet. 805 884-6323
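Pulling the advice from both posts into one IOS configuration, as an added example (this is not from either author and not from the Cisco advisory): the weak settings the thread warns about, the two responses to them (disable SNMP outright, or bind the community to an ACL and drop the trap community), the UDP echo service, and the border anti-spoofing ACLs Jay describes. 192.0.2.0/24, 192.0.2.10, 198.51.100.5, Serial0/0 and the community strings are placeholders; exact syntax varies by IOS release.

```cisco
! Added example, not from either post or from the Cisco advisory.
! 192.0.2.0/24 is a placeholder "inside" prefix, 192.0.2.10 a placeholder
! management station, Serial0/0 an assumed border interface.
!
! --- Weak settings the thread warns about (do not use) ---
! snmp-server community public RO
! snmp-server community private RW
! snmp-server host 198.51.100.5 traps public
!
! --- Option 1: what the first CERT warning recommended ---
no snmp-server
!
! --- Option 2: keep SNMP, but restrict who can reach it ---
! Only the management station may use the read-only community; the
! string is a placeholder, not "public". No RW community is defined.
access-list 5 permit host 192.0.2.10
access-list 5 deny   any log
snmp-server community CHANGE-ME-RO RO 5
!
! Per Brian's post, a trap community is itself reachable and its ACL can
! be reopened by the order in which startup-config is processed after a
! reload, so leave it out unless the NMS truly needs traps:
! no snmp-server host 198.51.100.5 traps CHANGE-ME-TRAP
!
! UDP echo (port 7), which the advisory says can bounce an SNMP packet
! off an ACL-permitted host, is part of the UDP small servers.
no service udp-small-servers
!
! --- Border anti-spoofing, as in Jay's reply ---
! Inbound on the outside interface: drop packets claiming an inside source.
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 101 permit ip any any
! Outbound: let only inside-sourced packets leave (good-neighbour filter).
access-list 102 permit ip 192.0.2.0 0.0.0.255 any
access-list 102 deny   ip any any log
!
interface Serial0/0
 ip access-group 101 in
 ip access-group 102 out
```

The `log` keywords on the deny entries matter for detection: a spoofed SNMP packet that claims an inside source and arrives on Serial0/0 shows up as a list 101 deny in syslog rather than silently reaching the agent. As Brian's post makes clear, none of this repairs the malformed-message handling in the SNMP code itself; it only limits who can reach the agent and makes spoofing past ACL 5 from outside the border much harder.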



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 13:46:23 GMT-3