From: Frank Jimenez (franjime@xxxxxxxxx)
Date: Fri Feb 15 2002 - 00:57:34 GMT-3
More information on the SNMP warnings that I thought the board might
find interesting:
While I don't usually defend Cisco on these boards, it does appear that
pretty much the whole tech world got hit over the head with this one:
Cisco, Microsoft, Novell, Nortel, Sun, Juniper, and so on.... So we
really should have to tar everyone with the same brush.
Anyway, the links....
And if you're an uber-geek, you can read this: (From the folks who
discovered the problem to begin with...)
http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/
And more info for non-Cisco specific products:
http://www.cert.org/advisories/CA-2002-03.html
The black-hats of the world are starting to catch on, too: (Note the
increasing port 162 traffic at the bottom of this page:)
http://www.dshield.org/snmp.html
Back to the studies....
Good luck all,
Frank Jimenez, CCIE #5738
Systems Engineer
Cisco Systems, Inc.
franjime@cisco.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Brian Apley
Sent: Thursday, February 14, 2002 3:35 PM
To: ccielab@groupstudy.com; security@groupstudy.com
Subject: Re: SNMP warning from CERT yesterday
Read the advisory closely- specifically on CCO. Believe it or not,
Cisco's SNMP implementation is all jacked up.
-SNMP is vulnerable whether or not the exploiter has the correct ro or rw
community.
-Even if you include an ACL at the end of your community (snmp-server
community public ro 5), if you have a trap community defined, your
router will be vulnerable via the *freaking* trap community. (not the
trap community "freaking," any trap community).
-My favorite- You put an ACL at the end of your community. You put an
ACL at the end of the trap community that blocks all inbound traffic.
Well, then you're fine and dandy- until you reload the router. After a
reload, the order in which the system processes the startup config will
open the hole again.
I don't need to repeat word for word what's already on the web- check it
out at:
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml
Read the bottom for the nitty-gritty. The best part is when they list
affected products (everything but hubs), then non-affected products
(hubs).
Brian Apley
CCIE #7599, CCDP, CSS1
----- Original Message -----
From: "Jay Hennigan" <jay@west.net>
To: <ccielab@groupstudy.com>
Sent: Thursday, February 14, 2002 1:37 AM
Subject: RE: SNMP warning from CERT yesterday
> On Wed, 13 Feb 2002, Matt Wagner wrote:
>
> > right. Sorry, I forgot to state that the initial warning
> > recommended turning off SNMP entirely. Subsequent warnings took
> > into account that we can't just do that, but warned of a failure of
> > a configured ACL to actually filter the SNMP traffic (with no
> > explicit reason why).
>
> SNMP uses UDP. Because there is no three-way handshake with random
> sequence numbers as with TCP, it is trivial to spoof the source of a
> UDP packet.
>
> So, in addition to configured ACLs limiting SNMP to defined machines
> that really need it, ACLs at your borders filtering traffic that
> claims to originate within your network are a good thing. Likewise as
> a good neighbor (unless you're providing transit) you should filter
> traffic leaving your network that claims to originate elsewhere.
>
> The advisory also suggested disabling UDP port 7 (echo) to prevent
> bouncing an SNMP packet off of a host allowed by any ACL in place.
>
> And, for heaven's sake, don't use "public" for RO and "private" for RW!
>
> --
> Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
> NetLojix Communications, Inc. - http://www.netlojix.com/
> WestNet: Connecting you to the planet. 805 884-6323
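Jay's recommendations above (community strings restricted by ACL, anti-spoofing filters at the border, disabling UDP echo, and no "public"/"private" strings) written out as an IOS configuration; this is an added example, not text from the thread, the CERT advisory, or Cisco. The address block 203.0.113.0/24 (RFC 5737 documentation range), the management host, the interface name, the ACL names and the community strings are all assumptions.

```cisco
! Constructed example; addresses, names and strings are placeholders.
! Assumes 203.0.113.0/24 is our own block and Serial0/0 faces the upstream.
!
! 1. Non-default community strings, limited to the management host by ACL 10.
access-list 10 remark SNMP managers only
access-list 10 permit host 203.0.113.10
access-list 10 deny   any log
snmp-server community Q7x2-mgmt-ro RO 10
snmp-server community Q7x2-mgmt-rw RW 10
!
! 2. Anti-spoofing at the border. Inbound: drop packets that claim one of our
!    own source addresses (or an RFC 1918 one). Outbound: allow only packets
!    that really carry one of our source addresses, as a good neighbour.
ip access-list extended EDGE-IN
 deny   ip 203.0.113.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
ip access-list extended EDGE-OUT
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
interface Serial0/0
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
!
! 3. Turn off the router's own UDP small servers (echo/7, discard/9,
!    chargen/19, daytime/13) so an SNMP packet cannot be bounced off them;
!    port 7 on the hosts the ACLs permit needs the same treatment.
no service udp-small-servers
no service tcp-small-servers
```

As Brian's message points out, ACLs on the community strings did not by themselves stop the malformed-message problem, so these filters limit exposure but are not a substitute for the fixed code the Cisco advisory lists.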
This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 13:46:23 GMT-3