
·
Premium Member
Two Mini Coopers!
Joined
·
10,629 Posts
Discussion Starter #1
If you have not already seen this advisory, and you have a cable modem, DSL modem, or any other externally accessible equipment, you should read this:

Internet Security Systems Security Alert
February 12, 2002

PROTOS Remote SNMP Attack Tool


Synopsis:

ISS X-Force has learned of a powerful SNMP (Simple Network Management
Protocol) attack tool that may be circulating in the computer
underground. The PROTOS SNMP stress-testing tool sends thousands of test
cases to SNMP daemons from a remote system to discover programming flaws
or exploitable vulnerabilities. This tool has the immediate ability to
crash SNMP daemons and hardware devices running SNMP. The circulation of
this tool may lead to the widespread use of new exploits to crash or
compromise vulnerable systems. SNMP is ubiquitous as a network
management protocol on the Internet. Nearly every operating system,
router, switch, cable or DSL modem, and firewall is shipped with an SNMP
service.


Affected Versions:

The PROTOS Project has provided the following list as a sample of
vendors that support SNMPv1 implementations in their products. The
following vendors may or may not be vulnerable to the PROTOS SNMP tool:

3Com, Alcatel, Amber Networks, Arbor, Banyan Networks, Canon, Cisco,
Compaq, Computer Associates, D-Link, Dell, Digi, Ericsson, Extreme
Networks, F5, Foundry, Fujitsu Siemens, HP, Hitachi, IBM, ICL, Intel,
Juniper Networks, Lantronix, Laurel, Lotus, Lucent, Marconi-Fore,
Microsoft, Multitech, NET-SNMP, NetGear, Nokia, Nortel, Novell, SMC,
Shiva, Siemens, Sumimoto, Sun Microsystems, Telebit, Teledat, Windriver,
Xerox, Xylan, Zyxel

CERT has stated that over 100 vendors are vulnerable.


Description:

The University of Oulu of Linnanmaa, Finland launched the PROTOS Project
to develop thorough testing procedures for uncovering programming faults
and potentially exploitable vulnerabilities. The basis of the PROTOS
effort is to develop thousands of test cases and launch them against
implementations of the target protocol to uncover programming
weaknesses. This method is also often referred to as "fuzz testing," or
"black box testing." The PROTOS project was very successful in
uncovering weaknesses and exploitable vulnerabilities in many LDAP and
HTTP implementations.

The PROTOS SNMP attack tool was released in a limited fashion, but ISS
X-Force believes that the computer underground is actively using the
tool to assess SNMP weaknesses and to develop new exploits. The PROTOS
team has proven that many implementations of SNMP are vulnerable to
numerous flaws tested by the tool. X-Force testing has verified the
claims of the PROTOS team.

This tool is extremely thorough and is perceived to be the most
exhaustive SNMP testing tool available. It launches various combinations
of six main types of test cases:

- bit pattern exception
- BER (Basic Encoding Rules) encoding exception
- format string exception
- integer value exception
- missing symbol exception
- overflow exception

The effectiveness of the tool is increased by targeting broadcast
addresses. As a result, the reach of the tool can be greatly extended by
simultaneously attacking many devices.


Recommendations:

The PROTOS SNMP attack tool has proven very effective against networks
and devices that are not protected by firewalls or any type of packet
filter. It is well known that SNMP traffic can be dangerous and should
be heavily filtered at the perimeter.

ISS X-Force recommends that all system administrators immediately assess
their exposure to SNMP traffic (ports 161 and 162 tcp/udp). Individual
users should assess their exposure or contact their cable modem, DSL
modem, or router vendor to inquire about potential issues. X-Force
recommends that home users consider installing perimeter defenses in the
form of a router with filtering capabilities, and personal firewall
software with intrusion detection capabilities.

Cisco users should be aware that it has been reported that some Cisco
routers and switches will not filter packets even if configured to, if
there is an SNMP community string defined with an ACL on it, and an
'snmp-server host' is configured with the same community string. In this
configuration, a packet could be sent to the router or switch that
ignores all ACLs on the device.


An Internet Scanner FlexCheck has been developed to detect all
potentially vulnerable SNMPv1 networked devices. Additional assessment
support will be added in an upcoming Internet Scanner X-Press Update.
The FlexCheck is available now at:
https://www.iss.net/cgi-bin/download/customer/download_product.cgi


RealSecure Network Sensor may trigger several different signatures in
response to an SNMP attack using the PROTOS SNMP attack tool. RealSecure
administrators should closely examine the following events if they are
detected by RealSecure:

- SNMP_Activity
- SNMP_Set
- SNMP_Community

An X-Press Update for RealSecure Network Sensor will be released as soon
as possible that includes detection support for the various attacks used
in PROTOS SNMP attack tool. In an effort to provide the X-Press Update
to customers as quickly as possible, XPUs for different versions of
Network Sensor will be released as they are completed. Detection
support will also be added in a future update for BlackICE products.

RealSecure Network Sensor administrators can configure connection events
to detect SNMP traffic on the network, including both normal SNMP
traffic and attacks against SNMP. Use the instructions below to create
the following four connection events and apply them to your policy:

- SNMP over TCP (a connection event that will trigger anytime traffic is
  destined to TCP port 161)
- SNMP over UDP (a connection event that will trigger anytime traffic is
  destined to UDP port 161)
- SNMP Traps over TCP (a connection event that will trigger anytime
  traffic is destined to TCP port 162)
- SNMP Traps over UDP (a connection event that will trigger anytime
  traffic is destined to UDP port 162)

To add new connection events:
1. Choose the policy that you want to use, and then click Customize.
2. Select the Connection Events tab.
3. In the right pane, click Add.

To create a Connection Event for SNMP over TCP:
1. Type in a name of the event, such as SNMP_TCP.
2. In the Response field for the event, select the responses you want
to use.
3. In the Protocol field, select TCP.
4. In the Src Port/Type field, leave the default value of Any
selected.
5. In the Dest Port/Type field, select the entry for SNMP (port 161).
6. Click OK.

To create a Connection Event for SNMP over UDP:
1. Type in a name of the event, such as SNMP_UDP.
2. In the Response field for the event, select the responses you want
to use.
3. In the Protocol field, select UDP.
4. In the Src Port/Type field, leave the default value of Any
selected.
5. In the Dest Port/Type field, select the entry for SNMP (port 161).
6. Click OK.

To create a Connection Event for SNMP Traps over TCP:
1. Type in a name of the event, such as SNMPTRAP_TCP.
2. In the Response field for the event, select the responses you want
to use.
3. In the Protocol field, select TCP.
4. In the Src Port/Type field, leave the default value of Any
selected.
5. In the Dest Port/Type field, select the entry for SNMPTRAP (port
162).
6. Click OK.

To create a Connection Event for SNMP Traps over UDP:
1. Type in a name of the event, such as SNMPTRAP_UDP.
2. In the Response field for the event, select the responses you want
to use.
3. In the Protocol field, select UDP.
4. In the Src Port/Type field, leave the default value of Any
selected.
5. In the Dest Port/Type field, select the entry for SNMPTRAP (port
162).
6. Click OK.

To enable the new connection events:
1. Save the changes, and then close the window.
2. Click 'Apply to Sensor' or 'Apply to Engine', depending on the
version of RealSecure you are using.


BlackICE products may trigger several different signatures in response
to an SNMP attack using the PROTOS SNMP attack tool. BlackICE users and
administrators should closely examine the following events if they are
detected by BlackICE:

- SNMP community long
- SNMP sysName overflow
- SNMP Crack
- SNMP Port Probe
- SNMP Corrupt
- SNMP Backdoor
- SNMP SET sysContact
- SNMP discovery broadcast
- UDP Port Probe

Detection support will be added in a future update for BlackICE
products.

Additional Information:

ISS X-Force Database,
http://www.iss.net/security_center/static/8115.php

This alert is available at:
http://www.iss.net/security_center/alerts/advise110.php
[Note: It may take up to 24 hours from the original posting of this
alert for it to appear on the Web site.]
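
Added example, not part of the original post or the ISS advisory: a strict check of the outer SNMPv1 message envelope, showing the kind of length and type validation whose absence the BER-encoding and overflow test cases above expose. The function names, the `MAX_COMMUNITY` limit and the sample datagram are assumptions constructed for illustration.

```python
# Added example: strict validation of the outer SNMPv1 envelope (BER TLVs).
# MAX_COMMUNITY is an assumed local policy limit, not a value from the advisory.
MAX_COMMUNITY = 64

# Constructed sample: SNMPv1 GetRequest for sysDescr.0, community "public".
GOOD = bytes.fromhex("3026020100040670" "75626c6963a01902" "0101020100020100"
                     "300e300c06082b06" "0102010101000500")

class BerError(ValueError):
    pass

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV at pos, or raise BerError."""
    if pos + 2 > len(buf):
        raise BerError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                  # short form: the byte is the length
        length = first
    else:                             # long form: low 7 bits count length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise BerError("indefinite or oversized length field")
        if pos + n > len(buf):
            raise BerError("truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):       # never trust the declared length
        raise BerError("declared length exceeds datagram")
    return tag, pos, pos + length

def check_snmpv1(datagram):
    """Return 'ok', or a short reason why the envelope is rejected."""
    try:
        tag, start, end = read_tlv(datagram, 0)
        if tag != 0x30 or end != len(datagram):
            return "outer SEQUENCE missing or does not span the datagram"
        tag, vs, ve = read_tlv(datagram, start)
        if tag != 0x02 or datagram[vs:ve] != b"\x00":
            return "version is not INTEGER 0 (SNMPv1)"
        tag, cs, ce = read_tlv(datagram, ve)
        if tag != 0x04:
            return "community is not OCTET STRING"
        if ce - cs > MAX_COMMUNITY:
            return "community too long"
        tag, _, pe = read_tlv(datagram, ce)
        if not 0xA0 <= tag <= 0xA4 or pe != end:   # the five SNMPv1 PDU types
            return "bad PDU type or PDU length"
    except BerError as exc:
        return str(exc)
    return "ok"
```

The check stops at the PDU header; the request ID, error fields and variable bindings inside the PDU need the same bounds-checked parsing.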
 

·
Guest
Joined
·
0 Posts
Care to paraphrase? Since I'm not getting paid to be a geek, I can't seem to force myself to read all that! :D

But basically I think it says, "Nick, don't worry about it."

:D
If somebody wants to hack my machine, good for them. Let them. They might get this machine while I'm online, but when it gets shut off, they can have at my ICS box. Toast it if they want. 5 minutes with ghost and it's back online. ;)
 

·
Registered
Joined
·
143 Posts
SNMP = bitchin' network management tool

Thank god none of mine is visible to the internet... just all internal. I'm not sure how I'd live without all my SNMP monitoring stuff ;)
 