The Simple Network Management Protocol (SNMP) is a widespread protocol
allowing network administrators to obtain information on and even configure
various network devices remotely. It is very common on all but the most
basic networking hardware (hubs, switches, routers, etc), and many other
networked devices (networked printers, terminal servers, etc). Many
workstations/PCs also have SNMP clients running on them as well, and most
network management packages (commercial and non-commercial) make extensive
use of SNMP for information gathering.
Most devices that provide SNMP allow enormous amounts of data to be
accessed over it. The exact information available depends on the type of
device, its manufacturer and model, but generally include
details of the hardware and OS type, information on the various network
interfaces, statistics on the various network protocols, and general and
vendor-specific details about what the device does and is
doing. The volume of data available is generally too much to be useful to a
systems administrator without some management code to sort through it. The
security risks of allowing a potential intruder access to
this information depends largely on what type of device it is, but realize
that if the data is known to the device, it is probably accessible via SNMP.
Many devices allow themselves to be configured remotely via SNMP as well.
Devices which do so generally can be completely configured in such a
manner. This can definitely be of use to systems
administrators, but also is an obvious security concern.
Despite its popularity, SNMP v1 and v2 have rather basic access control,
using passwords called community strings. Most devices are set up with two
community strings, a (Read) community for viewing information and a Set or
Write community for changing configurations. Many devices come out of the
box with SNMP operational and a read community string of "public". Write
access often has to be turned on manually, but not always. Needless to say,
care should be taken with both settings.
This community stringmay allow unauthorized access to certain SNMP
variables. Attackers may use this hidden community to learn about network
topology as well as modify MIB variables.
All hosts in a managed network rely on the proper delivery and collection
of SNMP data. This vulnerability allows remote attackers access to
portions of the MIB tree used for configuration and maintenance of the
SNMP agent.
Attackers may use this hidden community from remote to gain
information otherwise reserved for authorized users. Attackers can also
use this community to disrupt collection of data over SNMP as well as
sever communication between Collection Agents and Management stations.
At 01:06 PM 8/30/00 -0700, married wrote:
>First time question to the list. Hopefully it is clear. If more info is
>required, let me know.
>
>A cisco rouer managed by an HP OpenView box gets compromised. The person
>who compromised the router now has the RO and RW community string of the
>OpenView box. Can the OV box now be compromised from the Cisco router? Can
>any information be gleaned now from the OV box about the networks it
>manages...?
>
>Thanks a lot for your responses.
>
>Married :-)
>
>
>* Get free, secure online email at http://www.ziplip.com/ *
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
