SNMP vulnerability offers 3,200 reasons to worry

The past few weeks haven't been a complete disaster, but I have to dig deep to find the silver lining in recent events.

It started when the Finland-based University of Oulu's security research team released a series of vulnerability warnings about Simple Network Management Protocol (SNMP) v1 implementations. Last year, the team released a similar warning about the Lightweight Directory Access Protocol (LDAP) that was entirely accurate, so I was sure it was right again.

LDAP servers aren't that common; we have four, which we patched quickly. SNMP servers are a different story. Everything seems to come with an SNMP interface; I hear even some digital cameras are affected by SNMP problems. Certainly, every major system and network operating system is at risk.

We have 4,312 network devices. Of those, 75 percent (about 3,200) run SNMP and need to be patched. Luckily, we block SNMP from the outside world and don't publish anything to third parties via SNMP.

By the time you read this, however, I expect some bright spark will have written a chunk of malicious code that spreads via the SNMP bug and also uses Web sites or e-mail to propagate itself. Despite our excellent layered antivirus strategy, I'd be kidding myself if I didn't think it was possible for such code to get into the company. And once it got there, ouch!

Since almost every system, from desktops to servers and printers to networks, is vulnerable, this is one attack that could cripple everything. I'd rather not think about that; I just have to start the race to get the patches in or the SNMP servers disabled before a new virus appears.

We've also taken a closer look at SNMP probes of our firewalls to see if this weakness is already being attacked. Although there has been some growth in the number of probes, it hasn't been an explosive increase, like the one we saw in secure-shell probing when bugs were announced regarding CRC32 handling in the protocol.

We did detect one of our software providers trying to send thousands of SNMP traps to our central network-monitoring systems. It seems we sent the company an example of our configuration, including where to send alerts, for testing purposes. The provider has been using the configuration on a system that can see the Internet, and it's been merrily sending alerts to our firewall. As we renumber our internal networks to RFC1918 private address ranges rather than the Class B addresses we currently use, this kind of problem should disappear.

An Insidious IM Virus

While we wait for the ax to fall with an automated exploit of the SNMP weaknesses, my thoughts have turned to other virus writers. In general, I pity and hate people who write viruses. The majority of virus codes show no particular skill and are obviously lifted wholesale from previous successful viruses. I'd much rather these people spent their time doing something constructive. I expect that the people who clean graffiti off subway trains have similar feelings toward vandals.

But I bet that those workers sometimes come across a piece of graffiti that transcends the medium and almost becomes art. The recent MSN Instant Messenger (IM) virus includes some impressive features, and I have to show some grudging respect to its author.

In an obvious display of originality, the virus uses a new medium to spread: in this case, IM. When initiated, the code sends a message to all your buddies telling them to visit a Web site. It also lets them know that if they're sick of these messages, they can go to another Web site to stop the invitations. The first Web site contains 60 lines of malicious JavaScript that takes advantage of an Internet Explorer bug to run without constraint and open the messaging software and spread further.

The unsubscribe site just takes you to the first site, ensuring that once you've infected all your buddies and their messages have flooded you, you reinfect yourself while trying to unsubscribe.

The code itself is better-written than most commercial code I buy. It checks to make sure that you're vulnerable and that you have the right version of IE before running so it doesn't pop up with errors that might help you realize you have a virus. If your security settings are configured so that it can't run, the virus shows you a "warning" and explains how to reduce your settings to supposedly get the most out of the site you're visiting.

I don't use IM myself, but several members of my team got hundreds of copies of the message, which spreads quickly. This version doesn't do anything other than propagate and disrupt IM communications, but because the code is freely available for download on the link sent to everyone, it won't be long before someone releases a destructive variant. To protect ourselves, I've pulled the plug on IM until we have patches in place.

But this week hasn't been all bad news. Yes, we are wide open to the SNMP bugs and will have to work hard to patch devices before the sky falls. Yes, a whole new arena of virus threats has been invented, meaning we have to disable a service until we can be certain it's safe. These are hardly victories in the war for a secure company. But at least we have been able to complete the next phase of our perimeter testing.

We had been using phone hacker Chris Lamprecht's ToneLoc program for phone testing, but the software isn't very user-friendly. Instead, we have just tested PhoneSweep from Sandstorm Enterprises Inc. in Cambridge, Mass. This professional tool allows us to scan and probe our private branch exchange and other lines to make sure no workers have connected via an unauthorized modem to bypass our firewall. Now we can focus on the next stage, wireless LAN identification and tracking, while our modems ring every number in the company.
