[aclug-L] FW: Ready, Set, Patch!

To: "Aclug Discussion" <discussion@xxxxxxxxx>
Subject: [aclug-L] FW: Ready, Set, Patch!
From: "Dale W Hodge" <dwh@xxxxxxxxxxxxxxxx>
Date: Tue, 26 Feb 2002 09:27:56 -0600
Reply-to: discussion@xxxxxxxxx

-----Original Message-----
From: Linux_Security@xxxxxxxxxxxxxxxxxxx
[mailto:Linux_Security@xxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, February 26, 2002 1:04 AM


LINUX SECURITY --- February 26, 2002
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
________________________________________________________________________________

HIGHLIGHTS

* SNMP launched this week's panicky rush to patch vulnerable machines
  and caused many system administrators to reacquaint themselves with
  an old friend, nmap.
________________________________________________________________________________

Ready, Set, Patch!
By Brian Hatch

Every so often, a vulnerability in a widespread piece of software
causes security and administrative folk to stop all existing projects
and madly apply patches and upgrade programs on every machine. This
week, our culprit of lost time is SNMP, the Simple Network Management
Protocol.

SNMP, a UDP-based protocol (though it infrequently uses TCP instead),
lets network devices provide tons of information that monitoring agents
and management tools can use, as well as send alerts (traps). 'Community
strings', which are effectively simple passwords sent in the clear with
every request (the usual defaults are 'public' for read access and
'private' for write access), protect access to this information.

Almost all SNMP-enabled devices use version 1 of the protocol, which
has a number of shortcomings. Nothing prevents IP spoofing, there is no
privacy or encryption, and no authentication method other than
community strings is available. Many folks have referred to SNMP as
the 'Security Not My Problem' protocol. Newer SNMP specifications
(SNMPv3) offer more security, but few products actually use them yet.

Bugs in numerous SNMP implementations were found by the Oulu University
Secure Programming Group, and details were released on February 12th,
2002. These are not bugs in the SNMPv1 protocol, but bugs in various
implementations. For detailed information, see the CERT advisory at
http://www.cert.org/advisories/CA-2002-03.html .
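To make the two points above concrete, here is an added example in Python (not code from the newsletter, from CERT or from net-snmp). It hand-encodes an SNMPv1 GetRequest for sysDescr.0 so the community string can be read straight off the wire bytes, and it walks the message's BER structure with the bounds checks a decoder needs before trusting any length field it receives from the network. The function names, the request-id and the two malformed packets are constructions for this example.

```python
"""SNMPv1 on the wire: a cleartext community string and strict BER parsing.

Added example, not taken from the newsletter or from net-snmp.  Function
names, the request-id and the malformed packets are this example's own.
"""

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, MIB-II (RFC 1213)


def _length(n):
    """BER definite-form length: one byte below 128, else 0x80|count + big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _length(len(value)) + value


def _integer(n):
    """Non-negative INTEGER; a leading 0x00 is added when the top bit would be set."""
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id):
    """Message { version 0, community, GetRequest-PDU { id, 0, 0, [ {oid, NULL} ] } }."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0)
               + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(0) + _tlv(0x04, community.encode("ascii")) + pdu)


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos, refusing anything that
    does not fit inside buf.  Copying 'length' bytes without these checks is
    exactly how a malformed packet turns into a buffer overflow."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0 or count > 4:          # indefinite form, or absurd length field
            raise ValueError("unsupported length encoding")
        if pos + count > len(buf):
            raise ValueError("truncated length field")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("length %d exceeds the %d bytes remaining" % (length, len(buf) - pos))
    return tag, buf[pos:pos + length], pos + length


def community_from_wire(pkt):
    """Pull the community string out of a captured SNMPv1 message: no key, no decryption."""
    tag, msg, end = read_tlv(pkt)
    if tag != 0x30 or end != len(pkt):
        raise ValueError("not a single SNMP message")
    tag, version, pos = read_tlv(msg)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("not SNMPv1")
    tag, community, _ = read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("community string missing")
    return community.decode("ascii", "replace")


def is_well_formed(pkt):
    try:
        community_from_wire(pkt)
        return True
    except ValueError:
        return False


# A GetRequest as a management station would send it to 161/udp.
GET = build_get_request("public", SYS_DESCR_0, 42)

# Constructed malformed inputs in the spirit of the OUSPG test cases: the
# first claims 200 bytes in its outer length but carries 38, the second is
# cut off mid-PDU.  A strict decoder rejects both instead of reading past
# the end of its buffer.
BAD_LENGTH = b"\x30\x81\xc8" + GET[2:]
TRUNCATED = GET[:-5]

if __name__ == "__main__":
    print("community string in cleartext:", community_from_wire(GET))
    print("GET is %d bytes: %s" % (len(GET), GET.hex()))
    for name, pkt in (("BAD_LENGTH", BAD_LENGTH), ("TRUNCATED", TRUNCATED)):
        print(name, "well-formed?", is_well_formed(pkt))
```

Running it shows the word "public" sitting in the packet unprotected, which is why a sniffer on the management VLAN is as good as the password; the two rejected packets illustrate the only defence the protocol leaves to implementers: never trust a length field further than the bytes that actually arrived.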

The Short Version
If you have any machines running SNMP, then you could be in some
serious trouble. Some of the bugs leave a device vulnerable to a
Denial of Service attack, while others can trigger buffer overflows or
format string bugs that could allow arbitrary code to run on the
affected system.

The net-snmp (formerly ucd-snmp) package ships with most Linux
distributions, and versions before 4.2.2 are vulnerable. Most users
have no need for an SNMP server on their Linux box; however, some
distributions enable it by default when the machine is installed with a
server configuration. If this is the first time you've heard of SNMP,
then it's definitely not something you need enabled on your systems.

So it's time to visit all your Linux machines and upgrade your net-snmp
packages to 4.2.2 or later. Or better yet, remove the server SNMP
packages entirely.

Linux security doesn't end with your Linux machines themselves --
security is dependent on each and every machine with which they
interact. Many other devices on your network probably have SNMP
enabled by default as well.  Almost all switches, routers, network
printers, and other just-plug-them-in devices are SNMP ready. And due
to the bugs found by OUSPG, we now know that 'SNMP ready' is merely a
synonym for 'vulnerable.'

SANS has created a tool named SNMPing that you can use to find systems
that have SNMP enabled. To get a copy, send an email to
snmptool@xxxxxxxx and they'll send you the download information.
Unfortunately, the tool only runs on Windows NT/2000.  I haven't tried
the tool myself, but given SANS' technical know-how, it's probably
quite effective.

If you want to do a quick search of your own networks the Unix way,
Nmap is your true and eternal friend. Some devices listen on more than
just the standard 161/udp and 162/udp ports.  The following is a fairly
complete list:

   snmp              161/udp   # SNMP
   snmp-trap         162/udp   # SNMP management messages (traps)
   snmp              161/tcp   # SNMP (TCP version)
   snmp-trap         162/tcp   # SNMP system management messages (TCP version)
   smux              199/tcp   # SNMP Unix Multiplexer
   smux              199/udp   # SNMP Unix Multiplexer
   synoptics-relay   391/tcp   # SynOptics SNMP Relay Port
   agentx            705/tcp   # AgentX
   snmp-tcp-port    1993/tcp   # cisco SNMP TCP port
   snmp-tcp-port    1993/udp   # cisco SNMP TCP port

Since we want to check both TCP and UDP ports, we need two rounds of
nmap: a UDP scan (-sU) for the UDP ports and a regular TCP scan for the
TCP ones. Below is an example that checks all machines on the
192.168.1.0/24 network for the ports listed above.  Naturally you
should tailor the example appropriately.

    root# nmap -sU -p 161,162,199,1993 192.168.1.0/24
    root# nmap -p 161,162,199,391,705,1993 192.168.1.0/24

Any machine that has open ports will show results similar to the
following:

    Interesting ports on someprinter.example.com (192.168.1.100):
    Port       State       Service
    161/udp    open        snmp

Then it's time for you to turn off SNMP on that device or upgrade the
SNMP software.
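The scan-and-remediate loop above, as an added example in Python (not code from the article or from nmap): it derives the UDP and TCP port lists from the port table, emits the two nmap command lines, and turns nmap's normal output into a list of hosts that still need SNMP disabled or upgraded. The nmap output embedded below is constructed to match the format the article shows, and the host names and addresses are invented.

```python
"""Scan for SNMP listeners and turn nmap output into a remediation list.

Added example, not code from the article.  SNMP_PORTS is the article's
port table; SAMPLE_OUTPUT is constructed in the format the article shows,
with invented host names and addresses.
"""
import re

# (service, port, protocol) as listed in the article
SNMP_PORTS = [
    ("snmp", 161, "udp"), ("snmp-trap", 162, "udp"),
    ("snmp", 161, "tcp"), ("snmp-trap", 162, "tcp"),
    ("smux", 199, "tcp"), ("smux", 199, "udp"),
    ("synoptics-relay", 391, "tcp"), ("agentx", 705, "tcp"),
    ("snmp-tcp-port", 1993, "tcp"), ("snmp-tcp-port", 1993, "udp"),
]


def port_list(proto):
    """Sorted, de-duplicated -p argument for one protocol."""
    return ",".join(str(p) for p in sorted({p for _, p, pr in SNMP_PORTS if pr == proto}))


def nmap_commands(target):
    """One UDP (-sU) run and one TCP run, as the article does."""
    return ["nmap -sU -p %s %s" % (port_list("udp"), target),
            "nmap -p %s %s" % (port_list("tcp"), target)]


HOST_RE = re.compile(r"^Interesting ports on (\S+) \((\d+\.\d+\.\d+\.\d+)\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(output):
    """Map (hostname, ip) -> open 'port/proto' entries from nmap's normal output."""
    found, host = {}, None
    for line in output.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            host = (m.group(1), m.group(2))
            continue
        m = PORT_RE.match(line)
        # nmap 2.x prints plain 'open'; newer releases print 'open|filtered' for UDP
        if m and host and m.group(3).startswith("open"):
            found.setdefault(host, []).append("%s/%s" % (m.group(1), m.group(2)))
    return found


def remediation_list(output):
    """'hostname ip port/proto ...' lines ordered by address: each needs SNMP off or upgraded."""
    return ["%s %s %s" % (name, ip, " ".join(ports))
            for (name, ip), ports in sorted(
                parse_nmap(output).items(),
                key=lambda item: tuple(int(o) for o in item[0][1].split(".")))]


# Constructed output in the format the article shows (hosts and addresses invented).
SAMPLE_OUTPUT = """\
Interesting ports on someprinter.example.com (192.168.1.100):
(The 3 ports scanned but not shown below are in state: closed)
Port       State       Service
161/udp    open        snmp

Interesting ports on core-switch.example.com (192.168.1.1):
Port       State       Service
161/udp    open        snmp
162/udp    closed      snmp-trap
1993/udp   open        snmp-tcp-port

All 4 scanned ports on workstation.example.com (192.168.1.50) are: closed
"""

if __name__ == "__main__":
    for cmd in nmap_commands("192.168.1.0/24"):
        print(cmd)
    for line in remediation_list(SAMPLE_OUTPUT):
        print(line)
```

Treat the UDP results with care: nmap of this era reports a UDP port as open whenever nothing answers the probe, so a firewall that silently drops packets makes every port look open. Confirm a hit with a real SNMP query (for example an snmpget against the host) before scheduling an outage to fix it.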

Somewhere, right now, someone is probably writing a worm to attack
vulnerable SNMP installations. Make sure that you update your machines
before it hits the Internet. Luckily, the nature of these
vulnerabilities is that an exploit that would succeed against one type
of machine, say a router, would merely crash the SNMP service on a
different machine like your Linux server. However, losing your
connectivity isn't a bundle of fun either.

________________________________________________________________________________


About the author(s)
-------------------
Brian Hatch is Chief Hacker at Onsight, inc and author of Hacking Linux
Exposed and Building Linux VPNs. He has been securing and breaking into
computers since before he traded in his Apple ][+ for his first Unix
system. Brian can be reached at brian@xxxxxxxxxxxxxxxxxxxxxxx.
________________________________________________________________________________

ADDITIONAL RESOURCES

Welcome To The NET-SNMP Home Page
http://itw.itworld.com/GoNow/a14724a53278a76028222a11

SNMP - Simple Network Management Protocol
http://itw.itworld.com/GoNow/a14724a53278a76028222a6

SNMP vulnerability poses major threat
http://itw.itworld.com/GoNow/a14724a53278a76028222a10

SNMP vulnerability: fundamental infrastructure problem?
http://itw.itworld.com/GoNow/a14724a53278a76028222a2

SNMP Vulnerability A 'Triple Threat'
http://itw.itworld.com/GoNow/a14724a53278a76028222a1

ANALYSIS: Dealing With New SNMP Vulnerabilities
http://itw.itworld.com/GoNow/a14724a53278a76028222a3
________________________________________________________________________________

ITWORLD.COM NEWSLETTER ARCHIVE

Index of Linux Security
http://itw.itworld.com/GoNow/a14724a53278a76028222a9

Attacking Linux, Part 1
http://itw.itworld.com/GoNow/a14724a53278a76028222a7

Attacking Linux, Part 2
http://itw.itworld.com/GoNow/a14724a53278a76028222a8
________________________________________________________________________________

Copyright 2002 ITworld.com, Inc., All Rights Reserved.
http://www.itworld.com

-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi

