-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
SingCERT Advisory SA-98.05.SNMP_vulnerability_summary

Original issue date: 19 November 1998

Topic: SNMP agent vulnerability summary
- ---------------------------------------------------------------------------------

To aid in the wide distribution of essential security information, SingCERT is
forwarding the following vulnerability information, which has recently
surfaced, relating to Simple Network Management Protocol (SNMP) agents.

The excerpts of SNMP agent alerts forwarded in this advisory are:

[ISSa] Internet Security Systems Inc, "Hidden SNMP community in HP OpenView",
       2nd November 98
[ISSb] Internet Security Systems Inc, "Hidden community string in SNMP
       implementation", 2nd November 98
[ISSc] Internet Security Systems Inc, "ISS Security Update", 16th November 98
[NAI]  Network Associates Security Labs, "Windows NT SNMP Security Permissions
       by NAI", 17th November 98

SingCERT urges you to act on this information as soon as possible.
Administrators are advised to temporarily disable the SNMP daemons of affected
systems until a solution is provided by the respective vendors. The contact
information is included in the forwarded text below. Please contact the
authors if you have any questions or need further information.

- -----------------------------BEGIN INCLUDED TEXT--------------------

--------------------------------------------------------------------
[ISSa] See NOTES for copyright information
--------------------------------------------------------------------

ISS Security Advisory
November 2nd, 1998

Hidden SNMP community in HP OpenView

Synopsis:

Internet Security Systems (ISS) X-Force has researched a hidden SNMP community
string that exists in HP OpenView. This community may allow unauthorized
access to certain SNMP variables. Attackers may use this hidden community to
learn about network topology as well as modify MIB variables.
Affected Versions:

ISS X-Force has confirmed that this vulnerability is present in HP OpenView
Version 5.02. Earlier versions are believed to be vulnerable. HP-UX 9.X and
HP-UX 10.X SNMP agents are vulnerable if OpenView is installed. OpenView for
Solaris 2.X is also vulnerable. OpenView for Windows NT is not vulnerable.

Fix Information:

HP has made the following patches available:

PHSS_16800: HP-UX Version 10.X
PHSS_16799: HP-UX Version 9.X
PHOV_02190: Solaris Version 2.X

Description:

All hosts in a managed network rely on the proper delivery and collection of
SNMP data. This vulnerability allows remote attackers access to portions of the
MIB tree used for configuration and maintenance of the SNMP agent. Attackers
may use this hidden community from remote to gain information otherwise
reserved for authorized users. Attackers can also use this community to
disrupt collection of data over SNMP as well as sever communication between
Collection Agents and Management stations.

Additional Information:

ISS Internet Scanner and ISS RealSecure real-time intrusion detection software
have the capability to detect these vulnerabilities.

--------------------------------------------------------------------
[ISSb] See NOTES for copyright information
--------------------------------------------------------------------

ISS Security Advisory
November 2nd, 1998

Hidden community string in SNMP implementation

Synopsis:

Internet Security Systems (ISS) X-Force has discovered a serious vulnerability
in Sun Microsystems Solstice Enterprise Agent and the Solaris operating
system. This vulnerability allows attackers to execute arbitrary commands with
root privileges, manipulate system parameters and kill processes.

Affected Systems:

ISS X-Force has discovered that this vulnerability is present on the Solaris
Operating System version 2.6. Earlier versions are vulnerable. Solaris 2.7
beta is not vulnerable.
Fix Information:

Sun has made the following patch available:

106787-02: Solaris 5.6

Many administrators have no need for host based SNMP agents. Administrators
can disable the SNMP daemons temporarily by executing the following commands:

# /etc/init.d/init.snmpdx stop
# mv /etc/rc3.d/S76snmpdx /etc/rc3.d/DISABLED_S76snmpdx

Description:

The vulnerabilities are present in the SNMP daemons shipping with Solaris 2.6.
Solaris 2.6 is configured by default to support SNMP. A hidden and
undocumented community string is present in the SNMP subagent which may allow
remote attackers to change most system parameters. Remote attackers may kill
any process, update routes, potentially sidestep firewalls or disable network
interfaces. Most notably, attackers may indirectly execute arbitrary commands
with superuser privileges. This vulnerability is compounded by the fact that
these SNMP daemons are configured and executed by default. Attackers do not
need local access to the target host to exploit this vulnerability.

Additional Information:

ISS Internet Scanner and ISS RealSecure real-time intrusion detection software
have the capability to detect these vulnerabilities.

--------------------------------------------------------------------
[ISSc] See NOTES for copyright information
--------------------------------------------------------------------

ISS Security Update
November 16th, 1998

This update contains updated patch information for the ISS Security Advisory
"Hidden community string in SNMP implementation" released on November 2, 1998.

_____

Hidden community string in SNMP implementation

Synopsis:

Internet Security Systems (ISS) X-Force has discovered a serious vulnerability
in Sun Microsystems(r) Solstice(tm) Enterprise Agent(tm) and the Solaris
operating system. This SNMP hidden community string is hard coded into the
binary and can not be configured, nor is it in the configuration files. The
hidden Sun SNMP community word is not the same as the hidden HP SNMP community
string.
This vulnerability allows attackers to execute arbitrary commands with root
privileges, manipulate system parameters, and kill processes.

To determine if you are vulnerable:

Run pkginfo to determine the revision of SEA you are running on your system.
If you are running SEA 1.0 or 1.0.1 on Solaris 2.4 or 2.5, disable the agents
or upgrade your operating system. If you are running 2.5.1 or higher you may
upgrade to SEA 1.0.3.

SEA 1.0 and 1.0.1 agents will display:

% pkginfo SUNWmibii
system      SUNWmibii      Solstice Enterprise Agent SNMP daemon

For SEA 1.0.2:

% pkginfo SUNWmibii
system      SUNWmibii      Solstice Enterprise Agents 1.0.2 SNMP daemon

Updated Fix Information:

The patch information initially provided in the November 2nd advisory was
incorrect. Sun Microsystems advises all its Solaris 2.6, 2.6_x86, 2.5.1, and
2.5.1_x86 customers to upgrade to Solstice Enterprise Agents version 1.0.3.
This version is available at http://www.sun.com/solstice/products/ent.agents.

Many system administrators have no need for host-based SNMP agents.
Administrators can temporarily disable the SNMP daemons by executing the
following commands as root:

# /etc/init.d/init.snmpdx stop
# mv /etc/rc3.d/S76snmpdx /etc/rc3.d/DISABLED_S76snmpdx

--------------------------------------------------------------------
NOTES

[ISSa], [ISSb], [ISSc]

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
X-Force. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail xforce@iss.net for
permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever arising out
of or in connection with the use or spread of this information. Any use of
this information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html
as well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to: X-Force of Internet
Security Systems, Inc.

--------------------------------------------------------------------
[NAI]
--------------------------------------------------------------------

=======================================================================
Network Associates, Inc.
SECURITY ADVISORY #30
November 17, 1998

Windows NT SNMP Security Permissions
=======================================================================

SYNOPSIS

This advisory addresses a vulnerability in the common configuration of the
Windows NT SNMP Service. This vulnerability allows individuals to remotely
configure network parameters that are critical to the security and proper
operation of the system.

=======================================================================

DETAILS

The SNMP Service implements the Simple Network Management Protocol in Windows
NT. This service allows for the remote management of the network components
of Windows NT. The SNMP Service is installed through the Network control panel
by selecting the Services panel, clicking the Add button and then selecting
the SNMP Service. It is not installed as part of the normal Windows NT
installation process.

When the SNMP Service is installed, the default configuration that is provided
leaves the system vulnerable to attack. In the default configuration the SNMP
service answers to a single SNMP community ``public'', which is given
read-write permissions.
The community is a name that is used much like an account name or a password
to restrict who can access the SNMP functions and in what capacity. SNMP
provides two levels of access, read-only and read-write. The Windows NT SNMP
Service prior to Service Pack 4 does not allow communities to be configured as
read-only, so all SNMP communities have the ability to write.

If the SNMP Service is reconfigured with a more secure community name, the
system is still vulnerable to attack from users with an account on the system.
The SNMP Service parameters are stored in the registry and are readable by all
users. A user with an account on the system can read the list of configured
community names and use the community name to access the SNMP Service. With
write access to the SNMP community, a user can perform actions that are
usually restricted to users with privileged access.

In addition to restricting access to a list of community names, the Windows NT
SNMP Service has an option to restrict access to a list of IP addresses.
Although this may seem to provide a way to limit exposure to attacks from
unknown systems, it is not very effective. The SNMP protocol uses UDP packets
to exchange commands and their replies. Because the UDP protocol is
connectionless, forging the source address of command packets is trivial.
SNMP ``set'' operations can be sent with any source address since the reply
is not needed. Restricting the set of addresses that can communicate with the
SNMP service is not effective at preventing malicious ``set'' operations if
the attacker knows which addresses are allowed to communicate with the SNMP
service. Like the community name, the list of addresses that can communicate
with SNMP is stored in the registry and accessible to users with an account on
the system.
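The two facts that carry the argument above are that SNMPv1 puts the community
name into every datagram as a plain OCTET STRING, and that a ``set'' needs no
reply, so nothing in the packet binds it to a genuine source address. The
Python below is an added example for this advisory, not ISS, NAI or SingCERT
code: it builds and parses RFC 1157 GetRequest/SetRequest datagrams in
hand-written BER and then runs a monitor-style check that flags default or
unknown communities and any SetRequest, without ever consulting the source IP.
The OIDs sysName.0 and ipForwarding.0 are standard MIB-II; the allowed
community "nms-ro-7x2q" and the wording of the findings are constructed for
the demonstration.

```python
"""SNMPv1 (RFC 1157) datagram builder/parser plus a community-string audit.
Added example for this advisory (not ISS, NAI or SingCERT code); no network
I/O. OIDs are standard MIB-II; the allowed community in the demo is made up."""

GET_REQUEST, SET_REQUEST = 0xA0, 0xA3        # context tags [0] and [3]
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}

def _len(n):
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def _int(v):
    """INTEGER in minimal two's-complement form, as X.690 requires."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))

def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _value(v):
    if v is None:
        return b"\x05\x00"                      # NULL placeholder in a Get
    return _int(v) if isinstance(v, int) else _tlv(0x04, v.encode())

def build_message(community, pdu_tag, request_id, varbinds):
    """Message ::= SEQUENCE {version INTEGER(0), community OCTET STRING, PDU};
    the community is the only credential and travels in the clear."""
    vbl = b"".join(_tlv(0x30, _oid(o) + _value(v)) for o, v in varbinds)
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):
    """Return (tag, body, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _read_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_message(datagram):
    """Inverse of build_message; returns the decoded fields as a dict."""
    _, msg, _ = _read_tlv(datagram, 0)
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, rid, p = _read_tlv(pdu, 0)
    p = _read_tlv(pdu, _read_tlv(pdu, p)[2])[2]   # skip error-status/index
    _, vbl, _ = _read_tlv(pdu, p)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid, r = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, r)
        val = (int.from_bytes(vbody, "big", signed=True) if vtag == 0x02
               else None if vtag == 0x05 else vbody)
        varbinds.append((_read_oid(oid), val))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "varbinds": varbinds}

def audit_datagram(datagram, allowed, write_allowed=False):
    """Findings a monitor on UDP/161 would raise for one datagram. The source
    IP is deliberately not an input: a SetRequest sender never needs the
    reply, so a forged source costs nothing and must not count as auth."""
    m = parse_message(datagram)
    findings = []
    if m["community"] in ("public", "private"):
        findings.append("default community %r" % m["community"])
    elif m["community"] not in allowed:
        findings.append("unknown community %r" % m["community"])
    if m["pdu"] == "SetRequest" and not write_allowed:
        findings.append("SetRequest on " + ", ".join(o for o, _ in m["varbinds"]))
    return findings

if __name__ == "__main__":
    # Constructed sample: turn on ipForwarding.0 through the default community.
    pkt = build_message("public", SET_REQUEST, 2, [("1.3.6.1.2.1.4.1.0", 1)])
    print(pkt.hex(), audit_datagram(pkt, allowed={"nms-ro-7x2q"}))
```

Running it prints the SetRequest with the bytes of "public" readable at offset
7, followed by two findings for that one datagram. The check keys only on the
community and the PDU type, so a spoofed source address does not change its
verdict, which is exactly the property the IP-address restriction lacks. On a
host whose communities are READ ONLY after SP4, the same SetRequest is a noisy
no-op rather than a route or forwarding change, and the finding is still worth
raising because it shows someone holds the community name.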
=======================================================================

AFFECTED SYSTEMS

All versions of Windows NT where the administrator has enabled the SNMP
Service and not reconfigured the security parameters are vulnerable to attack
from users that can reach the system over the network.

All versions of Windows NT where the administrator has enabled the SNMP
Service are vulnerable to attack from users with accounts on the system.
These systems are vulnerable to attack from remote users if the administrator
has not removed the ``public'' community from the SNMP Service configuration
and replaced it with a hard-to-guess name.

=======================================================================

IMPACT

Remote individuals with network access to a machine running the Windows NT
SNMP Service can query and set any of the system management variables that
are supported. Information that can be queried includes:

  - the LAN Manager domain name
  - a list of users
  - a list of shares
  - a list of running services
  - a list of active TCP connections
  - a list of active UDP connections
  - a list of network interfaces and their associated IP and hardware
    addresses
  - the IP routing table and the ARP table

as well as a number of networking performance statistics.

By setting variables, an attacker can modify the IP routing table and the ARP
table. An attacker can also bring interfaces up and down and set critical
networking parameters such as the default IP time-to-live (TTL) and IP
forwarding. These settings allow an attacker to redirect network traffic,
impersonate other machines or deny the machine access to the network. The
ability to modify the routing table and enable IP forwarding on an NT host is
especially dangerous if the host is a firewall with SNMP enabled.
=======================================================================

RESOLUTION

Service Pack 4 (SP4) provides a solution to this problem by adding access
control and allowing communities to be configured READ ONLY, READ WRITE or
READ CREATE. By default, when Service Pack 4 is installed, the permissions
will be set to READ CREATE, which still allows modification of SNMP entries,
and therefore does not close this vulnerability. Ensure that the communities
are configured READ ONLY to prevent modification of SNMP entries.

To configure the SNMP service go to:

  "Control Panel" -> "Network" -> "Services" -> "SNMP Service"

- From this window, select the "Security" tab. Once within the security tab,
  the security settings of each community name can be configured. It is
  recommended that each community name be configured READ ONLY unless
  otherwise required.

The permissions on the SNMP registry key allow "Everyone" access by default.
This access allows any system user to obtain the community names utilized by
the SNMP service. The permissions on this registry key should also be set
more strictly by the Administrator. Ensure that only Administrator and other
authorized users can access the contents of the following registry key:

  Hive : HKEY_LOCAL_MACHINE
  Key  : System\CurrentControlSet\Services\SNMP\Parameters

On NT 5.0, the permissions on this key will be set securely by default.

Ensure that the community name is changed from the default "public" community
name to a more obscure name.

Block SNMP access at your firewall or border router. SNMP utilizes UDP port
161.

=======================================================================

CREDITS

Documentation and testing of this problem was conducted by Tim Newsham and
Jeremy Rauch at the security labs of Network Associates.
=======================================================================

ABOUT THE NETWORK ASSOCIATES SECURITY LABS

The Security Labs at Network Associates hosts some of the most important
research in computer security today. With over 29 security advisories
published in the last 2 years, the Network Associates security auditing teams
have been responsible for the discovery of many of the Internet's most serious
security flaws. This advisory represents our ongoing commitment to provide
critical information to the security community.

For more information about the Security Labs at Network Associates, see our
website at http://www.nai.com or contact us at .

The Security Labs at Network Associates are a participating member of FIRST,
the Forum for Incident Response Teams. For more information about FIRST, see
http://www.first.org.

=======================================================================

- -----------------------------END INCLUDED TEXT----------------------

- ---------------------------------------------------------------------------------

This security advisory is provided as a service to SingCERT's constituents.
As SingCERT did not write the document quoted above, SingCERT has had no
control over its content. The decision to use any or all of this information
is the responsibility of each user or organisation, and should be made in
accordance with site policies and procedures.

Contact information for the authors of the original document is included in
the security advisory above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

  http://www.singcert.org.sg/advisory.shtml

If you believe that your system has been compromised, contact SingCERT.

Internet Email: cert@singcert.org.sg
Facsimile:      +65 872-6198
Telephone:      +65 874-6666

SingCERT personnel answer during SingCERT business hours which are GMT+8:00
(SGT).
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBNlPBinr03uiLwmvpAQHdnQQAtoB9F3kepgvmIZpjFIQ6ZP5dWChK/xrx
pBzU19OAObwy4FrKLS3rpNYOO4i1EsfOx/zDHD8BUjW3NFIaK6u2rFG/vOUZXam0
N+kaB2TJOVSPiswWSr/GtQhFFGkBb4Zflu5GNRpLEYDF2xliGOUOwvpk+hiZbtVn
O8PBU5D+B50=
=thmX
-----END PGP SIGNATURE-----