Multiple vendor SNMPv1 GetRequest, GetNextRequest, and SetRequest message handling implementations contain vulnerabilities that may allow unauthorized privileged access, denial-of-service conditions, or unstable behavior. If your site uses SNMP in any capacity, the CERT/CC encourages you to read the information provided below.
The Oulu University Secure Programming Group (OUSPG) has reported numerous vulnerabilities in multiple vendor SNMPv1 implementations. By applying the PROTOS c06-SNMPv1 test suite to a variety of popular SNMPv1-enabled products, the OUSPG revealed a number of vulnerabilities across a wide range of products. This vulnerability note focuses on vulnerabilities occurring in code responsible for SNMPv1 request handling.
SNMPv1 supports five different types of messages: GetRequest, SetRequest, GetNextRequest, GetResponse, and Trap. A single SNMP message is referred to as a Protocol Data Unit (PDU). These messages are described using Abstract Syntax Notation One (ASN.1) and translated into binary format using Basic Encoding Rules (BER). SNMP request messages are sent from managers to agents. Request messages can poll the agent for current performance or configuration data, ask for the next SNMP object in a Management Information Base (MIB), or modify configuration settings. SNMP agents should reliably decode request messages and process the resulting application data. OUSPG performed two sets of tests of SNMP request message handling: one test focused on ASN.1 decoding, the second looked for exceptions in the processing of the decoded data.
History has shown that the techniques used by the OUSPG have discovered a large number of previously undetected problems in the products and protocols they have tested. In 2001, the OUSPG produced a comprehensive test suite for evaluating implementations of the Lightweight Directory Access Protocol (LDAP). This test suite was developed with the strategy of stressing protocol implementations in unsupported and unexpected ways, and it was very effective in uncovering a wide variety of vulnerabilities across several products. This approach can reveal vulnerabilities that would not manifest themselves under normal operating conditions.
After completing its work on LDAP, OUSPG moved its focus to SNMPv1. As with LDAP, they designed a custom test suite, began testing a selection of products, and found a number of vulnerabilities. Because OUSPG's work on LDAP was similar in procedure to its current work on SNMP, you may wish to review the LDAP Test Suite and CERT Advisory CA-2001-18, which outlined results of application of the test suite.
In order to test the security of protocols like SNMPv1, the PROTOS project presents a server with a wide variety of sample packets containing unexpected values or illegally formatted data. As a member of the PROTOS project consortium, the OUSPG used the PROTOS c06-snmpv1 test suite to study several implementations of the SNMPv1 protocol. Results of the test suites run against SNMP indicate that there are many different vulnerabilities on many different implementations of SNMP.
The Simple Network Management Protocol (SNMP) is the most popular protocol in use to manage networked devices. SNMP was designed in the late 80's to facilitate the exchange of management information between networked devices, operating at the application layer of the ISO/OSI model. The SNMP protocol enables network and system administrators to remotely monitor and configure devices on the network (devices such as switches and routers). Software and firmware products designed for networks often make use of the SNMP protocol. SNMP runs on a multitude of devices and operating systems, including, but not limited to,
Consumer Broadband Network Devices (Cable Modems and DSL Modems)
Consumer Electronic Devices (Cameras and Image Scanners)
Networked Office Equipment (Printers, Copiers, and FAX Machines)
Network and Systems Management/Diagnostic Frameworks (Network Sniffers and Network Analyzers)
Networked Medical Equipment (Imaging Units and Oscilloscopes)
Manufacturing and Processing Equipment
The SNMPv1 protocol is formally defined in RFC1157. Quoting from that RFC:
Additionally, SNMP is discussed in a number of other RFC documents:
RFC 1212 Concise MIB Definitions
RFC 1213 Management Information Base for Network Management of TCP/IP-based Internets: MIB-II
RFC 1215 A Convention for Defining Traps for use with the SNMP
RFC 1270 SNMP Communications Services
RFC 2570 Introduction to Version 3 of the Internet-standard Network Management Framework
RFC 2571 An Architecture for Describing SNMP Management Frameworks
RFC 2572 Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
RFC 2573 SNMP Applications
RFC 2574 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
RFC 2575 View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
RFC 2576 Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework
These vulnerabilities may cause denial-of-service conditions, service interruptions, and in some cases may allow an attacker to gain access to the affected device. Specific impacts will vary from product to product.
Note that many of the mitigation steps recommended below may have significant impact on your everyday network operations and/or network architecture. Care should therefore be taken to ensure that any changes made based on the following recommendations will not negatively impact your ongoing network operations capability.
The CERT Coordination Center thanks the Oulu University Secure Programming Group for reporting these vulnerabilities to us, for providing detailed technical analyses, and for assisting us in preparing this advisory. We also thank the many vendors who provided feedback regarding their respective vulnerabilities.
This document was written by Ian A. Finlay.