Users face a major risk using Internet-based management software
based on SNMP, the Simple Network Management Protocol used in
system management software.
CERT/CC (Computer Emergency Response Team/Coordination Center), the
federally funded computer security body, identified a number of
issues with SNMP version 1.0. The flaws, it stated, could allow
attackers to stage denial of service attacks, take over systems and
threaten the Internet.
Information about the vulnerabilities has already begun to surface
in attacker communities. CERT/CC advised administrators to act
quickly by applying available patches.
The vulnerabilities were first discovered by the Secure Programming
Group of Finland's Oulu University. The team at Oulu found multiple
vulnerabilities in the way SNMP version one is implemented in many
vendors' products. The vulnerabilities involve the way in which
SNMP implementations handle warning and error messages, along with
requests.
The CERT/CC alert stated that the flaws in the products are
particularly serious because "many of the affected products provide
key services to the Internet infrastructure. Large-scale outages of
these devices could disable significant portions of the global
network," CERT/CC said in its alert.
CERT/CC's Marty Lindner, team leader handling this security issue,
said an automated attack tool could be written to take advantage of
the flaws.
SNMP is a protocol used by many suppliers to enable network and
systems administrators to remotely monitor and configure any number
of network devices, including routers, switches and operating
systems.
SNMP "is very, very widely used," according to Russ Cooper, an IT
expert who heads up security firm TruSecure. "It's used in most
corporations and certainly in all ISPs (Internet service
providers)."
Vendors whose products are affected include Avaya Inc., 3Com Corp.,
Caldera Systems Inc., Cisco Systems Inc., Compaq Computer Corp.,
Computer Associates International Inc., Hewlett-Packard Co.,
Juniper Networks Inc., Lotus Software Group, Lucent Technologies
Inc., Microsoft Corp., Netscape Communications Corp., Nokia Corp.,
Novell Inc., Silicon Graphics Inc. and Sun Microsystems Inc.
Different vendors have responded to the vulnerabilities in
different ways, with many of them already offering patches, though
some have not, according to the alert.
Though some vendors have issued fixes, the challenge to network
administrators may still be great, according to CERT/CC's alert.
Administrators will need to apply patches and make changes to many
different kinds of devices throughout their networks, changes which
may not be easy to make, the organization said.
TruSecure, Cooper's company, obtained a copy of the suite of tests
created by the Oulu team from contacts in the "black hat," or
malicious, underground. Cooper said that this indicated that
potential attackers already have knowledge of the vulnerabilities
and may be working on attack tools. As these attacks generally take
a long time to run, users may not see an immediate threat, Cooper
explained.