I'm getting many emails from advisory organizations (SANS, CERT, etc.) regarding a huge hole in the SNMP protocol itself. This affects most vendors of networking software and hardware.
Here is the advisory from SANS:
"SANS FLASH ALERT: Widespread SNMP Vulnerability 2:30 PM EST 12 February, 2002
Note: This is preliminary data! If you have additional information, please send it to us at email@example.com
In a few minutes wire services and other news sources will begin breaking a story about widespread vulnerabilities in SNMP (Simple Network Management Protocol). Exploits of the vulnerability cause systems to fail or to be taken over. The vulnerability can be found in more than a hundred manufacturers' systems and is very widespread - millions of routers and other systems are involved.
Your leadership is needed in making sure that all systems for which you have any responsibility are protected. To do that, first ensure that SNMP is turned off. If you absolutely must run SNMP, get the patch from your hardware or software vendor. They are all working on patches right now. It also makes sense for you to filter traffic destined for SNMP ports (assuming the system doing the filtering is patched). To block SNMP access, block traffic to ports 161 and 162 for tcp and udp. In addition, if you are using Cisco, block udp for port 1993.
The problems were caused by programming errors that have been in the SNMP implementations for a long time, but only recently discovered. CERT/CC is taking the lead on the process of getting the vendors to get their patches out. Additional information is posted at http://www.cert.org/advisories/CA-2002-03.html "
2/12/02 :: Buzzkill