[Air-l] widespread snmp problems

jeremy hunsinger jhuns at vt.edu
Tue Feb 12 12:48:33 PST 2002

Well by now you've all seen it, big problems with simple network
management protocol.  What you might not have seen is how I saw it, so
I'll share because I think it is interesting and should be for others.
Way back in 99 SANS issued a top 10 problems document that said to turn
off snmp unless absolutely necessary; this is for a wide variety of
reasons, but overall it is not a very well secured protocol or management
system, though it is quite effective.  So earlier today, I get an e-mail
from SANS saying:

1:30 PM EST 12 February, 2002

In a few minutes wire services and other news sources will begin
breaking a story about widespread vulnerabilities in SNMP (Simple
Network Management Protocol).  Exploits of the vulnerability cause
systems to fail or to be taken over.  The vulnerability can be found in
more than a hundred manufacturers' systems and is very widespread -
millions of routers and other systems are involved.

As one of the SANS alumni, your leadership is needed in making sure that
all systems for which you have any responsibility are protected. To do
that, first ensure that SNMP is turned off. If you absolutely must run
SNMP, get the patch from your hardware or software vendor. They are all
working on patches right now. It also makes sense for you to filter
traffic destined for SNMP ports (assuming the system doing the filtering
is patched).

To block SNMP access, block traffic to ports 161 and 162 for tcp and
udp.  In addition, if you are using Cisco, block udp for port 1993.

The problems were caused by programming errors that have been in the
SNMP implementations for a long time, but only recently discovered.

CERT/CC is taking the lead on the process of getting the vendors to get
their patches out.  Additional information is posted at

Lo and behold, I check yahoo at 3:30pm and there it is, posted at 2:53, an hour and 23 minutes response between effective announcement to security professionals and public. Now granted that is not a lot of time, but for highly efficient organizations, it probably was sufficient.

After the SANS announcement came out, I checked our (cddc/aoir) systems just to be sure.  At 2:40 I received the CERT announcement, which is a broad announcement which generated the media most likely.

What amazes me is the increasing systematization of information security and the professionalization that goes along with it. How does having a 1 hour period before announcement help sustain the appearance of professionalism, or the top 10 list? I haven't made that argument yet, but I'd be interested in opinions.

jeremy hunsinger		http://www.cddc.vt.edu/jeremy
cddc/political science		http://www.cddc.vt.edu
526 major williams hall 0130	http://www.dromocracy.com
virginia tech			-under construction
blacksburg, va 24061
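The filtering step the quoted SANS e-mail asks for (drop TCP and UDP to ports 161 and 162, plus UDP 1993 on Cisco gear) written out as a small policy checker, an added example that is not part of the original post or of the SANS advisory. The flow-record format, the `parse_flows`/`snmp_block_rules`/`evaluate` names and the iptables rendering are assumptions made here for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "udp"
    dport: int   # destination port
    action: str = "DROP"

def snmp_block_rules(cisco: bool = False) -> list[Rule]:
    """Rules named in the advisory: 161/162 for tcp and udp, plus udp 1993 for Cisco."""
    rules = [Rule(proto, port) for port in (161, 162) for proto in ("tcp", "udp")]
    if cisco:
        rules.append(Rule("udp", 1993))  # the advisory lists this port as udp
    return rules

def to_iptables(rules: list[Rule]) -> list[str]:
    """Render the policy as iptables INPUT rules (assumed rendering, one line per rule)."""
    return [f"iptables -A INPUT -p {r.proto} --dport {r.dport} -j {r.action}" for r in rules]

# Assumed flow-record layout: "<proto> <src>:<sport> > <dst>:<dport>"
_FLOW = re.compile(r"^(tcp|udp) (\S+):(\d+) > (\S+):(\d+)$")

def parse_flows(text: str) -> list[dict]:
    """Parse flow-record lines into dicts; lines that do not match are skipped."""
    flows = []
    for line in text.strip().splitlines():
        m = _FLOW.match(line.strip())
        if m:
            proto, src, _sport, dst, dport = m.groups()
            flows.append({"proto": proto, "src": src, "dst": dst, "dport": int(dport)})
    return flows

def evaluate(flows: list[dict], rules: list[Rule]) -> list[str]:
    """Return the action for each flow: the matching rule's action, else ACCEPT."""
    index = {(r.proto, r.dport): r.action for r in rules}
    return [index.get((f["proto"], f["dport"]), "ACCEPT") for f in flows]

# Constructed sample records (documentation-range addresses, not real traffic).
SAMPLE_LOG = """
udp 192.0.2.10:40001 > 198.51.100.1:161
udp 192.0.2.11:40002 > 198.51.100.1:162
tcp 192.0.2.12:40003 > 198.51.100.1:161
udp 192.0.2.13:40004 > 198.51.100.1:1993
tcp 192.0.2.14:40005 > 198.51.100.1:22
"""

if __name__ == "__main__":
    for flow, verdict in zip(parse_flows(SAMPLE_LOG), evaluate(parse_flows(SAMPLE_LOG), snmp_block_rules(cisco=True))):
        print(flow["proto"], flow["dport"], verdict)
```

Note that the generic policy leaves UDP 1993 untouched; the advisory only calls for it on Cisco devices, so `cisco=True` is what changes that verdict.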
