
Security Best Practice: Protecting against Well-known SNMP Community Strings

Attack ID: CPSA-2005-16
Publish Date:
Category: Information Disclosure
Vulnerable Systems: Network devices that support SNMP
Source:  SmartDefense Research Center
Description:

Simple Network Management Protocol (SNMP) allows administrators to remotely manage network devices made by many different vendors, including servers, workstations, routers, firewalls, and so forth. SNMP agents can be configured to allow read-only, read-write, or no access to their parameters based on the community string in a request. Well-known community strings (e.g., "public" for read-only access, "private" for read-write access) are present in multiple products and can be exploited by attackers to obtain sensitive information or modify network configuration, for example to create new services, terminate or affect existing sessions, redirect traffic to a different destination, and more.

Severity:
Details:
Several network devices have been reported to be vulnerable to this issue:

Cisco 7920 Wireless IP Phone could allow remote attackers to read, write, and erase the configuration of an affected device. The issue is due to the use of the default community strings 'private' and 'public'. For more information about the vulnerability, refer to Cisco ID: 68179.

Cisco Internetwork Operating System Software (IOS) versions 12.1(3) and 12.1(3)T could allow remote attackers to obtain the cable-docsis read-write community string to reconfigure the Cisco device. For more information about the vulnerability, refer to Cisco ID: 13629.

Linksys DSL routers include a default community string of 'private'. By querying a system using this string, an attacker could gain sensitive information about a network managed by a vulnerable Linksys router. For more information about the vulnerability, refer to seclists.org.

Cisco IOS Software releases based on versions 11.x and 12.0 contain a defect that allows a limited number of SNMP objects to be viewed and modified without authorization using an undocumented ILMI community string. For more information about the vulnerability, refer to Cisco ID: 13630.
 
Attack Detection:

Users of VPN-1 NG with Application Intelligence R55W, users of VPN-1 NGX R60 and users of InterSpect will identify the attack by one of the following SmartView Tracker log entries:

Attack Name: SNMP Enforcement Violation
Information:

  • Version earlier than version 3 was detected
  • Bad community was detected
  • ASN integer representation too long
  • An snmp connection attempt with an empty snmp community
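
The conditions named in these log entries can be illustrated with a short parser over the SNMP message header. This is an added example, not Check Point's implementation; the 4-byte INTEGER limit, the mapping of "Bad community" to the default strings "public" and "private", and the helper `v1_get` that builds constructed test packets are assumptions.

```python
# Added illustration, not Check Point code: inspects only the SNMP message header.
DEFAULT_COMMUNITIES = {b"public", b"private"}   # defaults named in this advisory
MAX_INT_LEN = 4                                  # assumed limit for a BER INTEGER

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long form: low bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER length exceeds packet")
    return tag, buf[pos:pos + length], pos + length

def inspect_snmp(packet, enforce_v3=False):
    """Return the list of violations found in the SNMP message header."""
    findings = []
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, raw_version, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    if len(raw_version) > MAX_INT_LEN:
        return ["ASN integer representation too long"]
    version = int.from_bytes(raw_version, "big", signed=True)
    if version >= 3:
        return findings                          # SNMPv3 carries no community string
    if enforce_v3:
        findings.append("Version earlier than version 3 was detected")
    tag, community, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    if community == b"":
        findings.append("An snmp connection attempt with an empty snmp community")
    elif community in DEFAULT_COMMUNITIES:       # community strings are case-sensitive
        findings.append("Bad community was detected")
    return findings

def v1_get(community):
    """Build a constructed SNMPv1 header (version, community, empty PDU) for testing."""
    inner = b"\x02\x01\x00" + b"\x04" + bytes([len(community)]) + community + b"\xa0\x00"
    return b"\x30" + bytes([len(inner)]) + inner
```

The wire value of the version field is 0 for SNMPv1, 1 for SNMPv2c and 3 for SNMPv3, which is why the check treats any value below 3 as an earlier version.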
Solution:

SmartDefense can allow all SNMP versions while dropping requests with SNMPv1 and SNMPv2 default community strings. In addition, SmartDefense enables you to protect against SNMP vulnerabilities by providing the option of enforcing SNMPv3 (the latest SNMP version) while rejecting previous versions. 

To enable the protection:

1. On the SmartDefense tree, click Application Intelligence > SNMP; the SNMP screen opens.
2. Click Allow all SNMP traffic and enable Drop requests with default community strings for SNMPv1 and SNMPv2.
3. Click Configure to edit the community strings you wish to allow on your system.
4. Install policy on all modules.

Industry Reference: CVE-2004-1776
Additional Information:

CERT SNMP FAQ