Systems disclose sensitive data via SNMP
A scan of 2.5 million randomly selected IP addresses by Adrian Pastor of GNUCitizen has revealed 5320 systems that can be accessed using SNMP over the internet.
Communication via SNMP is usually in plain text, including the exchange of passwords or "community strings". For security reasons, if SNMP is in use, it should be blocked at the network perimeter. However this precaution is often omitted, and the community strings are frequently left by administrators at their well-known default values. According to the report by Pastor, the most frequently detected systems were appliances such as Zyxel Prestige routers, Apple AirPort and base stations, Netopia and Cisco routers and Touchstone VoIP modems from Arris. Windows 2000 servers were also encountered. In his test, Pastor queried only the object ID (OID) 220.127.116.11.18.104.22.168.0, which returns the router model and manufacturer. He did not look for specific vulnerabilities. Pastor has previously published an analysis which reveals numerous vulnerabilities in popular routers such as the Zyxel Prestige, including SNMP exposures. In principle, SNMP access has been shown to reveal user name lists on Windows 2000 servers, DSL login data on BT Voyager routers, administrator passwords on HP printers and other parameters including login data for dynamic DNS on Zyxel routers.
The SNMP protocol itself does not represent a fundamental security problem – network and system management tools such as HP OpenView, Cisco Works LMS and Nagios have always largely relied on SNMP. But it is an intrinsically unsecured protocol designed for internal network management. As such, it should be protected from exposure to the internet.
- Exploring the UNKNOWN: Scanning the Internet via SNMP!, report from Adrian Pastor
- ZyXEL Gateways Vulnerability Research (PDF) , report from Adrian Pastor