SNMP Vulnerabilities: Read Community String Guessable

Impact

SAINT was able to guess a read community string for one of your systems. The full impact depends largely on exactly what type of device this system is. In general, anyone who guesses this read community string can obtain an awful lot of information about the device in question, and possibly about the network(s) it is on. You need to decide whether this is a security concern or not.

Background

The Simple Network Management Protocol (SNMP) is a widespread protocol that allows network administrators to obtain information on, and even configure, various network devices remotely. It is very common on all but the most basic networking hardware (hubs, switches, routers, etc.) and on many other networked devices (networked printers, terminal servers, etc.). Many workstations/PCs also have SNMP clients running on them, and most network management packages (commercial and non-commercial) make extensive use of SNMP for information gathering.

Most devices that provide SNMP allow enormous amounts of data to be accessed over it. The exact information available depends on the type of device, its manufacturer and model, but generally includes details of the hardware and OS type, information on the various network interfaces, statistics on the various network protocols, and general and vendor-specific details about what the device does and is doing. The volume of data available is generally too much to be useful to a systems administrator without some management code to sort through it. The security risk of allowing a potential intruder access to this information depends largely on what type of device it is, but realize that if the data is known to the device, it is probably accessible via SNMP.

Many devices allow themselves to be configured remotely via SNMP as well. Devices that do so generally can be completely configured in this manner. This can definitely be of use to systems administrators, but it is also an obvious security concern.

Despite their popularity, SNMP v1 and v2 have rather basic access control, using passwords called community strings. Most devices are set up with two community strings: a Read community for viewing information and a Set or Write community for changing configurations. Many devices come out of the box with SNMP operational and a read community string of "public". Write access often has to be turned on manually, but not always. Needless to say, care should be taken with both settings.

If you were notified of this vulnerability, SAINT was able to guess a read or write community string for a system you scanned. This is currently done with a simple brute-force algorithm that repeatedly tries a few guesses. See the code in bin/snmp.saint for details. In order to guess write community strings, it actually attempts to change the sysLocation OID (and then changes it back if that succeeded); by leaving off the -w flag in rules/todo you can bypass the write community string check. If it guessed your community string, you should consider changing it.

Assorted Notes

SNMP_communities.pl

SAINT currently makes use of the system identification strings it gets from SNMP when trying to determine the system type. I find this extremely useful in my environment, particularly for segregating out network printers and other odds and ends that are difficult to identify through the traditional SAINT methods (i.e. examining telnet, ftp, and smtp headers). Of course, in order for SAINT to read this information from the device, it needs to know the SNMP read community string, or to guess it.

Having warned of the potential problems with guessable community strings, I now mention an additional configuration file for providing SAINT with read community strings for a given host. In the file config/SNMP_communities.pl you can list an SNMP read community string for specific hosts, and SAINT will use that to get system information. It will also check whether the given string is guessable, unless you tell it not to (also on a host-by-host basis in that same file).

Restricting SNMP access by host address

Some SNMP clients allow you to restrict which hosts may send some or all write SNMP commands, and possibly which hosts may retrieve information as well. It is recommended that you configure such restrictions if they are available.

Clear text password warning

I believe SNMP v1 and v2 send the community strings in clear text.
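As an added example (not SAINT's code and not from bin/snmp.saint), the following Python parses a BER-encoded SNMPv1/v2c message the way a packet capture or IDS sensor would: it pulls out the community string, which travels in the clear, identifies the PDU type, and flags default communities and write attempts such as the sysLocation SetRequest described above. The two sample datagrams are hand-constructed; the tag values and OID are taken from the SNMP standards (RFC 1157 / MIB-II), and the default-community list is an assumption.

```python
# Added example, not SAINT's code: parse an SNMPv1/v2c datagram, flag default communities and writes.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest", 0xA4: "Trap"}
DEFAULT_COMMUNITIES = {"public", "private"}   # assumed list of out-of-the-box strings the text warns about

def _tlv(buf, pos):  # read one BER tag/length/value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length (values > 127 bytes)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):  # BER OBJECT IDENTIFIER body -> dotted form
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                                 # base-128, high bit set on continuation bytes
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def parse_snmp(datagram):
    """Return version (0 = v1, 1 = v2c), community, PDU name and the OIDs in the varbind list."""
    _, msg, _ = _tlv(datagram, 0)                      # outer SEQUENCE
    _, ver, pos = _tlv(msg, 0)                         # INTEGER version
    _, community, pos = _tlv(msg, pos)                 # OCTET STRING community, sent in the clear
    pdu_tag, pdu, _ = _tlv(msg, pos)
    oids, pos = [], 0
    if pdu_tag in (0xA0, 0xA1, 0xA2, 0xA3):            # v1 Trap PDUs have a different layout
        for _ in range(3):                             # skip request-id, error-status, error-index
            _, _, pos = _tlv(pdu, pos)
        vblist, pos = _tlv(pdu, pos)[1], 0
        while pos < len(vblist):
            _, vb, pos = _tlv(vblist, pos)
            oids.append(_decode_oid(_tlv(vb, 0)[1]))   # first element of each VarBind is the OID
    return {"version": int.from_bytes(ver, "big"), "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "oids": oids}

def audit(datagram):  # findings a defender cares about: default community strings and write attempts
    m, findings = parse_snmp(datagram), []
    if m["community"] in DEFAULT_COMMUNITIES:
        findings.append(f"default community '{m['community']}' on the wire")
    if m["pdu"] == "SetRequest":
        findings.append("write attempt (SetRequest) on " + ", ".join(m["oids"]))
    return m, findings

# Constructed sample datagrams (hand-encoded BER, not captured traffic): a v1 GetRequest for
# sysLocation.0 (1.3.6.1.2.1.1.6.0) with community "public", and a v1 SetRequest writing sysLocation.0 = "lab".
GET_PUBLIC = bytes.fromhex("30 26 02 01 00 04 06 7075626c6963 a0 19 02 01 01 02 01 00 02 01 00"
                           "30 0e 30 0c 06 08 2b 06 01 02 01 01 06 00 05 00")
SET_PRIVATE = bytes.fromhex("30 2a 02 01 00 04 07 70726976617465 a3 1c 02 01 01 02 01 00 02 01 00"
                            "30 11 30 0f 06 08 2b 06 01 02 01 01 06 00 04 03 6c6162")
```

Feed `audit()` the UDP payload of each packet on port 161 (for example from a pcap) to see which devices still answer to default strings and where writes are coming from.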