[geeks] snmp vulnerabilities

Greg A. Woods woods at weird.com
Wed Feb 13 01:10:09 CST 2002


--- Bill Bradford <mrbill at mrbill.net> wrote:
> "oops"
> 
> http://www.cert.org/advisories/CA-2002-03.html

It's really sad this kind of bug needs this much attention to get fixed.
It has never been a good idea to leave SNMPv1 stuff publicly accessible,
unless you can guarantee you run them as a non-privileged user and that
they only give read-only access to information you consider to be
publicly available anyway.

Until too many security unconscious idiots had spread SNMPv1 too far and
wide in the public Internet as well as in many essentially "open"
private networks, no well meaning security person ever really worried
too much about the many known bugs in common implementations -- we
didn't believe anyone would be stupid enough to use it in any critical
place!  A recent post on BUGTRAQ suggests these bugs were known back in
the early 1990's (which would even be before I did anything substantial
with SNMP of any kind, and I learned about the known bugs and security
limitations almost immediately when I first started to use SNMP).  I've
been building separate private administrative networks in any
infrastructure sensitive places for quite a few years now, and it always
stuns me to find that other people aren't doing the same things.

It seems the fix in NET-SNMP, if I read the ChangeLog and diffs right,
was in a core ASN1 decoding routine -- a simple check for an
out-of-bounds array index was missing (four additional lines in the way
they implemented the fix).  I don't know if that's how other
implementations are broken, or not, though I wouldn't be surprised if
all known implementations use this same bit of code....

Even though advanced code checkers like SPlint (www.splint.org) can
really make your code look downright ugly with all their necessary
annotations, they do seem to be one of the better ideas.  So far splint
has helped me find a few minor bugs in some of my code.  I'm also going
to be trying out a new GCC extension that works like StackGuard
(immunix.org) but does more and is much more portable (and is freely
available, of course) (I have a nasty bug in my Xserver that gdb seems
hopeless at tracking down and perhaps this gcc extension will help).

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods at acm.org>;  <g.a.woods at ieee.org>;  <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; VE3TCP; Secrets of the Weird <woods at weird.com>
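The class of bug discussed in the post above, as an added example that is not part of the original message and is not the NET-SNMP fix itself: a BER length decoder written in C without any bound on the long-form "length-of-length" byte, beside a checked version, and a small TLV walker that uses the checked one. Function names, the sample packets and the recursion limit are all assumptions made for illustration; the packet bytes are constructed by hand, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of decoding one BER length field. */
typedef struct {
    int ok;          /* 1 if well-formed, 0 if malformed or truncated */
    size_t length;   /* decoded content length */
    size_t consumed; /* size of the length field itself */
} ber_len_t;

/* "Before": a decoder that trusts the long-form length-of-length byte.
 * Given the single byte 0x84 with nothing after it, the loop reads four
 * bytes past the end of the buffer. Shown for contrast only; main() never
 * feeds it hostile input. (Illustrative code, not any real agent's.) */
ber_len_t ber_read_len_unchecked(const uint8_t *buf, size_t buflen)
{
    ber_len_t r = {1, 0, 1};
    (void)buflen;                       /* the bound is never consulted */
    if (buf[0] < 0x80) {                /* short form: one byte */
        r.length = buf[0];
        return r;
    }
    size_t n = buf[0] & 0x7f;           /* long form: n following bytes */
    for (size_t i = 0; i < n; i++)
        r.length = (r.length << 8) | buf[1 + i];
    r.consumed = 1 + n;
    return r;
}

/* "After": the same decoder with the bounds checks a malformed packet
 * needs. buflen is the number of bytes available starting at buf, i.e.
 * what remains of the *enclosing* element, not of the whole datagram. */
ber_len_t ber_read_len(const uint8_t *buf, size_t buflen)
{
    ber_len_t r = {0, 0, 0};
    if (buflen == 0)
        return r;                       /* no length byte at all */
    if (buf[0] < 0x80) {
        r.length = buf[0];
        r.consumed = 1;
    } else {
        size_t n = buf[0] & 0x7f;
        /* reject indefinite form (0x80), lengths wider than size_t, and a
         * length-of-length that would run past the end of the buffer */
        if (n == 0 || n > sizeof(size_t) || n >= buflen)
            return r;
        for (size_t i = 0; i < n; i++)
            r.length = (r.length << 8) | buf[1 + i];
        r.consumed = 1 + n;
    }
    if (r.length > buflen - r.consumed) /* content must fit too */
        return r;
    r.ok = 1;
    return r;
}

/* Walk concatenated TLVs, descending into constructed ones. Returns the
 * number of TLVs seen, or -1 on malformed input. Depth is capped so a
 * deeply nested SEQUENCE cannot exhaust the stack. */
int ber_walk(const uint8_t *buf, size_t buflen, int depth)
{
    int count = 0;
    if (depth > 16)
        return -1;
    while (buflen > 0) {
        uint8_t tag = buf[0];
        if ((tag & 0x1f) == 0x1f)       /* multi-byte tags: not in SNMPv1 */
            return -1;
        ber_len_t l = ber_read_len(buf + 1, buflen - 1);
        if (!l.ok)
            return -1;
        count++;
        if (tag & 0x20) {               /* constructed: recurse into content */
            int sub = ber_walk(buf + 1 + l.consumed, l.length, depth + 1);
            if (sub < 0)
                return -1;
            count += sub;
        }
        buf += 1 + l.consumed + l.length;   /* cannot overrun: checked above */
        buflen -= 1 + l.consumed + l.length;
    }
    return count;
}

/* Constructed sample packets (hand-built for this example, not captured). */
static const uint8_t GOOD_GET[] = {   /* SEQUENCE { INTEGER 0, OCTET STRING "public", [0] {} } */
    0x30, 0x0d, 0x02, 0x01, 0x00, 0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c', 0xa0, 0x00 };
static const uint8_t GOOD_LONGFORM[] = { 0x30, 0x82, 0x00, 0x03, 0x02, 0x01, 0x00 };
static const uint8_t BAD_TRUNC_LOL[] = { 0x30, 0x84 };   /* claims 4 length bytes follow */
static const uint8_t BAD_HUGE_LEN[]  = { 0x30, 0x82, 0xff, 0xff, 0x02, 0x01, 0x00 };
static const uint8_t BAD_INNER[]     = { 0x30, 0x03, 0x02, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00 }; /* inner overruns outer */

int main(void)
{
    printf("GOOD_GET      -> %d\n", ber_walk(GOOD_GET, sizeof GOOD_GET, 0));
    printf("GOOD_LONGFORM -> %d\n", ber_walk(GOOD_LONGFORM, sizeof GOOD_LONGFORM, 0));
    printf("BAD_TRUNC_LOL -> %d\n", ber_walk(BAD_TRUNC_LOL, sizeof BAD_TRUNC_LOL, 0));
    printf("BAD_HUGE_LEN  -> %d\n", ber_walk(BAD_HUGE_LEN, sizeof BAD_HUGE_LEN, 0));
    printf("BAD_INNER     -> %d\n", ber_walk(BAD_INNER, sizeof BAD_INNER, 0));
    return 0;
}
```

The two points worth noticing are that the bound passed to the length decoder is the remaining size of the enclosing element, not of the datagram, so an inner TLV that fits in the packet but not in its parent (BAD_INNER) is still rejected, and that the check sits in the one routine every caller goes through, which is why a single missing comparison in a shared decoder shows up in every message type at once.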
