FW: SANS FLASH ALERT: Widespread SNMP Vulnerability

Kirt Karl plug-discuss@lists.plug.phoenix.az.us
Tue, 12 Feb 2002 14:19:25 -0700



Just thought you all might want to know about this... Sorry about the HTML
email (I'm at work on Outlook...)

Kirt

To: William Karl (SD586249)
From: Alan Paller, Director of Research, The SANS Institute

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


SANS FLASH ALERT: Widespread SNMP Vulnerability
1:30 PM EST 12 February, 2002


Note: This is preliminary data! If you have additional information,
please send it to us at snmp@sans.org

In a few minutes wire services and other news sources will begin
breaking a story about widespread vulnerabilities in SNMP (Simple
Network Management Protocol).  Exploits of the vulnerability cause
systems to fail or to be taken over.  The vulnerability can be found in
more than a hundred manufacturers' systems and is very widespread -
millions of routers and other systems are involved.

As one of the SANS alumni, your leadership is needed in making sure that
all systems for which you have any responsibility are protected. To do
that, first ensure that SNMP is turned off. If you absolutely must run
SNMP, get the patch from your hardware or software vendor. They are all
working on patches right now. It also makes sense for you to filter
traffic destined for SNMP ports (assuming the system doing the filtering
is patched).

To block SNMP access, block traffic to ports 161 and 162 for tcp and
udp.  In addition, if you are using Cisco, block udp for port 1993.

The problems were caused by programming errors that have been in the
SNMP implementations for a long time, but only recently discovered.

CERT/CC is taking the lead on the process of getting the vendors to get
their patches out.  Additional information is posted at
http://www.cert.org/advisories/CA-2002-03.html

Two final notes.

Note 1:  Turning off SNMP was one of the strong recommendations in the
Top 20 Internet Security Vulnerabilities that the FBI's NIPC and SANS
and the Federal CIO Council issued on October 1, 2001.  If you didn't
take that action then, now might be a good time to correct the rest of
the top 20 as well as the SNMP problem.  The Top 20 document is posted
at http://www.sans.org/top20.htm

Note 2:  If you have Cisco routers (that's true for 85% of our readers)
you are going to have to patch them to fix this problem. This is a great
time to make the other fixes that will protect your Cisco routers from
an increasingly common set of increasingly bad attacks.

A great new free tool will be announced on Thursday that checks Cisco
routers, finds most problems, and provides specific guidance on fixing
each problem it finds.  We've scheduled a web broadcast for Thursday
afternoon at 1 PM EST (18:00 UTC) to tell you about it and how to get
it.

Mark your calendar now and we'll supply complete data in tomorrow's
Newsbites and on the SANS web site tomorrow, as well.


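The alert says to filter traffic to ports 161 and 162 (TCP and UDP) and, on Cisco gear, UDP 1993. The following Python audit, added here and not part of the forwarded SANS alert, applies that port list to a handful of constructed netfilter-style firewall log lines and reports SNMP flows whose source is outside a trusted management network, so an administrator can confirm the filter holds and spot devices still being polled; the log format, the sample addresses and the management subnet are assumptions.

```python
"""Audit firewall logs for SNMP traffic the SANS alert says to filter."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Ports named in the alert: 161 and 162 over TCP and UDP, plus UDP 1993 (Cisco).
SNMP_PORTS = {("tcp", 161), ("udp", 161), ("tcp", 162), ("udp", 162), ("udp", 1993)}

# Constructed sample lines in netfilter's kernel-log format (not real traffic).
SAMPLE_LOG = """\
Feb 12 14:05:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 PROTO=UDP SPT=40000 DPT=161 LEN=60
Feb 12 14:05:02 fw kernel: IN=eth0 OUT= SRC=10.0.9.2 DST=10.0.0.5 PROTO=UDP SPT=40001 DPT=161 LEN=60
Feb 12 14:05:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.7 PROTO=TCP SPT=40002 DPT=162 LEN=52
Feb 12 14:05:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=10.0.0.9 PROTO=UDP SPT=40003 DPT=1993 LEN=60
Feb 12 14:05:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=10.0.0.9 PROTO=TCP SPT=40004 DPT=22 LEN=52
Feb 12 14:05:06 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 PROTO=ICMP TYPE=8 CODE=0
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return (src, dst, proto, dport), or None for lines without a port (e.g. ICMP)."""
    m = LINE_RE.search(line)
    if not m or m.group("dpt") is None:
        return None
    return m.group("src"), m.group("dst"), m.group("proto").lower(), int(m.group("dpt"))


def is_snmp(proto, dport):
    """True when the flow targets one of the ports the alert says to block."""
    return (proto, dport) in SNMP_PORTS


def audit(log_text, management_nets):
    """Flag SNMP flows from sources outside the trusted management networks.

    Returns (list of offending flows, Counter of offending flows per source IP).
    """
    trusted = [ip_network(n) for n in management_nets]
    hits = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None or not is_snmp(flow[2], flow[3]):
            continue
        if any(ip_address(flow[0]) in net for net in trusted):
            continue  # the management station may poll; everyone else should be filtered
        hits.append(flow)
    return hits, Counter(f[0] for f in hits)


if __name__ == "__main__":
    for src, dst, proto, dport in audit(SAMPLE_LOG, ["10.0.9.0/24"])[0]:
        print(f"SNMP from untrusted {src} -> {dst} {proto}/{dport}")
```

Feed it the real firewall log and the actual management subnet; any flow it reports is either a gap in the filter or a host that still has SNMP enabled.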
