SNMP is one of the most widely-used monitoring protocols in the world. Countless network hardware manufacturers include SNMP with devices to make it easier for an enterprise to monitor infrastructure. However, despite its popularity, SNMP isn’t without its limitations.
Cybercriminals can leverage vulnerabilities in the protocol to break into a network, steal your private information, and launch DoS attacks. Knowing just a little about the basics of SNMP vulnerabilities can help you to prepare your defenses accordingly.
In this article, we’re going to look at some common SNMP vulnerabilities and how you can protect against them.
How does SNMP Work? And how is it Vulnerable to Attackers? (Public Community Strings)
SNMP is a protocol that network administrators use to monitor devices such as computers, routers, switches, servers, printers, and printers. SNMP works by having an SNMP manager send Get requests alongside an SNMP agent located inside an SNMP-enable device. The requests also contain a community string with an ID or password.
Each request has an Object Identifier (OID) or query string to retrieve specific information from the device. Based on the Get requests, the SNMP agent pulls data from managed objects in the Management Information Base (MIB) on the local device. The agent then sends the collected data from the MIB to the SNMP manager where a human user can view it through a URL.
The agent can also initiate alert messages or SNMP traps that tell the manager when a piece of hardware overheats or fails. SNMP traps provide periodic performance information so that a user can tell when a device is working or not.
There are two modes that SNMP operates in:
- Read-only – A mode where an agent can query devices and read information but cannot alter configurations. Contains a “public” community string.
- Read-write – A mode where an agent can make changes to a device and its configurations. Contains a “private” community string.
One of the key vulnerabilities of a number of versions of the SNMP protocol (SNMPv1 and SNMPv2) is that SNMP messages are sent across the network unencrypted, meaning that someone with a packet sniffer can read the community string in plain text. In other words, they can steal the login credentials and then use them to eavesdrop on the message content or take control of the SNMP-enabled devices.
SNMP Protocol Versions (SNMPv1, SNMPv2c, SNMPv3)
There are three types of SNMP that you need to be aware of:
The original SNMP protocol, which only supports 32-bit counters. SNMPv1 is easy to set up but is only protected by a community string. A plain text community string is sent from devices within a range of permitted IP addresses.
So if malicious entities gain access to the network then they’ll be able to discover the community string in plain text. Once they have the community string they can create a spoofed IP address and interact with your network. The best way to control this risk is by restricting devices to SNMP read-only access unless absolutely necessary to provide write access.
An updated version of SNMP rebased in 1993 that added support for 64-bit counters with improved error handling and SET commands. Enhanced error handling support now means you can view expanded error codes to differentiate between errors.
It’s important to note that this version of SNMP still sends community strings as clear text with no encryption options, leaving it vulnerable to the same security concerns as SNMPv1.
The latest version of SNMP with additional security features such as the User-based Security Model (USM), and View-based Access Control Model (VACM), authentication, and encryption. To ensure that SNMP messages can’t be read by unauthorized entities, SNMPv3 encrypts SNMP trap messages. Perhaps the only drawback of SNMPv3 is that it’s more complex than other versions because of the improved security features.
Which SNMP Version is Best?
In terms of security, SNMPv3 blows SNMPv1 and SNMPv2c out of the water. The lack of privacy, authentication, and access control make SNMPv1 and SNMPv2 much more vulnerable to being compromised than SNMPv3. SNMPv3’s encryption restricts who can view SNMP traffic while SHA and MD5 authenticate that SNMP messages can only be read by authorized users.
Although SNMPv3 is the most secure, its complexity and network performance footprint mean that you should only use it if you need to maintain read-write access for a prolonged period of time. Otherwise, you’ll most likely be okay using SNMPv1 or SNMPv2c and setting read-only permissions.
Key SNMP Vulnerabilities
Now that we’ve briefly looked at the different versions of SNMP, we’re going to look at the security concerns that SNMPv1, SNMPv2c, and SNMPv3 have. It’s important to emphasize that even SNMPv3 isn’t without its security vulnerabilities.
SNMP Vulnerabilities: Public Community Strings in SNMPv1 and SNMPv2c
The CVE is a list of known security vulnerabilities that you can use to identify risk factors within your IT environment. The CVE includes an extensive list of SNMP vulnerabilities that you can use to keep track of risks to your network. There are too many to list here, so we’re going to look at a couple of these vulnerabilities below:
- CVE-2002-0013 – Attackers can exploit SNMPv1 to launch a DoS attack or gain access privileges by overwhelming SNMP by sending a high number of GetRequest, GetNextRequest, or SetRequest messages.
- CVE-2002-0012 – Attackers can use SNMPv1 trap handling to execute a DoS attack or gain access privileges.
CVE-2002-0013 and CVE-2002-0012 are particularly devastating because a hacker can launch a DoS attack or gain admin access to your files. Most DoS attacks occur when an attacker uses a packet sniffer to infiltrate your network and obtain the plain-text community strings.
Once hackers have the community string they can use it to break into multiple devices and send a high volume of GetRequests, GetNextRequests, or SetRequest messages to overwhelm the network’s resources with malicious traffic. Such attacks will result in the network service being unavailable to other users and cause costly downtime.
Alternatively, the cybercriminal can take a more passive approach and launch a man-in-the-middle attack, and eavesdrop on the communication between two hosts to gather private data. Man-in-the-middle attacks are dangerous because they cause data leaks.
Both the original SNMPv1 and SNMPv2c are vulnerable to this type of attack because they display community strings in clear-text. As a consequence, one of the best ways to protect against DoS and man-in-the-middle attacks is to avoid using SNMPv1 and SNMPv2c, while restricting SNMP-enabled devices to read-only access.
SNMPv3’s Discovery Mechanism Vulnerability
SNMPv3 attempted to address the public community string vulnerability of SNMPv1, and SNMPv2c head-on by adding encryption and authentication to make it harder for cybercriminals to sniff SNMP traffic. While authentication and encryption were useful additions to SNMP, SNMPv3 there is still a vulnerability hackers can use to read encrypted communications and create spoofed messages.
In the Under New Management: Practical Attacks on SNMPv3 report, Nigel Lawrence and Patrick Traynor suggest that SNMP has a “fundamental flaw,” and that the discovery mechanism of SNMPv3 “can be manipulated to allow an attacker to select the encryption and authentication keys used by the protocol.”
If attackers gain control of SNMPv3’s encryption and authentication keys then they would not only be able to collect information about devices but also control the devices. Fortunately, there are a number of steps that administrators can use to protect against this vulnerability, including:
- Ensure no SNMP agents are using DHCP (reduced chance of spoofing).
- Use IPsec (to protect the discovery process).
- Use the Transport Security Model (TSM) to secure traffic.
SNMP Command Injection (GE and Symantec Web Gateway)
With SNMP you not only need to worry about protocol vulnerabilities but also updating your devices. Outdated device firmware could give attackers the opportunity to start executing commands, causing a whole host of problems.
We’ve listed two known command injection vulnerabilities below:
- General Electric Industrial Solutions UPS SNMP/Web adapter devices with outdated firmware (4.8 and below) allow remote users to execute commands.
- SNMPConfig.php in the Symantec Web Gateway console allows remote users to execute commands (in versions 5.2.1 and below)
Keeping your network firmware updated whether manually or with a configuration management tool eliminates vulnerabilities for attackers to exploit. This makes it harder for them to gain access to your devices and launch command injection attacks.
How to Find SNMP Vulnerabilities: Penetration Testing
One simple way to identify configuration issues is to conduct penetration testing. Penetration testing is where you take on the role of an attacker and attempt to hack into your network with the aim of discovering vulnerabilities so you can fix them before a real attacker has a chance to exploit them.
In this section, we’re going to look at how to find SNMP community strings with NMAP (Network Mapper) on Linux. NMAP is a free vulnerability scanning tool that functions through the command line. SNMP functions at UDP port 161. You can run a UDP scan in NMAP by entering the following command (sU specifies the port, sV specifies version detect, and IP address of your router):
-sU -p161, 162 -sV 220.127.116.11
The UDP scan will take a few minutes to complete. Once the scan is finished you’ll see the STATE, SERVICE, and VERSION of ports 161 and 162
After verifying that the port is open, you can run an NMAP script to brute force the community string credentials. You can do this by entering the following command:
-sU -p161 18.104.22.168 - -script snap-brute
Once the scan is finished, you’ll see a list of community strings discovered by NMAP. If no credentials are found then NMAP won’t produce any output.
As you can see, if you’re using an earlier version of SNMP it’s very easy for a hacker to scan for community strings. Using SNMPv3 shuts down this potential entry point so cybercriminals have to work much harder to get access to your information.
How to Protect Against SNMP Vulnerabilities: Best Practices
While SNMP opens up lots of options for networking, it needs to be secured carefully to avoid security breaches. If it isn’t secured properly, then the intruder will be able to obtain information on ARP tables, usernames, and TCP connections. You can keep SNMP secure by following the best practices below:
1. Disable SNMP on hosts when you’re not using them
If you’re not using SNMP on a host then disable it. Disabling SNMP will stop the protocol from acting as an entry point for attackers so that there is no opportunity for unauthorized listening.
2. Change the default SNMP community read string
Most SNMP-enabled device vendors provide equipment with the default community string “public.” While the default community string is convenient for setting up a device it needs to be changed otherwise an attacker can use to gather information from your network.
3. Block SNMP traffic to ports 161 and 162
If UDP ports 161 and 162 are open, then attackers have an opportunity to access your SNMP traffic, and potentially the opportunity to reconfigure your devices and disrupt normal operation. To combat this, you can block traffic to ports 161 and 162 at the firewall. Alternatively, you can opt to monitor the traffic to watch out for malicious activity.
4. Create Access Control Lists (ACLs)
Access Control Lists (ACLs) are useful because they allow you to restrict access to computers so that only authorized computers can access an SNMP device. Filtering access keeps out attackers and decreases the likelihood of a data breach. Create an ACL for all devices with read and/or write SNMP permissions.
5. Regularly update software throughout your network
Updating the software of your devices regularly makes sure that there are no unpatched vulnerabilities that hackers can use to breach your device. Keeping device software updated is also recommended for general network security and for avoiding other types of threats like malware and ransomware.
6. Restrict access to SNMP devices
Restrict access to SNMP-enabled devices by limiting which nodes have read-write permissions and assign read-only permissions where possible. Configuring devices with read-only permissions will restrict the users’ ability to change device parameters, lowering the risk of DoS attacks and other malicious changes if a device is compromised.
7. Choose strong community strings
Community strings are like passwords in that they should be made as strong as possible. Create community strings that are over 20 characters, with a mixture of uppercase letters, lowercase letters, numbers, and special characters. It’s also a good idea to avoid dictionary words or words related to you or your company. Remember that attackers can try to brute force your password without being locked out!
8. Avoid NoAuthNoPriv and Use AuthNoPriv or AuthPriv (SNMPv3)
Avoid using the NoAuthNoPriv mode as it doesn’t encrypt transmissions. Instead, use the AuthNoPriv mode to encrypt authentication credentials and configure it to use MD5 and SHA for extra security. If you require more security you can use the AuthPriv mode to encrypt authentication credentials and device responses at the cost of system performance.
9. Configure SNMP users with views (SNMPv3)
Use the SNMP view command to restrict which OIDs and performance data they can view. Limiting access to performance data means that if a device becomes compromised the intruder only has access to partial information.
Are SNMP Vulnerabilities Still a Threat?
While you’re far more likely to be targeted by threats like malware, phishing attempts, and malware, SNMP vulnerabilities shouldn’t be ignored when a single attack can result in a costly data breach or DoS attack that puts you out of action. Taking the time to implement some basic configurations is well worth the time invested when you consider the average cost of downtime is $5,600 per minute.
Opt for SNMPv3 (If You Can!)
SNMP is an essential network monitoring protocol for network administrators and provides a ton of valuable monitoring information, but it’s important to be aware of the risks. We’ve just scratched the service of some of the vulnerabilities that SNMP has, from weaknesses in the protocol itself to exploits through third-party devices.
So when using SNMP you want to make sure that you pay particular attention to what version you’re using (ideally SNMPv3 – but remember there are still vulnerabilities to defend against!) and to the firmware versions of your network devices. Simply keeping your devices updated can make your life much easier.
Remember that SNMP versions 1, 2, and 2c present the highest level of risk because community strings are communicated in clear text, and can be used by attackers during an attack.