February 12, 2002 5:40 PM PST
Flaws in common software threaten Net
- Related Stories
Basic network flaw threatens Net's usersFebruary 12, 2002
As previously reported, the Computer Emergency Response Team (CERT) Coordination Center, a major clearinghouse for security-related information on the Internet, issued an advisory and urged system administrators and network engineers to test any device that is centrally managed using the Simple Network Management Protocol. SNMP is a popular digital language for communicating with routers, switches and other network devices.
"These vulnerabilities may allow unauthorized privileged access, denial-of-service attacks or cause unstable behavior," said the CERT/CC in its advisory, which listed the responses of nearly 50 companies that make products affected by the flaw, including Microsoft, Sun Microsystems, Cisco Systems, 3Com, Nortel Networks and Hewlett-Packard.
The security problems are caused by software flaws inadvertently included in popular implementations of SNMP. The digital language allows engineers to glean status and performance information as well as more easily manage the components of their network.
In the Tuesday advisory, the CERT/CC warned that the flaws could be used to attack those basic components of the Internet. While the advisory had a large number of responses, an even larger number of other companies--nearly 250--had products that may be vulnerable to the problems, said Martin Lindner, team leader for incident handling at the CERT/CC.
"It is a very prevalent protocol," Lindner said. "It's used everywhere."
Hubs and switches from 3Com and Cisco are affected by the SNMP security problems. Some operating systems, such as Hewlett-Packard's HP-UX, use the protocol to allow a remote administrator to manage the system. Printers and all-in-one office systems from companies such as HP and Canon may also be vulnerable.
Among the surprises on the list: Networked medical equipment, such as imaging units and oscilloscopes, some uninterruptible power supplies, and digital cameras may also be at risk.
The main problem is that the software was never meant to be secure, only to work, said Paul McNabb, deputy director of the Center for Advanced Research in Information Security at the University of Illinois at Urbana-Champaign.
Gartner analyst Bill Gassman says enterprises must act quickly to head off the hacker attacks that
will almost certainly result from the security
holes known to be in the Simple Network Management Protocol.
"These protocols were not designed for security," McNabb said. "There are assumptions that are made (in the protocols) that are no longer valid in today's world."
The flaws were found last year by the Oulu University's Secure Programming Group (OUSPG) in Finland. The group found the problems during a research project aimed at testing the security of fundamental protocols on which the Internet is based. The group notified the CERT/CC about the holes last summer, and the watchdog has been working since then to warn network-hardware makers and telecommunications companies about the problems.
The Simple Network Management Protocol was developed in the late 1980s and quickly became the common way to manage a mixed network of devices. The Oulu University group only studied version 1 of the protocol, so the CERT advisory pertains only to that--the earliest--version. The latest version of the standard, version 3, was released in 2001 and addresses many of the security concerns. But it is still not widely deployed.
After a meeting last week with major telecommunications providers, word of the SNMP security problems started leaking out, said one source, who requested anonymity. The leaks broke almost five months of near silence.
As rumors started circulating around the Internet about the flaw, CERT officials--worried the hints would spur hackers to look more closely at SNMP--rushed the release of an advisory. CERT released the warning at 10 a.m. PST on Tuesday with various companies' responses.
The speed with which the advisory was published caught many companies--including Silicon Graphics, Sun, Microsoft, Red Hat and Cisco--by surprise, leaving them unable to get patches up immediately.
"We have identified the vulnerabilities and are producing patches," said Steve Langdon, a spokesman for network hardware maker Cisco.
Engineers typically use the SNMP to centrally manage the various devices connected to one another via the same network.
"SNMP and basic pinging of devices are the two things network engineers rely on to gauge the basic health of their network," said David Dittrich, a senior security engineer at the University of Washington.
Routers and switches--the hardware devices responsible for directing data around office networks and the Internet--are the most common devices with functions that use SNMP. But any remotely managed device is likely to have the software onboard, Dittrich said, including PCs and printers.
"Using SNMP, a printer can tell you if it's out of paper," Dittrich said.
Although many network-hardware makers have patched the software for their devices, CERT's Lindner believes that the majority of network devices connected to the Internet are vulnerable.
The problems acutely affect large Internet service providers, the providers of large-bandwidth data services that form the backbone of the Internet. Those services typically make use of hundreds, if not thousands, of routers and switches, which in many cases are centrally managed.
But many telecommunications providers have not trusted SNMP data, said Christopher Budd, program manager for Microsoft's security response center. Much of the data is sent in the clear, without encryption, leaving the protocol with little security.
"It's untrusted by default, so those big network operation centers would be using it in a very limited, controlled manner," Budd said. Large companies tend to have an entirely separate network for their SNMP data to keep it safe from prying eyes, he said.
Microsoft's products do not load SNMP by default, but are vulnerable if the network service has been loaded, said Budd. Microsoft released its own advisory on Tuesday, highlighting a way to work around the problem until the software giant posts a patch.