SNMPv1 Vulnerabilities

Information Note Number: IN02-003
15 February 2002

Purpose

The purpose of this Information Note is to provide current information concerning SNMPv1 vulnerabilities and possible solutions vendors may have proposed. You may also find up-to-date information at the Carnegie Mellon website (CERT). For product specific information, contact the vendor of the affected products.

Suggested Action

Vulnerabilities have only been found in SNMP version 1 (SNMPv1), however since the structure and components of SNMP version 2 and version 3 are similar to SNMPv1, it is likely that they are vulnerable as well. Patches for SNMPv1 should apply to the other versions as they share the same base but there may be version-specific issues that will not be addressed.

Currently, the best practice for protecting systems is to block SNMP at the network gateway rather than shutting down networks or servers. Some departments are attempting to block access to the Finland SNMP test suite to prevent internal users from downloading and executing it on their internal network. OCIPEP has received confirmation that some departments have blocked web access to the Finnish site.

At this time, Government of Canada systems have not been impacted by SNMP vulnerabilities. Government departments and agencies have implemented extensive measures to mitigate SNMP vulnerabilities by applying new safeguards and are actively monitoring network environments for any potential threats. It is important that system administrators take action to mitigate the effects of the vulnerability and patch the systems.

The SANS Institute is currently distributing the self-test tool SNMPing, which is a free software package that has the ability to identify where SNMP service is enabled on every system or device connected to a network. Once the tool is utilized, the administrator can patch and protect systems. To receive the software package, you must email snmptool@sans.org. SANS is using this method of distribution in order to maintain a list of users that can be contacted if a problem should arise with the tool and an update is needed. An OCIPEP Advisory titled "Availability of a Tool to Detect SNMP Enabled Devices" (AV02-008) can be found on the OCIPEP website.

Note to Readers

The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca