Original URL: http://www.theregister.co.uk/2008/03/05/snmp_vuln_scan/

Networks left open to SNMP scans

Minority of networks leave out welcome mat for hackers

By John Leyden

Posted in Security, 5th March 2008 14:27 GMT

Some sysadmins are leaving their networks open to hacking attack by allowing Simple Network Management Protocol (SNMP) configurations to be read across the internet.

Using SNMP scans, a range of devices including Windows servers, BT Voyager 2000 routers, and HP JetDirect printers might be prompted to cough up username credentials and passwords, according to Adrian Pastor of GNUCitizen.

SNMP is a core component of the internet management architecture and is used in tools such as HP Openview and Cisco Works. The protocol is unsecured, but defending against attacks is a simple matter of blocking external SNMP requests at the firewall.

However, a scan of 2.5 million random IP addresses by GNUCitizen revealed that 5,320 (about one in 500) responded to the submitted SNMP requests. Read access to SNMP configuration lets hackers spy on targeted networks.

The security weakness might easily enable hackers to change device configurations using a spoofed IP address - if a valid write community string is identified or cracked. This invasive hacking attack was not tested by the GNUCitizen scan.

Read-only access might be bad news, Pastor notes. "Even if a cracker only gained read access to a device or server via a SNMP community string, sometimes it would be possible to extract sensitive information such as user names and passwords which would eventually lead to a compromise of the targeted systems." ®