<div dir='auto'></div><div class="gmail_quote">---------- Forwarded message ----------<br>From: US-CERT <US-CERT@ncas.us-cert.gov><br>Date: Jun 5, 2017 9:19 PM<br>Subject: TA17-156A: Reducing the Risk of SNMP Abuse<br>To: w3hwn@arrl.net<br>Cc: <br><br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<table width="700" border="0" cellspacing="0" cellpadding="0" align="center"><tbody><tr><td>
<p><img src="http://content.govdelivery.com/attachments/fancy_images/USDHSUSCERT/2015/11/675988/us-cert-banner-700x100-2_original.png" alt="U.S. Department of Homeland Security US-CERT" width="700" height="100" /></p>
<p>National Cyber Awareness System:</p>
<p> </p>
<div style="margin-bottom:2em">
<div style="font-weight:bold;font-size:120%;margin:0 0 0.3em;padding:0"><a href="https://www.us-cert.gov/ncas/alerts/TA17-156A">TA17-156A: Reducing the Risk of SNMP Abuse</a></div>
<div style="font-size:90%;font-style:italic;color:#666666;margin:0 0 0.3em;padding:0">06/05/2017 08:11 PM EDT</div>
<br />
<div style="margin:0 0 0.3em;padding:0">Original release date: June 05, 2017<br />
<h3>Systems Affected</h3>
<p>SNMP enabled devices</p>
<h3>Overview</h3>
<p>The Simple Network Management Protocol (SNMP) may be abused to gain unauthorized access to network devices. SNMP provides a standardized framework for a common language that is used for monitoring and managing devices in a network.</p>
<p>This Alert provides information on SNMP best practices, along with prevention and mitigation recommendations.</p>
<h3>Description</h3>
<p>SNMP depends on secure strings (or “community strings”) that grant access to portions of devices’ management planes. Abuse of SNMP could allow an unauthorized third party to gain access to a network device. </p>
<p>SNMPv3 should be the only version of SNMP employed because SNMPv3 has the ability to authenticate and encrypt payloads. When either SNMPv1 or SNMPv2 are employed, an adversary could sniff network traffic to determine the community string. This compromise could enable a man-in-the-middle or replay attack.</p>
<p>Although SNMPv1 and SNMPv2 have similar characteristics, 64-bit counters were added to SNMPv2 so it could support faster interfaces. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. All versions run over the User Datagram Protocol (UDP).</p>
<p>Simply using SNMPv3 is not enough to prevent abuse of the protocol. A safer approach is to combine SNMPv3 with management information base (MIB) whitelisting using SNMP views. This technique ensures that even with exposed credentials, information cannot be read from or written to the device unless the information is needed for monitoring or normal device re-configuration. The majority of devices that support SNMP contain a generic set of MIBs that are vendor agnostic. This approach allows the object identifier (OID) to be applied to devices regardless of manufacturer.</p>
<h3>Impact</h3>
<p>A remote attacker may abuse SNMP-enabled network devices to access an organization’s network infrastructure.</p>
<h3>Solution</h3>
<p>A fundamental way to enhance network infrastructure security is to safeguard networking devices with secure configurations. US-CERT recommends that administrators:</p>
<ul><li>Configure SNMPv3 to use the highest level of security available on the device; this would be <em>authPriv</em> on most devices. <em>authPriv</em> includes authentication and encryption features, and employing both features enhances overall network security. Some older images may not contain the cryptographic feature set, in which case <em>authNoPriv</em> needs to be used. However, if the device does not support Version 3 <em>authPriv</em>, it should be upgraded.</li><li>Ensure administrative credentials are properly configured with different passwords for authentication and encryption. In configuring accounts, follow the principle of least privilege. Role separation between polling/receiving traps (reading) and configuring users or groups (writing) is imperative because many SNMP managers require login credentials to be stored on disk in order to receive traps.</li><li>Refer to your vendor’s guidance for implementing SNMP views. SNMP view is a command that can be used to limit the available OIDs. When OIDs are included in the view, all other MIB trees are inherently denied. The SNMP <em>view</em> command must be used in conjunction with a predefined list of MIB objects.</li><li>Apply extended access control lists (ACLs) to block unauthorized computers from accessing the device. Access to devices with read and/or write SNMP permission should be strictly controlled. If monitoring and change management are done through separate software, then they should be on separate devices.</li><li>Segregate SNMP traffic onto a separate management network. Management network traffic should be out-of-band; however, if device management must coincide with standard network activity, all communication occurring over that network should use some encryption capability. If the network device has a dedicated management port, it should be the sole link for services like SNMP, Secure Shell (SSH), etc.</li><li>Keep system images and software up-to-date.</li></ul>
<h3>References</h3>
<ul><li><a href="https://www.ietf.org/rfc/rfc2233.txt">The Interfaces Group MIB using SMIv2</a></li></ul>
<h3>Revision History</h3>
<ul><li>June 5, 2017: Initial Release</li></ul>
<hr />
<p>This product is provided subject to this <a href="http://www.us-cert.gov/privacy/notification">Notification</a> and this <a href="http://www.us-cert.gov/privacy/">Privacy & Use</a> policy.</p>
</div>
</div>
<div>
<hr />
<table style="width:100%" border="0" cellspacing="0" cellpadding="0"><tbody><tr><td style="color:#757575;font-size:10px;font-family:'arial'" width="89%" height="60">A copy of this publication is available at <a href="https://www.us-cert.gov">www.us-cert.gov</a>. If you need help or have questions, please send an email to <a href="mailto:info@us-cert.gov">info@us-cert.gov</a>. Do not reply to this message since this email was sent from a notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT@ncas.us-cert.gov to your address book.</td></tr></tbody></table>
<table style="width:400px" border="0" cellspacing="0" cellpadding="0"><tbody><tr><td style="color:#666666;font-family:'arial' , sans-serif;font-size:12px" valign="bottom" height="24">OTHER RESOURCES:</td></tr><tr><td style="color:#666666;font-family:'arial' , sans-serif;font-size:12px" valign="middle" height="24">
<a href="http://www.us-cert.gov/contact-us/">Contact Us</a> | <a href="http://www.us-cert.gov/security-publications">Security Publications</a> | <a href="http://www.us-cert.gov/ncas">Alerts and Tips</a> | <a href="http://www.us-cert.gov/related-resources">Related Resources</a>
</td></tr></tbody></table>
<table style="width:150px" border="0" cellspacing="0" cellpadding="0"><tbody><tr><td style="color:#666666;font-family:'arial' , sans-serif;font-size:12px" colspan="7" valign="bottom" height="24">STAY CONNECTED:</td></tr><tr><td width="41"><a href="http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new"><img src="https://service.govdelivery.com/banners/GOVDELIVERY/SOCIAL_MEDIA/envelope.gif" border="0" alt="Sign up for email updates" width="25" height="25" /></a></td></tr></tbody></table>
<p style="color:#666666;font-family:'arial' , sans-serif;font-size:12px">SUBSCRIBER SERVICES:<br /><a href="http://public.govdelivery.com/accounts/USDHSUSCERT/subscribers/new?preferences=true">Manage Preferences</a> | <a href="https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/one_click_unsubscribe?verification=5.b03cc84c90ac58ffb6e970add416fb2d&destination=w3hwn%40arrl.net">Unsubscribe</a> | <a href="https://subscriberhelp.govdelivery.com/">Help</a></p>
</div>
<div>
<hr />
<table style="width:100%" border="0" cellspacing="0" cellpadding="0"><tbody><tr><td style="color:#757575;font-size:10px;font-family:'arial'" width="89%">This email was sent to w3hwn@arrl.net using GovDelivery, on behalf of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW Bldg 410 · Washington, DC 20598 · (888) 282-0870
</td><td align="right" width="11%"><a href="http://www.govdelivery.com/portals/powered-by"><img src="https://service.govdelivery.com/banners/GOVDELIVERY/logo_gd_poweredby.gif" border="0" alt="Powered by GovDelivery" width="115" height="35" /></a></td></tr></tbody></table>
</div>
</td></tr></tbody></table>
</div>
</blockquote></div><br>