SNMP flaw affects online devices
A serious security flaw in the implementation of SNMP (Simple Network Management Protocol) allows an attacker to gain control over at least 78 cable modem models. The flaw affects devices that are reachable online, which gives attackers a green signal.
SNMP (Simple Network Management Protocol) is used for automated network device identification, monitoring and remote configuration. It is used for collecting information from, and configuring, network devices, such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP) network.
Security researchers Ezequiel Fernandez and Bertin Bervis reported the problem, which is named the StringBleed vulnerability and tracked as CVE-2017-5135.
SNMP supports three methods for authenticating clients and their requests on remote SNMP devices. Two of them are affected by the authentication bypass issue.
Versions 1 and 2 of the SNMP protocol do not have strong authentication to begin with. They provide either read-only or write access to a device’s configuration through passwords called community strings.
The StringBleed vulnerability is an Incorrect Access Control issue. Remote attackers could exploit it to execute code on vulnerable devices and gain full read/write remote permissions using any string or integer value.
The researchers said: “We know there are 3 ways to authenticate the client and requests in the remote SNMP device. SNMP version 1 & 2 use a human-readable string datatype value called ‘community string’ (usually public or private); in SNMP version 3 you have the option to use a user, password and authentication methods.”
The researchers used a simple Python script to build a “snmpget” request that used the sysDescr OID, then started scanning the Internet for devices that would respond to the request. They were looking for the sysDescr OID information that devices returned in response to requests using test strings like ‘admin’, ‘root’, and ‘user’.
The researchers added: “We wrote a simple Python script from scratch using sockets in order to build the ‘snmpget’ request. In the request we used the sysDescr OID; if the string value we are testing (admin, root etc etc) is the same stored in the SNMP agent for authentication, we are going to retrieve the sysDescr OID information successfully. It is like a kind of ‘brute force’. After some days of scanning we noticed something weird: some devices/fingerprints were always responding no matter which value we used, so what’s going here???”
The results of the Internet scan were alarming: an attacker could use any random string or integer value to authenticate to the SNMP agent on the flawed devices.
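A passive check for the symptom described above, as an added example that is not the researchers' script or code from the original article: it parses SNMP v1/v2c messages captured on your own network and lists agents that returned a GetResponse for a community string you never configured. The packets, the addresses and the `monitor-ro` community are constructed for illustration.

```python
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2   # BER context tags of the two PDU types

def read_tlv(buf, pos):
    """Read one BER tag-length-value element; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(payload):
    """Return (version, community, pdu_tag) of an SNMP v1/v2c message."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, _, _ = read_tlv(msg, pos)
    return int.from_bytes(version, "big"), community.decode("latin-1"), pdu_tag

def agents_accepting_unknown_communities(packets, configured):
    """Map agent address -> unconfigured community strings it answered."""
    hits = {}
    for src, payload in packets:
        try:
            version, community, pdu_tag = parse_snmp(payload)
        except (ValueError, IndexError):
            continue                      # not SNMP, or malformed
        # Version 0 = SNMPv1, 1 = SNMPv2c; a response echoes the request's community.
        if version in (0, 1) and pdu_tag == GET_RESPONSE and community not in configured:
            hits.setdefault(src, set()).add(community)
    return hits

def tlv(tag, value):                      # short-form encoder, only for the samples below
    return bytes([tag, len(value)]) + value

def sample(community, pdu_tag):           # constructed sysDescr.0 message, not a capture
    varbind = tlv(0x30, tlv(0x06, bytes.fromhex("2b06010201010100")) + tlv(0x04, b"constructed"))
    pdu = tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x30, varbind)
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community.encode()) + tlv(pdu_tag, pdu))

PACKETS = [                               # constructed (source address, UDP payload) pairs
    ("192.0.2.10", sample("monitor-ro", GET_RESPONSE)),   # configured community: expected
    ("192.0.2.99", sample("admin", GET_REQUEST)),         # a request alone proves nothing
    ("192.0.2.20", sample("admin", GET_RESPONSE)),        # agent answered an unknown string
    ("192.0.2.20", sample("root", GET_RESPONSE)),
]
```

Calling `agents_accepting_unknown_communities(PACKETS, configured={"monitor-ro"})` reports only 192.0.2.20, because a correctly behaving v1/v2c agent does not answer a request whose community string it does not recognize.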