Common SNMP Vulnerabilities Guide

The Simple Network Management Protocol (SNMP) is at the core of just about all of the network device monitoring systems available on the market today. This system involves a device agent and a central controller, called the SNMP Manager. All of the network device vendors install an SNMP agent program on each device before shipping it. The network monitoring package that you install takes the role of the SNMP Manager.

The spec for SNMP is very detailed and it provides a format for device agents to pass extensive details about a switch or a router to the controller. This mechanism is at the heart of all of those network monitoring features that automate the duties of network administrators: network discovery, network mapping, device component alerts, CPU usage, traffic throughput per interface, and interface capacity.

Unfortunately, the original SNMP was designed in an era when it could be assumed that the boundary security was sufficient to keep the network secure. This is no longer a valid assumption. Thus, the protocol is not only vulnerable to hijacking, it can actually be used by hackers to gather intel and to cause chaos. The designers of SNMP addressed these issues by introducing authentication processes into the protocol and you need to make sure that you are using SNMP v3 to be fully secure.

How does SNMP Work? And how is it Vulnerable to Attackers? (Public Community Strings) 

Simple Network Management Protocol

SNMP is a protocol that network administrators use to monitor devices such as computers, routers, switches, servers, printers, and printers. SNMP works by having an SNMP manager send Get requests alongside an SNMP agent located inside an SNMP-enable device. The requests also contain a community string with an ID or password.

Related post: What is SNMP Community String?

Each request has an Object Identifier (OID) or query string to retrieve specific information from the device. Based on the Get requests, the SNMP agent pulls data from managed objects in the Management Information Base (MIB) on the local device. The agent then sends the collected data from the MIB to the SNMP manager where a human user can view it through a URL.

The agent can also initiate alert messages or SNMP traps that tell the manager when a piece of hardware overheats or fails. SNMP traps provide periodic performance information so that a user can tell when a device is working or not.

There are two modes that SNMP operates in:

  • Read-only – A mode where an agent can query devices and read information but cannot alter configurations. Contains a “public” community string.
  • Read-write – A mode where an agent can make changes to a device and its configurations. Contains a “private” community string.

One of the key vulnerabilities of a number of versions of the SNMP protocol (SNMPv1 and SNMPv2) is that SNMP messages are sent across the network unencrypted, meaning that someone with a packet sniffer can read the community string in plain text. In other words, they can steal the login credentials and then use them to eavesdrop on the message content or take control of the SNMP-enabled devices.

For more information on SNMP Community Strings and how to find and create them, click the link.

SNMP Protocol Versions (SNMPv1, SNMPv2c, SNMPv3)

There are three types of SNMP that you need to be aware of:

SNMPv1 

The original SNMP protocol, which only supports 32-bit counters. SNMPv1 is easy to set up but is only protected by a community string. A plain text community string is sent from devices within a range of permitted IP addresses.

So if malicious entities gain access to the network then they’ll be able to discover the community string in plain text. Once they have the community string they can create a spoofed IP address and interact with your network. The best way to control this risk is by restricting devices to SNMP read-only access unless absolutely necessary to provide write access.

SNMPv2c 

An updated version of SNMP rebased in 1993 that added support for 64-bit counters with improved error handling and SET commands. Enhanced error handling support now means you can view expanded error codes to differentiate between errors.

It’s important to note that this version of SNMP still sends community strings as clear text with no encryption options, leaving it vulnerable to the same security concerns as SNMPv1.

SNMPv3

The latest version of SNMP with additional security features such as the User-based Security Model (USM), and View-based Access Control Model (VACM), authentication, and encryption. To ensure that SNMP messages can’t be read by unauthorized entities, SNMPv3 encrypts SNMP trap messages. Perhaps the only drawback of SNMPv3 is that it’s more complex than other versions because of the improved security features.

Which SNMP Version is Best?

In terms of security, SNMPv3 blows SNMPv1 and SNMPv2c out of the water. The lack of privacy, authentication, and access control make SNMPv1 and SNMPv2 much more vulnerable to being compromised than SNMPv3. SNMPv3’s encryption restricts who can view SNMP traffic while SHA and MD5 authenticate that SNMP messages can only be read by authorized users.

Although SNMPv3 is the most secure, its complexity and network performance footprint mean that you should only use it if you need to maintain read-write access for a prolonged period of time. Otherwise, you’ll most likely be okay using SNMPv1 or SNMPv2c and setting read-only permissions.

Key SNMP Vulnerabilities 

Hacker working on laptop

Now that we’ve briefly looked at the different versions of SNMP, we’re going to look at the security concerns that SNMPv1, SNMPv2c, and SNMPv3 have. It’s important to emphasize that even SNMPv3 isn’t without its security vulnerabilities.

SNMP Vulnerabilities: Public Community Strings in SNMPv1 and SNMPv2c 

The CVE is a list of known security vulnerabilities that you can use to identify risk factors within your IT environment. The CVE includes an extensive list of SNMP vulnerabilities that you can use to keep track of risks to your network. There are too many to list here, so we’re going to look at a couple of these vulnerabilities below:

  • CVE-2002-0013 – Attackers can exploit SNMPv1 to launch a DoS attack or gain access privileges by overwhelming SNMP by sending a high number of GetRequest, GetNextRequest, or SetRequest messages.
  • CVE-2002-0012 – Attackers can use SNMPv1 trap handling to execute a DoS attack or gain access privileges.

CVE-2002-0013 and CVE-2002-0012 are particularly devastating because a hacker can launch a DoS attack or gain admin access to your files. Most DoS attacks occur when an attacker uses a packet sniffer to infiltrate your network and obtain the plain-text community strings.

Once hackers have the community string they can use it to break into multiple devices and send a high volume of GetRequests, GetNextRequests, or SetRequest messages to overwhelm the network’s resources with malicious traffic. Such attacks will result in the network service being unavailable to other users and cause costly downtime.

Alternatively, the cybercriminal can take a more passive approach and launch a man-in-the-middle attack, and eavesdrop on the communication between two hosts to gather private data. Man-in-the-middle attacks are dangerous because they cause data leaks.

Both the original SNMPv1 and SNMPv2c are vulnerable to this type of attack because they display community strings in clear-text. As a consequence, one of the best ways to protect against DoS and man-in-the-middle attacks is to avoid using SNMPv1 and SNMPv2c, while restricting SNMP-enabled devices to read-only access.

SNMPv3’s Discovery Mechanism Vulnerability 

SNMPv3 attempted to address the public community string vulnerability of SNMPv1, and SNMPv2c head-on by adding encryption and authentication to make it harder for cybercriminals to sniff SNMP traffic. While authentication and encryption were useful additions to SNMP, SNMPv3 there is still a vulnerability hackers can use to read encrypted communications and create spoofed messages.

In the Under New Management: Practical Attacks on SNMPv3 report, Nigel Lawrence and Patrick Traynor suggest that SNMP has a “fundamental flaw,” and that the discovery mechanism of SNMPv3 “can be manipulated to allow an attacker to select the encryption and authentication keys used by the protocol.”

If attackers gain control of SNMPv3’s encryption and authentication keys then they would not only be able to collect information about devices but also control the devices. Fortunately, there are a number of steps that administrators can use to protect against this vulnerability, including:

  • Ensure no SNMP agents are using DHCP (reduced chance of spoofing).
  • Use IPsec (to protect the discovery process).
  • Use the Transport Security Model (TSM) to secure traffic.

SNMP Command Injection (GE and Symantec Web Gateway)

With SNMP you not only need to worry about protocol vulnerabilities but also updating your devices. Outdated device firmware could give attackers the opportunity to start executing commands, causing a whole host of problems.

We’ve listed two known command injection vulnerabilities below:

  • General Electric Industrial Solutions UPS SNMP/Web adapter devices with outdated firmware (4.8 and below) allow remote users to execute commands.
  • SNMPConfig.php in the Symantec Web Gateway console allows remote users to execute commands (in versions 5.2.1 and below)

Keeping your network firmware updated whether manually or with a configuration management tool eliminates vulnerabilities for attackers to exploit. This makes it harder for them to gain access to your devices and launch command injection attacks.

How to Find SNMP Vulnerabilities: Penetration Testing 

One simple way to identify configuration issues is to conduct penetration testing. Penetration testing is where you take on the role of an attacker and attempt to hack into your network with the aim of discovering vulnerabilities so you can fix them before a real attacker has a chance to exploit them.

In this section, we’re going to look at how to find SNMP community strings with NMAP (Network Mapper) on Linux. NMAP is a free vulnerability scanning tool that functions through the command line. SNMP functions at UDP port 161. You can run a UDP scan in NMAP by entering the following command (sU specifies the port, sV specifies version detect, and IP address of your router):

-sU -p161, 162 -sV 105.100.75.149 

The UDP scan will take a few minutes to complete. Once the scan is finished you’ll see the STATE, SERVICE, and VERSION of ports 161 and 162

After verifying that the port is open, you can run an NMAP script to brute force the community string credentials. You can do this by entering the following command:

-sU -p161 105.100.75.149 - -script snmp-brute 

Once the scan is finished, you’ll see a list of community strings discovered by NMAP. If no credentials are found then NMAP won’t produce any output.

As you can see, if you’re using an earlier version of SNMP it’s very easy for a hacker to scan for community strings. Using SNMPv3 shuts down this potential entry point so cybercriminals have to work much harder to get access to your information.

How to Protect Against SNMP Vulnerabilities: Best Practices 

cyber security

While SNMP opens up lots of options for networking, it needs to be secured carefully to avoid security breaches. If it isn’t secured properly, then the intruder will be able to obtain information on ARP tables, usernames, and TCP connections. You can keep SNMP secure by following the best practices below:

1. Disable SNMP on hosts when you’re not using them 

If you’re not using SNMP on a host then disable it. Disabling SNMP will stop the protocol from acting as an entry point for attackers so that there is no opportunity for unauthorized listening.

2. Change the default SNMP community read string 

Most SNMP-enabled device vendors provide equipment with the default community string “public.” While the default community string is convenient for setting up a device it needs to be changed otherwise an attacker can use to gather information from your network.

3. Block SNMP traffic to ports 161 and 162 

If UDP ports 161 and 162 are open, then attackers have an opportunity to access your SNMP traffic, and potentially the opportunity to reconfigure your devices and disrupt normal operation. To combat this, you can block traffic to ports 161 and 162 at the firewall. Alternatively, you can opt to monitor the traffic to watch out for malicious activity.

4. Create Access Control Lists (ACLs) 

Access Control Lists (ACLs) are useful because they allow you to restrict access to computers so that only authorized computers can access an SNMP device. Filtering access keeps out attackers and decreases the likelihood of a data breach. Create an ACL for all devices with read and/or write SNMP permissions.

5. Regularly update software throughout your network

Updating the software of your devices regularly makes sure that there are no unpatched vulnerabilities that hackers can use to breach your device. Keeping device software updated is also recommended for general network security and for avoiding other types of threats like malware and ransomware.

6. Restrict access to SNMP devices 

Restrict access to SNMP-enabled devices by limiting which nodes have read-write permissions and assign read-only permissions where possible. Configuring devices with read-only permissions will restrict the users’ ability to change device parameters, lowering the risk of DoS attacks and other malicious changes if a device is compromised.

7. Choose strong community strings 

Community strings are like passwords in that they should be made as strong as possible. Create community strings that are over 20 characters, with a mixture of uppercase letters, lowercase letters, numbers, and special characters. It’s also a good idea to avoid dictionary words or words related to you or your company. Remember that attackers can try to brute force your password without being locked out!

8. Avoid NoAuthNoPriv and Use AuthNoPriv or AuthPriv (SNMPv3)

Avoid using the NoAuthNoPriv mode as it doesn’t encrypt transmissions. Instead, use the AuthNoPriv mode to encrypt authentication credentials and configure it to use MD5 and SHA for extra security. If you require more security you can use the AuthPriv mode to encrypt authentication credentials and device responses at the cost of system performance.

9. Configure SNMP users with views (SNMPv3)

Use the SNMP view command to restrict which OIDs and performance data they can view. Limiting access to performance data means that if a device becomes compromised the intruder only has access to partial information.

Are SNMP Vulnerabilities Still a Threat? 

While you’re far more likely to be targeted by threats like malware, phishing attempts, and malware, SNMP vulnerabilities shouldn’t be ignored when a single attack can result in a costly data breach or DoS attack that puts you out of action. Taking the time to implement some basic configurations is well worth the time invested when you consider the average cost of downtime is $5,600 per minute.

Opt for SNMPv3 (If You Can!) 

SNMP is an essential network monitoring protocol for network administrators and provides a ton of valuable monitoring information, but it’s important to be aware of the risks. We’ve just scratched the service of some of the vulnerabilities that SNMP has, from weaknesses in the protocol itself to exploits through third-party devices.

So when using SNMP you want to make sure that you pay particular attention to what version you’re using (ideally SNMPv3 – but remember there are still vulnerabilities to defend against!) and to the firmware versions of your network devices. Simply keeping your devices updated can make your life much easier.

Remember that SNMP versions 1, 2, and 2c present the highest level of risk because community strings are communicated in clear text, and can be used by attackers during an attack.

SNMP vulnerabilities FAQs

Is SNMP a security risk?

SNMP is often used without any encryption, which makes it a security risk. This means that it is very important to protect your network from intrusion. SNMP v3 is secure. However, as it is complicated to set up, many network managers prefer not to upgrade to it. 

Is SNMP a secure protocol?

SNMP v3 is secure. However, SNMP v1 and SNMP v2c are not secure. SNMP v3 includes processes for authentication and messages are encrypted.

Should SNMP be exposed to the Internet?

SNMP messages should be protected. Where monitoring systems operate over the internet to consolidate the monitoring of multiple sites, the transmission of SNMP messages across the internet should be encrypted. One technique for this activity is to establish a VPN between sites and use that to protect the SNMP stream.