Simple Network Management Protocol (SNMP) importance and its challenges (Vulnerabilities, Attacks)

What is SNMP?
Simple Network Management Protocol (SNMP) is an internet standard protocol used to monitor and manage network devices connected over an IP network. Devices like routers, switches, firewalls, load balancers, servers, CCTV cameras, and wireless devices communicate using SNMP.

SNMP collects data from these devices, organizes them, and sends them for network monitoring and management, which helps with fault detection and isolation. SNMP is an integral part of both the monitored endpoints and the monitoring system.

SNMP is one of the most widely used monitoring protocols in the world. Countless network hardware manufacturers include SNMP with their devices to make it easier for an enterprise to monitor its infrastructure. However, despite its popularity, SNMP isn’t without its limitations. The protocol exposes details of a device's hardware, software, and network configuration over ports 161 and 162, so anyone who can reach those ports can enumerate the device.

SNMP Port Numbers
SNMP generally uses User Datagram Protocol (UDP) port numbers 161 and 162. An SNMP port is an SNMP communication endpoint—a logical construct that identifies SNMP data transfers. SNMP message transfers happen via UDP. The Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) protocols are also used at times.

Cybercriminals can leverage vulnerabilities in the protocol to break into a network, steal your private information, and launch DoS attacks. Knowing just a little about the basics of SNMP vulnerabilities can help you to prepare your defenses accordingly.

SNMP Protocol
Simple Network Management Protocol is an application layer protocol defined by the Internet Architecture Board in RFC 1157. SNMP is used to exchange management information between network devices. It is one of the most commonly used protocols for network management. SNMP is part of the Transmission Control Protocol/Internet Protocol (TCP/IP) suite as defined by the Internet Engineering Task Force.

Organizations use SNMP to monitor and manage devices in a local area network (LAN) or wide area network (WAN). Most network devices on the market come bundled with SNMP agents. If not, some devices allow network admins to install the agents.

How does SNMP Work?
SNMP is a protocol that network administrators use to monitor devices such as computers, routers, switches, servers, and printers. SNMP works by having an SNMP manager send Get requests to an SNMP agent located inside an SNMP-enabled device. Each request also carries a community string, which acts as an ID or password.

Each request has an Object Identifier (OID) or query string to retrieve specific information from the device. Based on the Get requests, the SNMP agent pulls data from managed objects in the Management Information Base (MIB) on the local device. The agent then sends the collected data from the MIB to the SNMP manager, where a human user can view it through a web interface (URL).

The agent can also initiate alert messages, or SNMP traps, that tell the manager when a piece of hardware overheats or fails. SNMP traps provide periodic performance information so that a user can tell whether a device is working or not.

There are two modes that SNMP operates in:

Read-only – A mode in which queries can read information from a device but cannot alter its configuration. The default community string for this mode is “public”.
Read-write – A mode in which queries can make changes to a device and its configuration. The default community string for this mode is “private”.
One of the key vulnerabilities of the older versions of the SNMP protocol (SNMPv1 and SNMPv2c) is that SNMP messages are sent across the network unencrypted, meaning that someone with a packet sniffer can read the community string in plain text. In other words, they can steal the login credentials and then use them to eavesdrop on the message content or take control of the SNMP-enabled devices.
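The message layout described above, and the plaintext community string it carries, can be seen concretely by encoding one message. The following is an added example (not code from the article): a minimal BER encoder and parser for SNMPv1/v2c Get/GetNext/Set messages in Python. The OID 1.3.6.1.2.1.1.1.0 is the standard MIB-II sysDescr.0 object; the community strings and request ids are constructed sample values. The parser shows that for v1/v2c the community string sits in the datagram as an unprotected OCTET STRING right after the version field, which is exactly what a packet sniffer on the path would read.

```python
"""Build and parse SNMPv1/v2c messages to show what a packet sniffer sees.
Added example (not from the article): a minimal BER encoder/decoder for the
Get/GetNext/Set message layout. Only the tags and OIDs used here are
implemented; it is not a full SNMP stack."""

# ASN.1 BER tags used by SNMPv1/v2c messages
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest", 0xA4: "Trap"}


def _length(n):
    """BER length: short form below 128 bytes, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + _length(len(body)) + body


def _integer(value):
    """Minimal two's-complement INTEGER encoding."""
    size = (value.bit_length() + 8) // 8
    return _tlv(TAG_INTEGER, value.to_bytes(size, "big", signed=True))


def _oid(dotted):
    """OBJECT IDENTIFIER: first two sub-ids packed into one byte, rest base-128."""
    ids = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * ids[0] + ids[1]])
    for sid in ids[2:]:
        chunk = [sid & 0x7F]
        sid >>= 7
        while sid:
            chunk.append(0x80 | (sid & 0x7F))
            sid >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def build_request(community, oid, request_id=1, version=0, pdu_tag=0xA0):
    """Encode a Get/GetNext/Set request (version 0 = SNMPv1, 1 = SNMPv2c).
    The community string goes on the wire as a plain OCTET STRING."""
    varbind = _tlv(TAG_SEQUENCE, _oid(oid) + _tlv(TAG_NULL, b""))
    pdu = _tlv(pdu_tag, _integer(request_id) + _integer(0) + _integer(0)
               + _tlv(TAG_SEQUENCE, varbind))
    return _tlv(TAG_SEQUENCE, _integer(version)
                + _tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf, pos):
    """Read one TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_header(datagram):
    """Return (version, community, pdu_name) from a raw UDP/161 payload.
    For v1/v2c the community string is the second field and readable by
    anyone on the path; an SNMPv3 message (version 3) carries none."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body, 0)
    version = int.from_bytes(ver, "big", signed=True)
    if version == 3:
        return version, None, "v3 (USM header, no community string)"
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, _, _ = _read_tlv(body, pos)
    return version, community.decode("ascii", "replace"), PDU_NAMES.get(pdu_tag, hex(pdu_tag))


if __name__ == "__main__":
    # constructed sample: SNMPv1 GetRequest for sysDescr.0 with the default community
    pkt = build_request("public", "1.3.6.1.2.1.1.1.0", request_id=42)
    print(pkt.hex())
    print(parse_header(pkt))   # (0, 'public', 'GetRequest')
```

A defender can run parse_header over captured UDP/161 payloads to inventory which community strings are actually in use on the network and which agents still answer on v1/v2c instead of v3; any result other than version 3 is a credential travelling in the clear.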

SNMP Protocol Versions (SNMPv1, SNMPv2c, SNMPv3)
There are three types of SNMP that you need to be aware of:

SNMPv1
The original SNMP protocol, which only supports 32-bit counters. SNMPv1 is easy to set up but is only protected by a community string. A plain text community string is sent from devices within a range of permitted IP addresses.

So if malicious entities gain access to the network then they’ll be able to discover the community string in plain text. Once they have the community string they can create a spoofed IP address and interact with your network. The best way to control this risk is by restricting devices to SNMP read-only access unless absolutely necessary to provide write access.

SNMPv2c
An updated version of SNMP released in 1993 that added support for 64-bit counters along with improved error handling and SET commands. Enhanced error handling support means you can view expanded error codes to differentiate between errors.

It’s important to note that this version of SNMP still sends community strings as clear text with no encryption options, leaving it vulnerable to the same security concerns as SNMPv1.

SNMPv3
The latest version of SNMP, with additional security features such as the User-based Security Model (USM) and the View-based Access Control Model (VACM), along with authentication and encryption. To ensure that SNMP messages can’t be read by unauthorized entities, SNMPv3 encrypts SNMP trap messages. Perhaps the only drawback of SNMPv3 is that it’s more complex than other versions because of the improved security features.

Which SNMP Version is Best?
In terms of security, SNMPv3 blows SNMPv1 and SNMPv2c out of the water. The lack of privacy, authentication, and access control makes SNMPv1 and SNMPv2c much more vulnerable to being compromised than SNMPv3. SNMPv3’s encryption restricts who can read SNMP traffic, while SHA- or MD5-based authentication verifies that SNMP messages come from authorized users.

Although SNMPv3 is the most secure, its complexity and network performance footprint mean that you should only use it if you need to maintain read-write access for a prolonged period of time. Otherwise, you’ll most likely be okay using SNMPv1 or SNMPv2c and setting read-only permissions.

Key SNMP Vulnerabilities
The CVE (Common Vulnerabilities and Exposures) list is a catalogue of known security vulnerabilities that you can use to identify risk factors within your IT environment. It includes an extensive list of SNMP vulnerabilities that you can use to keep track of risks to your network. There are too many to list here, so we’re going to look at a couple of these vulnerabilities below:

  • CVE-2002-0013 – Attackers can exploit SNMPv1 to launch a DoS attack or gain access privileges by sending a high number of GetRequest, GetNextRequest, or SetRequest messages.
  • CVE-2002-0012 – Attackers can use SNMPv1 trap handling to execute a DoS attack or gain access privileges.

CVE-2002-0013 and CVE-2002-0012 are particularly devastating because a hacker can launch a DoS attack or gain admin access to your files. Most DoS attacks occur when an attacker uses a packet sniffer to infiltrate your network and obtain the plain-text community strings.

Once hackers have the community string they can use it to break into multiple devices and send a high volume of GetRequests, GetNextRequests, or SetRequest messages to overwhelm the network’s resources with malicious traffic. Such attacks will result in the network service being unavailable to other users and cause costly downtime.

Alternatively, the cybercriminal can take a more passive approach and launch a man-in-the-middle attack, and eavesdrop on the communication between two hosts to gather private data. Man-in-the-middle attacks are dangerous because they cause data leaks.

Both the original SNMPv1 and SNMPv2c are vulnerable to this type of attack because they display community strings in clear-text. As a consequence, one of the best ways to protect against DoS and man-in-the-middle attacks is to avoid using SNMPv1 and SNMPv2c, while restricting SNMP-enabled devices to read-only access.
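The two traffic patterns this section describes, a flood of GetRequest/GetNextRequest/SetRequest messages from one source and write requests from a host that should not hold write access, can both be picked out of a per-datagram record of SNMP traffic. The following added example (not part of the article) runs that detection logic over constructed records; the addresses, the authorised-manager set, the one-second window and the 100-request threshold are assumptions chosen for the sample, and the record tuples are the kind of summary a capture parser would produce.

```python
"""Detect SNMP request floods and unauthorised SetRequests in traffic records.
Added example; the records, addresses and thresholds below are constructed."""
from collections import defaultdict, deque

# Constructed records: (timestamp_s, source_ip, pdu_type, community).
# 10.0.0.5 sends 150 GetRequests in 1.5 s (a flood), 10.0.0.9 is the real
# manager polling normally, and 10.0.0.77 tries a write with "private".
SAMPLE_RECORDS = (
    [(round(i * 0.01, 2), "10.0.0.5", "GetRequest", "public") for i in range(150)]
    + [(0.50, "10.0.0.9", "GetRequest", "public"),
       (0.55, "10.0.0.9", "GetNextRequest", "public")]
    + [(0.80, "10.0.0.77", "SetRequest", "private")]
)
AUTHORISED_MANAGERS = {"10.0.0.9"}      # assumption: the only host allowed to write
REQUEST_PDUS = {"GetRequest", "GetNextRequest", "SetRequest"}


def detect(records, window_s=1.0, flood_threshold=100, managers=AUTHORISED_MANAGERS):
    """Return alerts as (kind, source_ip, timestamp) in time order.

    request_flood     : more than flood_threshold requests from one source
                        inside any sliding window of window_s seconds
                        (reported once per source).
    unauthorised_set  : a SetRequest from a host outside the manager set.
    """
    alerts = []
    recent = defaultdict(deque)          # per-source timestamps inside the window
    already_flagged = set()
    for ts, src, pdu, _community in sorted(records):
        if pdu == "SetRequest" and src not in managers:
            alerts.append(("unauthorised_set", src, ts))
        if pdu not in REQUEST_PDUS:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > flood_threshold and src not in already_flagged:
            already_flagged.add(src)
            alerts.append(("request_flood", src, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

The per-source window is what separates a monitoring system polling hundreds of OIDs from a flood: a legitimate manager is in the allow list and its rate is known, so the threshold can be set just above it, while an unknown source sending SetRequests is worth an alert on the first packet regardless of rate.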

SNMPv3’s Discovery Mechanism Vulnerability
SNMPv3 attempted to address the public community string vulnerability of SNMPv1 and SNMPv2c head-on by adding encryption and authentication to make it harder for cybercriminals to sniff SNMP traffic. While authentication and encryption were useful additions to SNMP, there is still a vulnerability in SNMPv3 that hackers can use to read encrypted communications and create spoofed messages.

If attackers gain control of SNMPv3’s encryption and authentication keys, they would not only be able to collect information about devices but also control the devices. Fortunately, there are a number of steps that administrators can take to protect against this vulnerability, including:

Ensure no SNMP agents are using DHCP (reduced chance of spoofing).
Use IPsec (to protect the discovery process).
Use the Transport Security Model (TSM) to secure traffic.

SNMP Command Injection
With SNMP you not only need to worry about protocol vulnerabilities but also updating your devices. Outdated device firmware could give attackers the opportunity to start executing commands, causing a whole host of problems.

Two known command injection vulnerabilities are listed below:

  • General Electric Industrial Solutions UPS SNMP/Web adapter devices with outdated firmware (4.8 and below) allow remote users to execute commands.
  • SNMPConfig.php in the Symantec Web Gateway console allows remote users to execute commands (in versions 5.2.1 and below).

Keeping your network firmware updated, whether manually or with a configuration management tool, eliminates vulnerabilities for attackers to exploit. This makes it harder for them to gain access to your devices and launch command injection attacks.

SNMP Best Practices

  1. Disable SNMP on hosts when you’re not using them
    If you’re not using SNMP on a host then disable it. Disabling SNMP will stop the protocol from acting as an entry point for attackers so that there is no opportunity for unauthorized listening.
  2. Change the default SNMP community read string
    Most SNMP-enabled device vendors provide equipment with the default community string “public.” While the default community string is convenient for setting up a device, it needs to be changed; otherwise an attacker can use it to gather information from your network.
  3. Block SNMP traffic to ports 161 and 162
    If UDP ports 161 and 162 are open, then attackers have an opportunity to access your SNMP traffic, and potentially the opportunity to reconfigure your devices and disrupt normal operation. To combat this, you can block traffic to ports 161 and 162 at the firewall. Alternatively, you can opt to monitor the traffic to watch out for malicious activity.
  4. Create Access Control Lists (ACLs)
    Access Control Lists (ACLs) are useful because they allow you to restrict access to computers so that only authorized computers can access an SNMP device. Filtering access keeps out attackers and decreases the likelihood of a data breach. Create an ACL for all devices with read and/or write SNMP permissions.
  5. Regularly update software throughout your network
    Updating the software of your devices regularly makes sure that there are no unpatched vulnerabilities that hackers can use to breach your device. Keeping device software updated is also recommended for general network security and for avoiding other types of threats like malware and ransomware.
  6. Restrict access to SNMP devices
    Restrict access to SNMP-enabled devices by limiting which nodes have read-write permissions and assign read-only permissions where possible. Configuring devices with read-only permissions will restrict the users’ ability to change device parameters, lowering the risk of DoS attacks and other malicious changes if a device is compromised.
  7. Choose strong community strings
    Community strings are like passwords in that they should be made as strong as possible. Create community strings that are over 20 characters, with a mixture of uppercase letters, lowercase letters, numbers, and special characters. It’s also a good idea to avoid dictionary words or words related to you or your company. Remember that attackers can try to brute force your password without being locked out!
  8. Avoid NoAuthNoPriv and Use AuthNoPriv or AuthPriv (SNMPv3)
    Avoid using the NoAuthNoPriv mode as it doesn’t encrypt transmissions. Instead, use the AuthNoPriv mode to encrypt authentication credentials and configure it to use MD5 and SHA for extra security. If you require more security you can use the AuthPriv mode to encrypt authentication credentials and device responses at the cost of system performance.
  9. Configure SNMP users with views (SNMPv3)
    Use the SNMP view command to restrict which OIDs and performance data each user can view. Limiting access to performance data means that if a device becomes compromised, the intruder only has access to partial information.
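Several of the practices above (2, 4, 6, 7, 8 and 9) are visible directly in an agent's configuration file, so they can be checked mechanically. The following added example, not from the article, audits net-snmp style snmpd.conf lines and shows a weak configuration beside a hardened one. The directive names (rocommunity, rwcommunity, createUser, rouser, rwuser, view, agentAddress) are real net-snmp directives; both sample configurations are constructed, the passphrases are placeholders, and the audit assumes net-snmp's documented default of auth when a rouser/rwuser line gives no security level. One point worth keeping in mind when reading its findings: at the authNoPriv level messages carry an HMAC (MD5 or SHA) so they are authenticated, but the payload is not encrypted; only authPriv adds privacy.

```python
"""Audit net-snmp style snmpd.conf lines against the best-practice list.
Added example, not from the article. The directive names are real net-snmp
directives; both sample configurations below are constructed."""
import shlex

DEFAULT_COMMUNITIES = {"public", "private"}
MIN_COMMUNITY_LEN = 20          # practice 7: over 20 characters

# Constructed sample: what many devices ship with (practices 2, 4, 6, 9 violated).
WEAK_CONF = """
rocommunity public
rwcommunity private
"""

# Constructed sample: SNMPv3-only, authPriv, read-only, scoped to the system subtree.
# <auth-passphrase> / <priv-passphrase> are placeholders, not real secrets.
HARDENED_CONF = """
agentAddress udp:161
view systemonly included .1.3.6.1.2.1.1
createUser monitor SHA "<auth-passphrase>" AES "<priv-passphrase>"
rouser monitor priv -V systemonly
"""


def audit_snmpd_conf(text):
    """Return a list of (line_no, severity, message) findings, in file order."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)   # strips '#' comments, keeps quoted passphrases whole
        if not tok:
            continue
        directive = tok[0].lower()
        flag = lambda sev, msg: findings.append((line_no, sev, msg))

        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            community = tok[1] if len(tok) > 1 else ""
            # optional third token is the allowed source; "default" (or absent) means any address
            source = tok[2] if len(tok) > 2 and tok[2] != "-V" else "default"
            if community.lower() in DEFAULT_COMMUNITIES:
                flag("HIGH", f"default community string {community!r} (practice 2)")
            elif len(community) < MIN_COMMUNITY_LEN:
                flag("MEDIUM", "community string shorter than 20 characters (practice 7)")
            if source == "default":
                flag("MEDIUM", "community accepted from any source address (practice 4)")
            if directive.startswith("rw"):
                flag("HIGH", "read-write community; use read-only unless required (practice 6)")
            if "-V" not in tok:
                flag("LOW", "no view restriction on community (practice 9)")

        elif directive in ("rouser", "rwuser"):
            # assumption (see lead-in): net-snmp's minimum level is auth when none is given
            level = tok[2].lower() if len(tok) > 2 and tok[2] != "-V" else "auth"
            if level == "noauth":
                flag("HIGH", "SNMPv3 user allowed at noAuthNoPriv (practice 8)")
            elif level == "auth":
                flag("LOW", "authNoPriv: messages authenticated but responses not encrypted (practice 8)")
            if directive == "rwuser":
                flag("MEDIUM", "read-write SNMPv3 user; confirm it is required (practice 6)")
            if "-V" not in tok:
                flag("LOW", "no view restriction on user (practice 9)")

        elif directive == "createuser":
            args = tok[3:] if len(tok) > 1 and tok[1] == "-e" else tok[1:]   # skip -e ENGINEID
            auth_proto = args[1].upper() if len(args) > 1 else ""
            if auth_proto == "MD5":
                flag("LOW", "MD5 authentication; prefer SHA")
            if len(args) < 4:                  # USER AUTHPROTO AUTHPASS [PRIVPROTO PRIVPASS]
                flag("MEDIUM", "no privacy protocol; user cannot reach authPriv (practice 8)")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_snmpd_conf(conf) or "no findings")
```

The hardened sample has no community strings at all, so practices 2, 4 and 7 do not arise; v3 access is read-only (practice 6), at the priv level (practice 8), and limited to the system subtree by the view (practice 9). Practices 1, 3 and 5 (disabling the service, firewalling ports 161/162, and patching) live outside the agent's configuration file and need to be checked separately.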

SNMP vulnerabilities FAQs
Is SNMP a security risk?
SNMP is often used without any encryption, which makes it a security risk. This means that it is very important to protect your network from intrusion. SNMP v3 is secure. However, as it is complicated to set up, many network managers prefer not to upgrade to it.

Is SNMP a secure protocol?
SNMP v3 is secure. However, SNMP v1 and SNMP v2c are not secure. SNMP v3 includes processes for authentication and messages are encrypted.

Should SNMP be exposed to the Internet?
SNMP messages should be protected. Where monitoring systems operate over the internet to consolidate the monitoring of multiple sites, the transmission of SNMP messages across the internet should be encrypted. One technique for this activity is to establish a VPN between sites and use that to protect the SNMP stream.