SNMP Scanning Increase

A multi-vendor SNMPv3 security bug has been found and fixed in Net-SNMP 5.x. It turns out that many vendors suffered from the same issue, probably because of commonly derived code. Vendors including Juniper, Cisco, and NetApp, among others, have been affected and have made updates available to customers. The bug is in the HMAC digest authentication mechanism that SNMPv3 uses: it reduced the effective size of the authentication digest to 1 byte. An attacker can therefore bypass authentication by brute force, since covering every possible value of that byte takes only 256 packets. Within a couple of days, exploit code was available.
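The following added example (not Net-SNMP's or any vendor's code) shows why a one-byte effective digest leaves only 256 possibilities, and what a hardened check looks like. It assumes the shortening comes from a verifier that takes the comparison length from the received field; the function names and the sample digest are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USM_AUTH_LEN 12 /* HMAC-MD5-96 / HMAC-SHA-96 digest length (RFC 3414) */

/* Flawed pattern (assumed for illustration): the number of bytes compared
 * is taken from the received field, so a 1-byte field checks 1 byte. */
int verify_packet_length(const unsigned char *expected,
                         const unsigned char *received, size_t received_len)
{
    if (received_len == 0 || received_len > USM_AUTH_LEN)
        return 0;
    return memcmp(expected, received, received_len) == 0;
}

/* Hardened pattern: require the full digest length, then compare every
 * byte without an early exit so timing does not reveal the mismatch. */
int verify_fixed_length(const unsigned char *expected,
                        const unsigned char *received, size_t received_len)
{
    unsigned char diff = 0;
    size_t i;
    if (received_len != USM_AUTH_LEN)
        return 0;
    for (i = 0; i < USM_AUTH_LEN; i++)
        diff |= (unsigned char)(expected[i] ^ received[i]);
    return diff == 0;
}

typedef int (*verify_fn)(const unsigned char *, const unsigned char *, size_t);

/* Regression check: how many of the 256 one-byte fields does a verifier accept? */
int count_accepted_one_byte(verify_fn verify, const unsigned char *expected)
{
    int v, accepted = 0;
    for (v = 0; v < 256; v++) {
        unsigned char field = (unsigned char)v;
        accepted += verify(expected, &field, 1);
    }
    return accepted;
}

/* Constructed sample digest, not taken from any real packet. */
static const unsigned char SAMPLE_DIGEST[USM_AUTH_LEN] = {
    0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x48, 0xbb, 0x10, 0x6d, 0xf4, 0x29, 0x83 };

int main(void)
{
    printf("one-byte fields accepted: flawed=%d hardened=%d\n",
           count_accepted_one_byte(verify_packet_length, SAMPLE_DIGEST),
           count_accepted_one_byte(verify_fixed_length, SAMPLE_DIGEST));
    return 0;
}
```

A check like `count_accepted_one_byte` can be kept as a regression test for any code that verifies truncated HMACs.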

In ATLAS, we’ve started to see an increase in SNMP scanning on UDP ports 161 and 162.

Figure (UDP_161_week.png): SNMP agent scanning by ASN targeting UDP port 161 for a one-week period covering the vulnerability and exploit disclosure.

Figure (UDP_162_week.png): SNMP trap daemon scanning by source ASN targeting UDP port 162 for the one-week period around the disclosure of the vulnerability and exploit release.

We have not seen reports of attacks being successful at this point. If you can, upgrade; otherwise, block SNMP at the border.

One Response to “SNMP Scanning Increase”

June 16, 2008 at 6:42 am, Increased attacks: Hackers pounce on SNMP vulnerability - WinBoard - Die Windows Community said:

[…] from Arbornetworks.com have now recorded a noticeable increase in scans on UDP ports 161 and 162. So far, no successful attack has reportedly been seen. Those who can should […] the provided […]
