SNMP Scanning Increase
A multi-vendor SNMPv3 security bug has been found and fixed in Net-SNMP 5.x. It turns out that a lot of vendors suffered the same issues, probably from commonly derived code. Vendors including Juniper, Cisco, and NetApp, among others, have been affected and have made updates available to customers. The bug is in the HMAC digest authentication mechanism that SNMPv3 uses. It reduced the size of the effective authentication digest to 1 byte. So, an attacker can brute force her way across all 256 packets to bypass authentication. Within a couple of days exploit code was available.
In ATLAS, we’ve started to see an increase in SNMP scanning on UDP ports 161 and 162.
SNMP agent scanning by ASN targeting UDP port 161 for a one week period covering the vulnerability and exploit disclosure.
SNMP trap daemon scanning by source ASN targeting UDP port 162 for the one week time period around the disclosure of the vulnerability and exploit release.
We have not seen reports of attacks being successful at this point. If you can, upgrade, otherwise block SNMP at the border.