----- Original Message -----
From: "The SANS Institute" <[EMAIL PROTECTED]>
To: "George Tuttle (SD208296)" <[EMAIL PROTECTED]>
Sent: Tuesday, February 12, 2002 2:55 PM
Subject: SANS FLASH ALERT: Widespread SNMP Vulnerability

> To: George Tuttle (SD208296)
> From: Alan Paller, Director of Research, The SANS Institute
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> SANS FLASH ALERT: Widespread SNMP Vulnerability
> 2:30 PM EST 12 February, 2002
>
> Note: This is preliminary data! If you have additional information,
> please send it to us at [EMAIL PROTECTED]
>
> In a few minutes wire services and other news sources will begin
> breaking a story about widespread vulnerabilities in SNMP (Simple
> Network Management Protocol). Exploits of the vulnerability cause
> systems to fail or to be taken over. The vulnerability can be found in
> more than a hundred manufacturers' systems and is very widespread -
> millions of routers and other systems are involved.
>
> Your leadership is needed in making sure that all systems for which you
> have any responsibility are protected. To do that, first ensure that
> SNMP is turned off. If you absolutely must run SNMP, get the patch from
> your hardware or software vendor. They are all working on patches right
> now. It also makes sense for you to filter traffic destined for SNMP
> ports (assuming the system doing the filtering is patched).
>
> To block SNMP access, block traffic to ports 161 and 162 for tcp and
> udp. In addition, if you are using Cisco, block udp for port 1993.
>
> The problems were caused by programming errors that have been in the
> SNMP implementations for a long time, but only recently discovered.
>
> CERT/CC is taking the lead on the process of getting the vendors to get
> their patches out. Additional information is posted at
> http://www.cert.org/advisories/CA-2002-03.html
>
> Two final notes.
>
> Note 1: Turning off SNMP was one of the strong recommendations in the
> Top 20 Internet Security Vulnerabilities that the FBI's NIPC and SANS
> and the Federal CIO Council issued on October 1, 2001. If you didn't
> take that action then, now might be a good time to correct the rest of
> the top 20 as well as the SNMP problem. The Top 20 document is posted
> at http://www.sans.org/top20.htm
>
> Note 2: If you have Cisco routers (that's true for 85% of our readers)
> you are going to have to patch them to fix this problem. This is a great
> time to make the other fixes that will protect your Cisco routers from
> an increasingly common set of increasingly bad attacks.
>
> A great new free tool will be announced on Thursday that checks Cisco
> routers, finds most problems, and provides specific guidance on fixing
> each problem it finds. We've scheduled a web broadcast for Thursday
> afternoon at 1 PM EST (18:00 UTC) to tell you about it and how to get
> it.
>
> Mark your calendar now and we'll supply complete data in tomorrow's
> Newsbites and on the SANS web site tomorrow, as well.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (BSD/OS)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE8aX8y+LUG5KFpTkYRAnzlAJ920GGAqfFGAcNhrMQs+7N7wjBrEgCgkZM7
> 63OGBNgmoFsv/aajLby5+7g=
> =isBR
> -----END PGP SIGNATURE-----
>

---------------------------------------------------------
Archived messages from this list can be found at:
http://www.mail-archive.com/tech-cord@aea5.k12.ia.us/
---------------------------------------------------------
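
The port filtering the alert recommends can be checked against a firewall's rule listing. The following is an added example, not part of the SANS message: it assumes a Linux filter whose rules are in `iptables-save` format, and `audit`, `parse_rule` and the sample ruleset are constructed for illustration. It reads only a subset of rule syntax and does not follow jumps into user-defined chains.

```python
# Ports named in the alert: 161 and 162 for tcp and udp, plus udp 1993 for Cisco.
TARGETS = [("tcp", 161), ("tcp", 162), ("udp", 161), ("udp", 162), ("udp", 1993)]
# Constructed sample in iptables-save format; 192.0.2.10 is a documentation address.
SAMPLE = """\
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p udp -m multiport --dports 161,162 -j DROP
-A INPUT -p tcp -m tcp --dport 161:162 -j REJECT --reject-with tcp-reset
"""

def parse_rule(line):
    """Return (proto, port ranges, qualified, verdict) for one '-A' rule."""
    proto, ports, qualified, verdict = None, None, False, None
    it = iter(line.split()[2:])                 # skip '-A <chain>'
    for opt in it:
        if opt == "-p":
            proto = next(it)
        elif opt in ("--dport", "--dports"):    # '161', '161:162' or '161,162'
            ports = [tuple(map(int, (p.split(":") * 2)[:2])) for p in next(it).split(",")]
        elif opt == "-j":
            verdict = next(it)
            break                               # what follows are target options
        elif opt == "-m":
            next(it)                            # match-module name, not a condition
        else:
            qualified = True                    # -s, -i, --state ...: narrows the rule
    return proto, ports, qualified, verdict

def audit(ruleset, chain="INPUT"):
    """Map each alert (proto, port) to 'blocked', 'exception' or 'open'."""
    lines = [l.strip() for l in ruleset.splitlines()]
    policy = next((l.split()[1] for l in lines if l.startswith(f":{chain} ")), "ACCEPT")
    rules = [parse_rule(l) for l in lines if l.startswith(f"-A {chain} ")]
    result = {}
    for proto, port in TARGETS:
        verdict, excepted = policy, False
        for r_proto, r_ports, qualified, r_verdict in rules:
            in_ports = not r_ports or any(lo <= port <= hi for lo, hi in r_ports)
            if r_proto not in (None, "all", proto) or not in_ports:
                continue
            if qualified or r_verdict not in ("ACCEPT", "DROP", "REJECT"):
                excepted |= qualified and r_verdict == "ACCEPT" and bool(r_ports)
                continue                        # cannot decide this port on its own
            verdict = r_verdict
            break
        blocked = verdict in ("DROP", "REJECT")
        result[(proto, port)] = ("exception" if excepted else "blocked") if blocked else "open"
    return result
```

On the sample, `audit(SAMPLE)` reports udp 1993 as open and udp 161 as blocked with an exception for the single allowed source, which is the kind of gap a port-by-port review is meant to surface.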