[Snort-sigs] SNMP has a bug - Elaborating on Greg's comment

Davis Ray Sickmon, Jr midryder at ...358...
Tue Feb 12 13:27:09 EST 2002

I can elaborate a bit on that - this is SANS's email:
SANS FLASH ALERT: Widespread SNMP Vulnerability
1:30 PM EST 12 February, 2002

To: Matt Fearnow (SD540418)
From: Alan Paller, Director of Research, The SANS Institute

Note: This is preliminary data! If you have additional information,
please send it to us at snmp at ...359...

In a few minutes wire services and other news sources will begin
breaking a story about widespread vulnerabilities in SNMP (Simple
Network Management Protocol).  Exploits of the vulnerability cause
systems to fail or to be taken over.  The vulnerability can be found in
more than a hundred manufacturers' systems and is very widespread -
millions of routers and other systems are involved.

As one of the SANS alumni, your leadership is needed in making sure that
all systems for which you have any responsibility are protected. To do
that, first ensure that SNMP is turned off. If you absolutely must run
SNMP, get the patch from your hardware or software vendor. They are all
working on patches right now. It also makes sense for you to filter
traffic destined for SNMP ports (assuming the system doing the filtering
is patched).

To block SNMP access, block traffic to ports 161 and 162 for tcp and
udp.  In addition, if you are using Cisco, block udp for port 1993.

The problems were caused by programming errors that have been in the
SNMP implementations for a long time, but only recently discovered.

CERT/CC is taking the lead on the process of getting the vendors to get
their patches out.  Additional information is posted at

A final note.

Turning off SNMP was one of the strong recommendations in the Top 20
Internet Security Threats that the FBI's NIPC and SANS and the Federal
CIO Council issued on October 1, 2001.  If you didn't take that action
then, now might be a good time to correct the rest of the top 20 as well
as the SNMP problem.  The Top 20 document is posted at

----- Original Message ----- 
From: "Noller, Gregory" <Noller2G at ...256...>
To: <snort-sigs at lists.sourceforge.net>
Sent: Tuesday, February 12, 2002 2:42 PM
Subject: [Snort-sigs] SNMP has a bug

> Sun Security Bulletin 00215
> SNMP has a bug.
> I cannot elaborate now.
> Greg
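The port list from the SANS alert above, turned into an audit check; this is an added example and not part of the original message or of any SANS or Snort tooling. It assumes `iptables-save` output as input (the ruleset below is constructed), counts a rule only when it matches nothing besides protocol and destination port, and does not evaluate rule order or chain default policy.

```python
import shlex

# Ports named in the alert: 161 and 162 for tcp and udp, plus udp 1993 (Cisco).
REQUIRED = {("tcp", 161), ("tcp", 162), ("udp", 161), ("udp", 162), ("udp", 1993)}
# Assumption: only these options leave a rule unconditional for our purposes.
ALLOWED = {"-A", "-p", "-m", "--dport", "--dports", "-j", "--reject-with"}

def expand_ports(spec):
    """Expand an iptables port spec such as '161', '161:162' or '161,1993'."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def blocked_by(rule, chain):
    """Return the (proto, port) pairs one unconditional DROP/REJECT rule covers."""
    tok = shlex.split(rule)
    if not tok or len(tok) % 2:          # blank line, table header, COMMIT, '!' negation
        return set()
    opts = dict(zip(tok[::2], tok[1::2]))
    if set(opts) - ALLOWED:              # source, interface or other extra match
        return set()
    if opts.get("-A") != chain or opts.get("-j") not in ("DROP", "REJECT"):
        return set()
    spec = opts.get("--dport") or opts.get("--dports")
    if opts.get("-p") not in ("tcp", "udp") or not spec:
        return set()
    return {(opts["-p"], port) for port in expand_ports(spec)}

def missing_blocks(ruleset, chain="INPUT"):
    """List the required (proto, port) pairs that no rule in `chain` blocks."""
    covered = set()
    for line in ruleset.splitlines():
        covered |= blocked_by(line.strip(), chain)
    return sorted(REQUIRED - covered)

# Constructed sample ruleset: tcp/162 is only dropped for one source network.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 161:162 -j DROP
-A INPUT -p tcp -m tcp --dport 161 -j DROP
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 162 -j DROP
-A INPUT -p udp -m multiport --dports 1993,2049 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
```

Calling `missing_blocks(SAMPLE)` reports tcp/162 as uncovered, because the only rule for it is restricted to one source network.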