
SNMP Abuse


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

The Simple Network Management Protocol (SNMP) may be abused to provide unauthorised access to network devices. SNMP provides a standardised framework for a common language that is used for monitoring and managing devices in a network.

Threat details

SNMP depends on community strings to grant access to portions of devices' management systems. Where SNMP v1 or SNMP v2 is used, the community string is sent in clear text, so attackers who can sniff network traffic are able to determine the community string in use. This compromise can enable a Man-in-the-Middle attack on SNMP-enabled devices.

SNMP v3 has the ability to authenticate and encrypt payloads, replacing the simple clear-text password sharing method used in v1 and v2. The safest approach is to combine SNMP v3 with management information base (MIB) whitelisting using SNMP views. This technique ensures that, even with exposed credentials, information cannot be read from or written to the device unless that information is needed for monitoring or normal device re-configuration. The majority of devices that support SNMP contain a generic set of MIBs that are vendor agnostic.


Remediation steps

  • Ensure devices are using the latest version of SNMP (UDP port 161), SNMPv3, where possible. If SNMPv1, v2 or v2c must be used, ensure they are not publicly reachable.
  • Segregate SNMP traffic using a separate management network, with data transferred independently of other traffic. If SNMP traffic must be transmitted alongside standard network traffic it should be encrypted. Where possible, dedicated management ports should be used.
  • Ensure community strings are not left at default settings. When configuring community strings, implement strong password policies and ensure the strings are not public.
  • SNMPv3 provides authentication and encryption capabilities through the authPriv level of the User-based Security Model (USM) specification. Ensure that this is implemented on SNMP-enabled devices. If devices are unable to support authPriv, the alternative authNoPriv level can be used to provide some level of improved security.
  • Implement extended access control lists (ACLs) to prevent unauthorised devices or accounts from accessing SNMP-enabled devices. Access to devices with higher SNMP permissions should be strictly controlled.
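As an added example (not part of the original alert, and not taken from any vendor's documentation), the following net-snmp snmpd.conf fragment shows the weak configuration the threat details describe beside the hardened SNMPv3 authPriv plus MIB-view configuration recommended in the remediation steps. The management address, subnet, view name, user name and passphrases are placeholders and assumptions.

```conf
# --- Weak (what this alert warns against): SNMPv2c with default
#     community strings, reachable from any source, whole MIB tree
#     readable and writable, credentials sent in clear text.
rocommunity public
rwcommunity private

# --- Hardened: SNMPv3 authPriv combined with MIB-view whitelisting.

# 1. Listen only on the management interface (address is an assumption).
agentAddress udp:10.99.0.5:161

# 2. Views: whitelist only the MIB-2 subtrees monitoring actually needs,
#    here 'system' (sysName, sysUpTime, ...) and 'interfaces' (ifTable).
#    Anything outside the view is invisible even with valid credentials.
view monitoring included .1.3.6.1.2.1.1
view monitoring included .1.3.6.1.2.1.2

# 3. SNMPv3 user: SHA authentication plus AES privacy (USM authPriv).
#    createUser belongs in the persistent config (e.g.
#    /var/lib/net-snmp/snmpd.conf); net-snmp replaces the passphrases with
#    localized keys on first start. Passphrases here are placeholders.
createUser nms-monitor SHA "REPLACE-WITH-AUTH-PASSPHRASE" AES "REPLACE-WITH-PRIV-PASSPHRASE"

# 4. Read-only access, 'priv' forces authentication AND encryption,
#    '-V monitoring' scopes the user to the whitelisted view.
rouser nms-monitor priv -V monitoring

# 5. Only if v2c cannot be retired yet: non-default string, restricted to
#    the management subnet, same view. The string still crosses the wire
#    in clear text, so keep it on the segregated management network.
rocommunity REPLACE-WITH-NON-DEFAULT-STRING 10.99.0.0/24 -V monitoring
```

Remove the two weak lines entirely once the v3 user is in place; with them present the rest of the configuration gives no protection, since any source can still read and write the full tree with the default strings.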

Last edited: 17 February 2020 11:39 am