COMMAND

    SNMP

SYSTEMS AFFECTED

    WinNT 4.0 (all versions), WinNT 2000 (all versions)

PROBLEM

    The following was rediscovered by Chris Anley of @stake and documented
    in Microsoft Security Bulletins MS00-095 and MS00-096.  The SNMP
    service in Windows NT 4.0 and 2000 enables remote management of the
    computer.  Loose permissions on the registry key

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters

    allow malicious users with access to the registry to read the SNMP
    community names stored in the ValidCommunities key value.  With those
    names, the malicious users can manage the computer via SNMP.

    Malicious users also can sniff  the network and obtain these  same
    strings.  This is one of many reasons that Mike Warfield refers to
    SNMP as Security Not  My Problem.  The  protocol (at least v1)  is
    inherently insecure.  It hardly seems to be worthwhile to go to  a
    lot  of  trouble  trying  to  secure  something  that  is normally
    broadcast in the clear all over the network.

    By  default,  the  permissions  on  this  section  of the registry
    resolve to:

        admins:F
        server ops:change
        everyone:R

    There are slight variations between  Win2k and NT 4.0, and  depend
    on the role of the system, but the above is a reasonable  summary.
    So by default, users cannot change these strings.

    Another point is what the strings actually get an attacker.  Unless
    the community string allows write access, the users can't manage
    anything, only gather information.  The information made available
    by a read-only community string would normally be freely available
    to local users in any case.
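    A local audit of the two points above (who holds read rights on the
    Parameters key, and which communities grant more than read-only
    access), added here as an example; it is not part of the original
    advisory or of Microsoft's patch.  It assumes a current Windows host
    with the SNMP service installed and an elevated PowerShell prompt; the
    DWORD permission encoding under ValidCommunities (4 = READ ONLY,
    8 = READ WRITE, 16 = READ CREATE) is the Windows 2000-and-later
    layout, not something the advisory states.

```powershell
# Audit script (added example, not from the advisory). Run elevated.
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
$commKey  = Join-Path $paramKey 'ValidCommunities'

# Broad principals that should not be able to read community names.
$broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Test-SnmpKeyAcl {
    param([string]$Path)
    $findings = @()
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $id = $ace.IdentityReference.Value
        # QueryValues is the right that lets a caller read value data.
        $canRead = ([int]($ace.RegistryRights -band
                   [System.Security.AccessControl.RegistryRights]::QueryValues)) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $broadGroups -contains $id -and $canRead) {
            $findings += "$id can read $Path ($($ace.RegistryRights))"
        }
    }
    return $findings
}

function Get-SnmpCommunityLevels {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return @() }
    $item = Get-Item -Path $Path
    foreach ($name in $item.GetValueNames()) {
        $level = [int]$item.GetValue($name)
        # Assumed encoding (Windows 2000+): 1 NONE, 2 NOTIFY, 4 RO, 8 RW, 16 READ CREATE.
        $label = switch ($level) { 1 {'NONE'} 2 {'NOTIFY'} 4 {'READ ONLY'}
                                   8 {'READ WRITE'} 16 {'READ CREATE'} default {"UNKNOWN($level)"} }
        [pscustomobject]@{ Community = $name; Level = $label }
    }
}

$weak = @(Test-SnmpKeyAcl -Path $paramKey) + @(Test-SnmpKeyAcl -Path $commKey)
if ($weak) { $weak | ForEach-Object { Write-Warning $_ } }
else       { Write-Output "No broad read ACEs on $paramKey or its ValidCommunities subkey" }

Get-SnmpCommunityLevels -Path $commKey |
    Where-Object { $_.Level -in 'READ WRITE', 'READ CREATE' } |
    ForEach-Object { Write-Warning "Community '$($_.Community)' grants $($_.Level)" }
```

    If the script warns about a broad read ACE, tighten the ACL so that
    only Administrators (and the SNMP service account) can read the key;
    if it warns about a READ WRITE community, the string is worth more
    than information gathering and should be reviewed.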

    Windows 2000 (both Pro and Server) does not allow remote non-admin
    access to this portion of the registry.  NT 4.0 Server behaves the
    same way.  NT 4.0 Workstation depends upon whether one of the last
    registry patches has been applied.  Understanding the remote
    implications of this issue is important.

    This issue was already pointed out 3 years ago or more, and Microsoft
    has addressed it only now.

SOLUTION

    Microsoft has released a patch which rectifies this issue:

        WinNT4.0Intel:  http://download.microsoft.com/download/winntsp/Patch/Q266794/NT4/EN-US/Q265714i.EXE
        WinNT2000Intel: http://download.microsoft.com/download/win2000platform/Patch/Q266794/NT5/EN-US/Q266794_W2K_SP2_x86_en.EXE