COMMAND

    SNMP

SYSTEMS AFFECTED

    Win NT

PROBLEM

    The following is based on a Network Associates (NAI) Security
    Advisory.  It addresses a vulnerability in the common configuration
    of the Windows NT SNMP Service which allows individuals to remotely
    read and reconfigure network parameters that are critical to the
    security and proper operation of the system.

    The SNMP Service implements the Simple Network Management Protocol
    in Windows NT.  This  service allows for the remote  management of
    the  network  components  of  Windows  NT.   The  SNMP  Service is
    installed  through  the  Network  control  panel  by selecting the
    Services panel,  clicking the  Add button  and then  selecting the
    SNMP Service.  It is not  installed as part of the normal  Windows
    NT installation process.  When the SNMP Service is installed,  the
    default  configuration   that  is   provided  leaves   the  system
    vulnerable  to  attack.   In  the  default  configuration the SNMP
    service answers to  a single SNMP  community ``public'', which  is
    given read-write  permissions.   The community  is a  name that is
    used much like an account name  or a password to restrict who  can
    access the  SNMP functions  and in  what capacity.   SNMP provides
    two levels of  access, read-only and  read-write.  The  Windows NT
    SNMP Service prior  to Service Pack  4 does not  allow communities
    to be configured  as read-only, so  all SNMP communities  have the
    ability to write.

    If the SNMP Service is  reconfigured with a more secure  community
    name, the system is still vulnerable to attack from users with  an
    account on the system.  The SNMP Service parameters are stored  in
    the  registry  and  are  readable  by  all  users.  A user with an
    account on the  system can read  the list of  configured community
    names and use the community name to access the SNMP Service.  With
    write access  to the  SNMP community,  a user  can perform actions
    that are usually restricted to  users with privileged access.   In
    addition to restricting access to  a list of community names,  the
    Windows NT SNMP Service has an option to restrict access to a list
    of IP addresses.  Although this may seem to provide a way to limit
    exposure  to  attacks  from  unknown  systems,  it  is  not   very
    effective.   The  SNMP  protocol  uses  UDP  packets  to  exchange
    commands  and  their  replies.    Because  the  UDP  protocol   is
    connectionless, forging the source  address of command packets  is
    trivial.   SNMP ``set''  operations can  be sent  with any  source
    address since  the reply  is not  needed.   Restricting the set of
    addresses  that  can  communicate  to  the  SNMP  service  is  not
    effective  at  preventing  malicious  ``set''  operations  if  the
    attacker knows  which addresses  are allowed  to communicate  with
    the SNMP service.  Like the community name, the list of addresses
    that may communicate with SNMP is stored in the registry and is
    readable by any user with an account on the system.

    Affected are:

    - All versions of Windows  NT where the administrator has  enabled
      the SNMP  service and  not reconfigured  the security parameters
      are vulnerable to  attack from users  that can reach  the system
      over the network.
    - All versions of Windows  NT where the administrator has  enabled
      the  SNMP  Service  are  vulnerable  to  attack  from users with
      accounts on the system.  These systems are vulnerable to  attack
      from  remote  users  if  the  administrator  has not removed the
      ``public''  community  from  the  SNMP Service configuration and
      replaced it with a hard-to-guess name.

    Remote individuals with  network access to  a machine running  the
    Windows  NT  SNMP  Service  can  query  and  set any of the system
    management variables that are supported.  Information that can  be
    queried includes:

        - the LAN Manager domain name
        - a list of users
        - a list of shares
        - a list of running services
        - a list of active TCP connections
        - a list of active UDP connections
        - a  list of  network interfaces  and their  associated IP and
          hardware addresses
        - the IP routing table and  the ARP table as well as  a number
          of networking performance statistics.

    By setting variables, an attacker can modify the IP routing  table
    and the ARP table.  An  attacker can also bring interfaces up  and
    down and set critical networking parameters such as the default IP
    time-to-live (TTL)  and IP  forwarding.   These settings  allow an
    attacker to redirect  network traffic, impersonate  other machines
    or deny the machine access to the network.  The ability to  modify
    the  routing  table,  and  enable  IP  forwarding on an NT host is
    especially dangerous if the host is a firewall with SNMP enabled.
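    The following Python program is an added example, not part of the
    NAI advisory: it encodes and decodes SNMPv1 messages (RFC 1157) with
    the standard library only, so the reader can see exactly what the NT
    SNMP Service receives on UDP port 161 when somebody sets ipForwarding
    (1.3.6.1.2.1.4.1.0, RFC 1213) with the ``public'' community.  The
    version, the community name and the PDU are plain BER fields; the
    community string is the only credential, is neither hashed nor bound
    to the sender, and is therefore sufficient once read from the
    registry or guessed, which is also why a forged source address costs
    the attacker nothing.  The audit_packet() function at the end is a
    small detection check for captured datagrams.  The function names,
    the constructed SET_IP_FORWARDING packet and the DEFAULT_COMMUNITIES
    list are the example's own assumptions.

```python
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_GET_REQUEST, PDU_SET_REQUEST = 0xA0, 0xA3
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
OID_IP_FORWARDING = "1.3.6.1.2.1.4.1.0"      # RFC 1213 ipForwarding: 1 = gateway, 2 = host
DEFAULT_COMMUNITIES = {"public", "private"}  # assumed list of vendor defaults worth flagging

def _ber_length(n):
    """BER length: one octet below 128, else 0x80|count followed by the count octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _ber_length(len(body)) + body

def encode_integer(value):
    """Two's-complement INTEGER in the minimal number of octets."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return _tlv(TAG_INTEGER, value.to_bytes(n, "big", signed=True))

def encode_oid(dotted):
    # first two arcs packed as 40*a+b, remaining arcs base-128 with continuation bit
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))

def encode_snmpv1(community, pdu_tag, request_id, varbinds):
    """Build a full SNMPv1 message; varbinds is [(oid, int | bytes | None), ...]."""
    vb_list = b""
    for oid, value in varbinds:
        if value is None:
            enc = _tlv(TAG_NULL, b"")
        elif isinstance(value, int):
            enc = encode_integer(value)
        else:
            enc = _tlv(TAG_OCTET_STRING, value)
        vb_list += _tlv(TAG_SEQUENCE, encode_oid(oid) + enc)
    # PDU = request-id, error-status 0, error-index 0, variable bindings
    pdu = _tlv(pdu_tag, encode_integer(request_id) + encode_integer(0) + encode_integer(0)
               + _tlv(TAG_SEQUENCE, vb_list))
    # Message = version 0 (SNMPv1), community as a cleartext OCTET STRING (the only credential), PDU
    return _tlv(TAG_SEQUENCE, encode_integer(0) + _tlv(TAG_OCTET_STRING, community.encode()) + pdu)

def _read_tlv(buf, pos):
    # returns (tag, body, position just after the element); handles long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_snmpv1(packet):
    """Decode one UDP payload into {version, community, pdu, request_id, varbinds}."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not a BER SEQUENCE")
    _, ver, pos = _read_tlv(msg, 0)
    _, comm, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, rid, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, pos)          # error-status
    _, _, pos = _read_tlv(pdu, pos)          # error-index
    _, vb_list, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vb_list):
        _, vb, pos = _read_tlv(vb_list, pos)
        _, oid, p = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, p)
        value = (int.from_bytes(vbody, "big", signed=True) if vtag == TAG_INTEGER
                 else None if vtag == TAG_NULL else vbody)
        varbinds.append((decode_oid(oid), value))
    return {"version": int.from_bytes(ver, "big", signed=True), "community": comm.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, "0x%02x" % pdu_tag),
            "request_id": int.from_bytes(rid, "big", signed=True), "varbinds": varbinds}

def audit_packet(packet):
    """Detection check for one captured datagram: default community name, write attempt."""
    msg, findings = parse_snmpv1(packet), []
    if msg["community"] in DEFAULT_COMMUNITIES:
        findings.append("default community %r" % msg["community"])
    if msg["pdu"] == "SetRequest":
        findings.append("SetRequest on " + ", ".join(oid for oid, _ in msg["varbinds"]))
    return findings

# Constructed sample: the SET that turns an NT host into a router, sent with the default community
SET_IP_FORWARDING = encode_snmpv1("public", PDU_SET_REQUEST, 1, [(OID_IP_FORWARDING, 1)])
```

    SET_IP_FORWARDING.hex() shows the bytes 7075626c6963 (``public'')
    sitting in the clear between the version and the PDU; a single
    socket.sendto(SET_IP_FORWARDING, (host, 161)) delivers it, and since
    a SetRequest needs no reply the sender never has to see the
    GetResponse.  Spoofing the source address would additionally require
    a raw socket, which this example deliberately does not use.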

    There is another dangerous 'feature' regarding SNMP community names
    under Windows NT 4.0 (SP3).  If SNMP is enabled and no community
    names at all are configured (Settings -> Control Panel -> Network ->
    Services -> SNMP Service -> Security -> Accepted Community Names),
    the service accepts ANY community name and (obviously) grants it
    read/write privileges (reported by Dave Goldsmith).

SOLUTION

    Service Pack 4 (SP4) provides a solution to this problem by adding
    access control and allowing communities to be configured READ ONLY,
    READ WRITE or READ CREATE.  By default, when Service Pack 4 is
    installed, the permissions are set to READ CREATE, which still
    allows modification of SNMP entries and therefore does not close
    this vulnerability.  Ensure that the communities are configured
    READ ONLY to prevent modification of SNMP entries.  To configure
    the SNMP service go to:

        "Control Panel" -> "Network" -> "Services" -> "SNMP Service"

    From this  window, select  the "Security"  tab.   Once within  the
    security tab, the security settings of each community name can  be
    configured.   It  is  recommended  that  each  community  name  be
    configured READ ONLY unless  otherwise required.  The  permissions
    on the SNMP registry key allow "Everyone" access by default.  This
    access  allows  any  system  user  to  obtain  the community names
    utilized by the  SNMP service.   The permissions on  this registry
    key should also be set more strictly by the Administrator.  Ensure
    that only Administrator and other authorized users can access  the
    contents of the following registry key:

        Hive : HKEY_LOCAL_MACHINE
        Key  : System\CurrentControlSet\Services\SNMP\Parameters

    On NT 5.0,  the permissions on  this key will  be set securely  by
    default.   Ensure  that  the  community  name  is changed from the
    default "public"  community name  to a  more obscure  name.  Block
    SNMP access at your firewall or border router.  SNMP utilizes  UDP
    port 161 (SNMP traps use UDP port 162).  As documented in the ISS
    scanner help system (any version since 5.0), you may disable just
    the LAN Manager portion of the SNMP MIBs by opening the key

        HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents

    locating the value which contains

        SOFTWARE\Microsoft\LANManagerMIB2Agent\CurrentVersion

    and removing it.  If your network management practices do not
    require this information (which is freely available via more secure
    mechanisms), it is best to disable the LM extensions to the SNMP
    service.  It may be worthwhile to examine all of the extension
    agents and enable only those which are required.
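    To check a host against the recommendations above without clicking
    through the Control Panel, export the Parameters key with regedit
    (regedit /e snmp.reg
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters)
    and run the Python audit below over the file.  This is an added
    example, not an NAI or Microsoft tool.  It assumes the SP4 layout in
    which ValidCommunities holds one REG_DWORD per community name with
    the values 1 NONE, 2 NOTIFY, 4 READ ONLY, 8 READ WRITE and 16 READ
    CREATE, and PermittedManagers holds one string value per allowed
    manager address.  SAMPLE_REG is a constructed export of a box left
    at the SP4 defaults (public with READ CREATE, no permitted managers,
    LAN Manager MIB agent loaded) plus one READ ONLY community for
    contrast.  The audit reports the empty community list case from the
    SP3 note above as well as the default community name, any
    write-capable community, an empty PermittedManagers list and the
    presence of the LANManagerMIB2Agent extension.

```python
SNMP_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters"
LM_MIB2_AGENT = r"SOFTWARE\Microsoft\LANManagerMIB2Agent\CurrentVersion"
# Assumed SP4+ ValidCommunities permission codes (one REG_DWORD named after each community)
PERMISSIONS = {1: "NONE", 2: "NOTIFY", 4: "READ ONLY", 8: "READ WRITE", 16: "READ CREATE"}
READ_ONLY_OR_LESS = {1, 2, 4}

# Constructed sample of a `regedit /e` export from an NT 4.0 SP4 host left at the
# post-install defaults, with one hardened community added for contrast.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents]
"1"="SOFTWARE\\Microsoft\\RFC1156Agent\\CurrentVersion"
"2"="SOFTWARE\\Microsoft\\LANManagerMIB2Agent\\CurrentVersion"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities]
"public"=dword:00000010
"n3tm0n-ro"=dword:00000004
"""

def _unquote(s):
    s = s.strip()
    if len(s) >= 2 and s[0] == s[-1] == '"':
        s = s[1:-1]
    return s.replace('\\\\', '\\').replace('\\"', '"')   # .reg files escape \ and "

def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value}}; dword -> int, strings unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")   # value names audited here contain no '='
            if data.lower().startswith("dword:"):
                value = int(data[6:], 16)
            elif data.startswith('"'):
                value = _unquote(data)
            else:
                value = data                      # hex:, @ etc. kept raw; not audited here
            keys[current][_unquote(name)] = value
    return keys

def audit_snmp_parameters(keys):
    """Return the weak settings the advisory warns about, as human-readable findings."""
    findings = []
    communities = keys.get(SNMP_PARAMS + r"\ValidCommunities", {})
    managers = keys.get(SNMP_PARAMS + r"\PermittedManagers", {})
    agents = keys.get(SNMP_PARAMS + r"\ExtensionAgents", {})
    if not communities:
        findings.append("no community names configured: any community name is accepted")
    for name, perm in communities.items():
        if name.lower() == "public":
            findings.append("default community name 'public' is configured")
        if perm not in READ_ONLY_OR_LESS:
            findings.append("community %r has %s access; set it to READ ONLY"
                            % (name, PERMISSIONS.get(perm, "unknown(%r)" % perm)))
    if not managers:
        findings.append("PermittedManagers is empty: requests from any source address are accepted")
    if any(isinstance(v, str) and v.upper() == LM_MIB2_AGENT.upper() for v in agents.values()):
        findings.append("LANManagerMIB2Agent is loaded: user, share and service lists are readable via SNMP")
    return findings

def audit_reg_file(path):
    """Audit an export written by `regedit /e <path> <key>` (ANSI on NT 4.0, UTF-16 on 2000+)."""
    with open(path, "rb") as f:
        raw = f.read()
    text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")
    return audit_snmp_parameters(parse_reg_export(text))
```

    Note that the export itself is part of the test: if it succeeds from
    an ordinary user account, the ACL on the Parameters key has not been
    tightened as recommended above, and every community name and
    permitted manager address in the file was available to that user.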