SANS ISC: InfoSec Handlers Diary Blog
MS06-074: SNMP Buffer Overflow (CVE-2006-5583)

Published: 2006-12-12
Last Updated: 2006-12-12 19:48:39 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
The Simple Network Management Protocol (SNMP) service is vulnerable to a buffer overflow. This service is typically used to manage network devices. Home users are not likely to have it installed, but many larger networks use SNMP to control and monitor networked workstations and servers.

According to a note from Dave Aitel, Immunity has released an exploit for this vulnerability to its customers.

To check whether the service is running, or to disable it, open the Services console (services.msc, also reachable from Control Panel under Administrative Tools) and make sure 'SNMP Service' is not running; if you do not need it, set its startup type to Disabled as well. There will be no 'SNMP Service' entry at all if the service is not installed.

This is a "patch now" for any network that uses SNMP. The service runs as SYSTEM, so a successful exploit gives the attacker full control of the host. The Microsoft bulletin only mentions 161/udp for this vulnerability, so one can assume that SNMP trap messages (received on 162/udp) are not affected.

Common sense SNMP security (regardless of this vulnerability):
  • block 161/udp and 162/udp at your perimeter (SNMP can also be carried over TCP, so filter those ports on TCP as well).
  • use a hard to guess community string (anything but "public"); a guessed read community discloses configuration, a guessed write community hands over the device.
  • disable SNMP listeners on any host that does not need them.
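A quick way to verify the last two points from the outside is to send one SNMPv1 GET for sysDescr.0 with the community "public" and see whether anything answers. The script below is an added example written for this diary, not a tool from ISC or Microsoft; it builds the BER-encoded GetRequest by hand (RFC 1157 framing) so it runs with nothing but the Python standard library, and the sample reply it parses in the test is a constructed packet, not a capture. One caveat a tester needs: an SNMPv1 agent silently drops requests carrying a wrong community, so "no answer" means either the listener is filtered or disabled, or the community was rejected; only an actual reply is conclusive.

```python
"""Minimal SNMPv1 GET probe (added example, not code from the ISC diary).

Sends a GetRequest for sysDescr.0 to 161/udp and reports whether the agent
answers for the given community.  Run it only against hosts you own.
"""
import os
import socket
import sys

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # MIB-II sysDescr.0
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST, TAG_GET_RESPONSE = 0xA0, 0xA2


def _tlv(tag, body):
    """BER tag-length-value; short form below 128 bytes, long form above."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def _integer(value):
    """Non-negative INTEGER in minimal two's-complement form (leading bit clear)."""
    return _tlv(TAG_INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def encode_oid(dotted):
    """Dotted OID -> BER contents: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf, pos):
    """Return (tag, contents, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_get_request(community, request_id, oid=SYS_DESCR):
    if isinstance(community, str):
        community = community.encode()
    varbind = _tlv(TAG_SEQUENCE, _tlv(TAG_OID, encode_oid(oid)) + _tlv(TAG_NULL, b""))
    pdu = _integer(request_id) + _integer(0) + _integer(0) + _tlv(TAG_SEQUENCE, varbind)
    return _tlv(TAG_SEQUENCE, _integer(0) + _tlv(TAG_OCTET_STRING, community) + _tlv(TAG_GET_REQUEST, pdu))


def parse_response(packet):
    """Parse a GetResponse into a dict; raises ValueError on anything else."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    if pdu_tag != TAG_GET_RESPONSE:
        raise ValueError("unexpected PDU tag 0x%02x" % pdu_tag)
    _, rid, pos = _read_tlv(pdu, 0)
    _, status, pos = _read_tlv(pdu, pos)
    _, index, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, vpos = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, vpos)
        if vtag == TAG_INTEGER:
            value = int.from_bytes(val, "big", signed=True)
        elif vtag == TAG_NULL:
            value = None
        else:
            value = bytes(val)    # OCTET STRING and any other type kept raw
        varbinds.append((decode_oid(oid), value))
    as_int = lambda b: int.from_bytes(b, "big", signed=True)
    return {"version": as_int(version), "community": bytes(community),
            "request_id": as_int(rid), "error_status": as_int(status),
            "error_index": as_int(index), "varbinds": varbinds}


def probe(host, community="public", timeout=2.0):
    """One GET; returns the parsed reply or None if the agent stays silent."""
    request_id = int.from_bytes(os.urandom(3), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, request_id), (host, 161))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    reply = parse_response(data)
    return reply if reply["request_id"] == request_id else None   # ignore stray datagrams


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    comm = sys.argv[2] if len(sys.argv) > 2 else "public"
    reply = probe(target, comm)
    if reply is None:
        print("%s: no answer on 161/udp for community %r (filtered, disabled, or rejected)" % (target, comm))
    else:
        print("%s: agent ANSWERS for community %r, sysDescr=%r" % (target, comm, reply["varbinds"][0][1]))
```

Run it as `python snmp_probe.py <host> [community]`. A host that answers for "public" fails both the community-string and the listener bullets above; run it from outside the perimeter as well to confirm the 161/udp filter is actually in place.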
References:
KB926247
CVE-2006-5583