Security Flaw Could Affect Nearly Every Internet-Connected Device

A major security flaw that could affect nearly every Internet-connected device has been discovered. The vulnerability is within the Simple Network Management Protocol (SNMP), which lets administrators remotely manage critical devices such as routers, switches, operating systems, and network-management devices.

The flaw leaves companies vulnerable to denial-of-service attacks and service disruptions, and could give remote hackers access to systems.

A staggering number of vendors' products are vulnerable, according to Carnegie Mellon's CERT Coordination Center. "Many of the affected products provide key services to the Internet infrastructure," CERT says. "Large-scale outages of these devices could disable significant portions of the global network. The specific impact of these vulnerabilities varies from product to product."

The most pressing danger is denial-of-service attacks against SNMP-ready devices, says Chris Rouland, director of Internet Security Systems Inc.'s research division, X-Force. "A week from now, we may be concerned about the ability for hackers to gain remote, or root, access," he says.

Rouland recommends that all system administrators assess the SNMP traffic on their networks, ports 161 and 162 tcp/udp. Users aren't immune and should contact their digital subscriber line, cable modem, or router vendors about potential exposures, he adds.

Rouland says X-Force research has shown that some Cisco Systems routers and switches won't filter packets that could exploit the vulnerability, even if they're configured to do so. "I've never seen a vulnerability that affected so many vendors," Rouland says. "This one is big."

Administrators must scour their networks and make appropriate changes to a wide variety of the SNMP-enabled devices, according to the CERT advisory. The advisory adds: "In many cases, technical limitations of the SNMP protocol make it difficult or impossible to restrict access to only authorized users. Disabling SNMP as a defensive measure may not be an option for many organizations since ordinary business activities, such as billing, may be interrupted. The CERT/CC strongly encourages organizations to address these vulnerabilities carefully and methodically."

Vendors affected by the vulnerability include Alcatel, Amber Networks, Arbor, Banyan Networks, Canon, Cisco Systems, Compaq, Computer Associates, D-Link, Dell Computer, Digi, Ericsson, Extreme Networks, F5, Foundry, Fujitsu Siemens, Hewlett-Packard, Hitachi, IBM, ICL, Intel, Juniper Networks, Lantronix, Laurel, Lotus Lucent, Marconi-Fore, Microsoft, Multitech, NET-SNMP, NetGear, Nokia, Nortel Networks, Novell, SMC, Shiva, Siemens, Sumimoto, Sun Microsystems, Telebit, Teledat, 3Com, Windriver, Xerox, Xylan, and Zyxel. Users should check with their vendors for workarounds or patches.

Some of the affected vendors are no longer in business or are no longer maintaining the affected software, Rouland says, making it even more difficult to secure their networks.