IMPORTANT: Recent announcement of SNMP vulnerabilities
Message-Id: <p05010409b8931076a3e9@[66.92.67.187]>
Date: Fri, 15 Feb 2002 14:54:28 -0500
To: netusers@mit.edu, security-fyi@mit.edu, itpartners@mit.edu
From: Bob Mahoney <bobmah@MIT.EDU>
Cc: itlt@mit.edu
A new computer security problem was announced this week, and reported
widely in the popular press. It is based on newly-discovered
vulnerabilities in the SNMP service (Simple Network Management
Protocol), which is used by many network devices, from routers and
switches to ordinary desktop systems.
This vulnerability, while not yet being exploited widely, is
considered significant. There are some reports of intruder scanning
and exploitation of this vulnerability, which CERT and other security
organizations are working to confirm. The likelihood is that
widespread attempts to exploit this vulnerability are only a matter
of days away.
The network security team continues to assess the impact of this
vulnerability. We will be scanning for vulnerable systems and
notifying system administrators who need to take action, starting
with the systems deemed most vulnerable.
**PLEASE NOTE: While some scanning tools are being released publicly
that attempt to detect vulnerable SNMP processes, MITnet users need
to be aware that the MIT rules of use PROHIBIT such scanning.**
You are free to examine machines under your control directly, but
please do not attempt to probe multiple systems via the network, even
ones under your control, as this is likely to be seen as malicious
activity and may result in disconnection.
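The paragraph above allows examining a machine under your control directly, without probing anything over the network. The following script is an added example, not part of Bob Mahoney's announcement or of any MIT tool: it reads a UDP socket listing on the local host (`ss -uln` or `netstat -uln`, whichever exists) and reports how many sockets are bound to the SNMP ports, 161 (agent) and 162 (trap receiver). The sample listing at the bottom is constructed for illustration; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original MIT announcement): a local-only check
# for SNMP listeners on the host you are logged into. It never sends any
# network traffic, so it stays within the "examine your own machine" advice.

# Print the lines of a UDP socket listing whose local address ends in port
# 161 or 162. Input comes from stdin in the "Local Address:Port" style printed
# by `ss -uln` or `netstat -uln`; BSD netstat uses "addr.port", so both ':'
# and '.' are accepted as the separator. Port 1610 etc. do not match.
snmp_listeners() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(.*[.:])?(161|162)$/) { print; break }
        }
    }'
}

# Count the matching lines from stdin; prints a bare number.
snmp_listener_count() {
    snmp_listeners | wc -l | tr -d ' '
}

# Examine this machine only: prefer ss, fall back to netstat, otherwise
# report that no socket-listing tool is available (exit status 2).
check_local_snmp() {
    if command -v ss >/dev/null 2>&1; then
        ss -uln | snmp_listener_count
    elif command -v netstat >/dev/null 2>&1; then
        netstat -uln | snmp_listener_count
    else
        echo "neither ss nor netstat found; use your vendor's tools" >&2
        return 2
    fi
}

# Constructed sample listing (not output from any real host): an agent on
# 0.0.0.0:161, a trap receiver on [::]:162, NTP on 123, and an unrelated
# service on 1610 that must not be counted.
SAMPLE_LISTING='UNCONN 0 0 0.0.0.0:161 0.0.0.0:*
UNCONN 0 0 127.0.0.1:123 0.0.0.0:*
UNCONN 0 0 [::]:162 [::]:*
UNCONN 0 0 0.0.0.0:1610 0.0.0.0:*'

# Usage on the host itself (examines only this machine):
#   n=$(check_local_snmp) && echo "SNMP listeners on this host: $n"
# On the constructed sample, snmp_listener_count reports 2.
```

A non-zero count means the host will answer SNMP requests from the network and is worth patching or, where the service is not needed, disabling; a zero count only says nothing is listening right now, not that the installed SNMP software is up to date.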
If you would like to address this problem in advance of further
information from us, we ask that you contact your vendor (directly or
via standard patch/advisory web sites), and download any patches
available from them to address this situation.
Traffic to these services *may* be blocked at the campus border in
the near term, if we feel it is necessary to allow users and system
administrators time to address their local systems. But this would
likely be an interim measure, and does not free users from the need
to address this vulnerability. Any compromised (or merely malicious)
machines on the campus network would still be able to impact other
local systems, so the danger, though lessened, would still exist.
If you have additional questions or concerns, please send mail to
security@mit.edu, and we will try to provide answers.
Thank you.
-Bob Mahoney, for security@mit.edu
CERT FAQ on this situation: http://www.cert.org/tech_tips/snmp_faq.html
The CERT advisory itself: http://www.cert.org/advisories/CA-2002-03.html