Security Surprises with SNMP v3
Earlier this week, Gerry Gosselin and Eric Rioux of VertitechIT were investigating a strange result in the Rumble asset inventory; After scanning an external subnet with Rumble, they noticed that the main internet router was responding to SNMP probes on its normal address and HSRP address. The router in question had a strong SNMP v2 community as well an IP ACL on the SNMP service. Rumble still reported the router vendor, manufacturing date, and MAC address via SNMP, all unauthenticated and from the internet. What was going on?
The router that Gerry and Eric were testing had the following SNMP and ACL configuration in place:
snmp-server community OURCOMMUNITY RO SNMP_ALLOWED snmp-server ifindex persist ip access-list standard SNMP_ALLOWED permit x.x.x.0 0.0.0.255
Although the SNMP v2 server was properly restricted and SNMP v3 was not explicitly configured, the SNMP v3 service was still leaking information about the device via unauthenticated requests from the internet.
SNMP is known to be a common weak point in device security. Default, guessible, and hardcoded SNMP communities expose information and management capabilities to the network at large. The lack of encryption in SNMP v1 and v2 allow attackers to capture credentials sent by management tools. Attackers can abuse the weak security of one device to obtain sensitive information about other systems on the network.
These concerns led to the development of SNMP v3, which introduces encryption, strong authentication, and message integrity. SNMP v3 has been the official version of the protocol since 2004, but still holds a few surprises when it comes to information exposure. To successfully authenticate over SNMP v3, the client device needs the EngineID of the server, and obtains this by sending a minimal SNMP v3 request. The response includes both the Authoritative EngineID and the Context EngineID:
These EngineID values expose a vendor name and often, the MAC address of the device. The MAC address in turn can be used to identify the vendor and manufacturing date of the device (via mac-ages). Rumble will also correlate the MAC address across the scan scope, linking all responsive IP addresses to the same asset using this technique. The EngineBoots, EngineTime, and the usmStatsUnknownEngineIDs counter (the final reported value) can be useful to an attacker are well.
Preventing this exposure requires explicit ACLs on the external interfaces. Gerry and Eric were able to stop this information leak by applying a UDP ACL on port 161. No changes were needed to the existing SNMP v2 configuration.
ip access-list extended INTERNET_IN deny udp any x.x.x.0 0.0.0.255 eq snmp
In cases where SNMP v3 over TCP is used, additional ACL lines may be necessary to completely block access to the SNMP v3 service. If you find this stuff interesting, you might like our recent talk on Modern Network Discovery, which covers the SNMP v3 information leaks (slide 25) among other methods used by Rumble to discover and enumerate network devices.
Thanks again to Gerry Gosselin and Eric Rioux of VertitechIT for reaching out about this issue, identifying the root cause, and sharing their notes!
Update: It appears that Cisco bug CSCtw74132 (“SNMP v3 information leaking vulnerability” April 18, 2019) may be the root cause and may apply to a wider range of products than initially thought:
April 13, 2021
Collecting Device Serial Numbers and Asset Tags over SNMP
A few weeks ago, one of our customers asked us if we could pull serial numbers out of Cisco devices because this would be very useful for their MSSP business. We were able to update the scan engine quick and this feature is now included as of release 1.15.3. Pulling serial …Read More
March 30, 2020
SMB2 Session Prediction & Consequences
Server Message Block Research The Rumble scan engine received big updates this month for the HTTP, RDP, and SMB protocols. The SMB work was focused on improving protocol support for SMB1, SMB2, and SMB3, including better desktop/server detection, and reporting of available …Read More
November 19, 2019
Authenticated SNMP v3 Support
After announcing v1.1.5 with the new Switch Topology report, quite a few folks wrote in to ask if this feature was available in SNMPv3 environments. As of this evening, the answer is yes. To leverage SNMP v3 credentials in a Rumble scan, set the following options in the …Read More