Security Surprises with SNMP v3
Update (2021-10-08): This issue was cited in an excellent paper on SNMP v3 discovery by Taha Albakour, Oliver Gasser, Robert Beverly, and Georgios Smaragdakis. If you are interested in this type of research, please check out our Modern Network Discovery presentation and research-tagged blog posts. Rumble uses these techniques for device fingerprinting, remote MAC detection, age detection and multi-homed (alias) interface discovery.
Earlier this week, Gerry Gosselin and Eric Rioux of VertitechIT were investigating a strange result in the Rumble asset inventory; After scanning an external subnet with Rumble, they noticed that the main internet router was responding to SNMP probes on its normal address and HSRP address. The router in question had a strong SNMP v2 community as well an IP ACL on the SNMP service. Rumble still reported the router vendor, manufacturing date, and MAC address via SNMP, all unauthenticated and from the internet. What was going on?
The router that Gerry and Eric were testing had the following SNMP and ACL configuration in place:
snmp-server community OURCOMMUNITY RO SNMP_ALLOWED snmp-server ifindex persist ip access-list standard SNMP_ALLOWED permit x.x.x.0 0.0.0.255
Although the SNMP v2 server was properly restricted and SNMP v3 was not explicitly configured, the SNMP v3 service was still leaking information about the device via unauthenticated requests from the internet.
SNMP is known to be a common weak point in device security. Default, guessible, and hardcoded SNMP communities expose information and management capabilities to the network at large. The lack of encryption in SNMP v1 and v2 allow attackers to capture credentials sent by management tools. Attackers can abuse the weak security of one device to obtain sensitive information about other systems on the network.
These concerns led to the development of SNMP v3, which introduces encryption, strong authentication, and message integrity. SNMP v3 has been the official version of the protocol since 2004, but still holds a few surprises when it comes to information exposure. To successfully authenticate over SNMP v3, the client device needs the EngineID of the server, and obtains this by sending a minimal SNMP v3 request. The response includes both the Authoritative EngineID and the Context EngineID:
These EngineID values expose a vendor name and often, the MAC address of the device. The MAC address in turn can be used to identify the vendor and manufacturing date of the device (via mac-ages). Rumble will also correlate the MAC address across the scan scope, linking all responsive IP addresses to the same asset using this technique. The EngineBoots, EngineTime, and the usmStatsUnknownEngineIDs counter (the final reported value) can be useful to an attacker are well.
Preventing this exposure requires explicit ACLs on the external interfaces. Gerry and Eric were able to stop this information leak by applying a UDP ACL on port 161. No changes were needed to the existing SNMP v2 configuration.
ip access-list extended INTERNET_IN deny udp any x.x.x.0 0.0.0.255 eq snmp
In cases where SNMP v3 over TCP is used, additional ACL lines may be necessary to completely block access to the SNMP v3 service. If you find this stuff interesting, you might like our recent talk on Modern Network Discovery, which covers the SNMP v3 information leaks (slide 25) among other methods used by Rumble to discover and enumerate network devices.
Thanks again to Gerry Gosselin and Eric Rioux of VertitechIT for reaching out about this issue, identifying the root cause, and sharing their notes!
Update: It appears that Cisco bug CSCtw74132 (“SNMP v3 information leaking vulnerability” April 18, 2019) may be the root cause and may apply to a wider range of products than initially thought:
May 10, 2022
Rumble 2.13: Sync assets & software from SentinelOne, track more cloud resources, view cross-organization inventory, and schedule automated reports
What’s new with Rumble 2.13? Sync asset and software inventory from SentinelOne Explore software identified through Rumble scans Track more cloud resources from AWS, Azure, and GCP Work with your asset inventory across organizations Schedule and email the …Read More
April 5, 2022
Rumble 2.12: Generate organization reports, create scan templates, synchronize GCP, and invite external users
What’s new with Rumble 2.12? Generate Organization Overview Report for stakeholders Create scan templates to simplify scan management Synchronize your GCP virtual machines to Rumble Invite external Rumble users to your account Fingerprints and protocol updates User …Read More
November 2, 2021
Rumble 2.8: Synchronize your VMware inventory, import Censys scan data, and run RFC 1918 scans faster
What’s new with Rumble 2.8? Integration improvements Synchronize your VMware virtual machine inventory Import external scan data from Censys Scan, search, and self-hosted improvements Discover all RFC 1918 networks, faster Customize scan schedules with more options …Read More