Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: MS06-074: SNMP Buffer Overflow (CVE2006-5583) - Internet Security | DShield SANS ISC InfoSec Forums


MS06-074: SNMP Buffer Overflow (CVE2006-5583)
The Simple Network Management Protocol (SNMP) service is vulnerable to a buffer overflow. This service is typically used to manage network devices. Home users are not likely to have this service installed. However, many larger networks will use SNMP to control and monitor networked workstations and servers.

According to a note from Dave Aitel, Immunity released an exploit for this vulnerability to its customers.

In order to disable this service, or to check if it is running, use the "services" tab in your control panel and make sure the 'SNMP Service' is not running. You will not see an entry for SNMP service if it is not installed.

This patch is a "patch now" for all networks that use SNMP. The SNMP service runs as "system", and a successful exploit would provide an attacker with full access. The Microsoft bulletin only talks about port 161 UDP for this vulnerability, so one can assume that SNMP trap messages are not affected.

Common sense SNMP security (regardless of the vulnerability):
  • block port 161/udp and 162/udp at your perimeter (SNMPv3 may use TCP).
  • use a hard to guess community string (anything but "public").
  • disable SNMP listeners if you do not need them.
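
The host-side checks above (is the 'SNMP Service' installed and running, is the community string something other than "public", is the listener needed at all) can be scripted. The following PowerShell is an added example, not part of the original diary or Microsoft's bulletin; it assumes the standard Windows SNMP service name and registry layout and an elevated prompt, and the `-Disable` switch is a parameter of this example only.

```powershell
# Added example: read-only audit of the local Windows SNMP service.
# Pass -Disable to stop the service and set its startup type to Disabled.
param([switch]$Disable)

$svc = Get-Service -Name 'SNMP' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'SNMP Service is not installed; nothing to audit.'
    return
}
Write-Output ("SNMP Service status: {0}" -f $svc.Status)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
# Access right stored as the DWORD data of each community-string value
$rights = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }

# Community strings are the value names under ValidCommunities
$comm = Get-Item -Path "$base\ValidCommunities" -ErrorAction SilentlyContinue
$names = @()
if ($comm) { $names = @($comm.GetValueNames()) }
if ($names.Count -eq 0) { Write-Output 'No community strings configured.' }
foreach ($name in $names) {
    $right = $rights[[int]$comm.GetValue($name)]
    if ($name -ieq 'public') {
        Write-Warning ("Community string 'public' is accepted ({0}); replace it." -f $right)
    } else {
        # Do not print the string itself; it is effectively a password
        Write-Output ("Community string of length {0} accepted ({1})." -f $name.Length, $right)
    }
}

# An empty PermittedManagers key means requests are accepted from any host
$mgr = Get-Item -Path "$base\PermittedManagers" -ErrorAction SilentlyContinue
$hosts = @()
if ($mgr) { $hosts = @($mgr.GetValueNames() | ForEach-Object { $mgr.GetValue($_) }) }
if ($hosts.Count -eq 0) {
    Write-Warning 'No permitted managers listed: SNMP packets are accepted from any host.'
} else {
    Write-Output ("Permitted managers: {0}" -f ($hosts -join ', '))
}

if ($Disable) {
    Stop-Service -Name 'SNMP' -Force
    Set-Service -Name 'SNMP' -StartupType Disabled
    Write-Output 'SNMP Service stopped and disabled.'
}
```

Community strings pushed through Group Policy are stored elsewhere and are not covered by this check.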
References:
KB926247
CVE2006-5583







Johannes
