
StringBleed SNMP Vulnerability


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

A new vulnerability found in a number of devices offering SNMP (Simple Network Management Protocol) functionality can allow a remote, unauthenticated attacker to launch attacks against the affected devices with full read/write privileges, which could result in widespread compromises.

Threat details

SNMP is a network protocol that allows information on devices within a network to be accessed from a remote location for monitoring purposes. There are three versions of SNMP available for implementation, each improving on the previous one.

A key difference in version 3 is its authentication mechanism, which offers username and password authentication. This is considered more secure than versions 1 and 2, which rely on human-readable community strings. These work by sending the string along with each SNMP request; if the string matches the one configured on the device, the request is processed.

The recently discovered vulnerability, named StringBleed, was found during research into the use of weak community strings on public-facing SNMP-enabled devices using SNMP versions 1 and 2. While scanning the public IP address space, the researchers found that a number of devices appeared to authenticate regardless of the community string used. The flaw is present in over one hundred and fifty unique device types across multiple vendors, with new vendors being discovered regularly.

Once a vulnerable device is found, an attacker is presented with full read/write capabilities, allowing the device's operation to be disrupted and sensitive information to be read. This can provide further intelligence about the infrastructure of a target network.

The research into this topic has produced a list of affected cable modem models, which currently stands at seventy-eight vulnerable models that are publicly listed. With this information available, malicious attacks are more likely to be seen in the near future: the attack is easily adapted into an automated one that could compromise any vulnerable devices in a relatively short amount of time.
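To show concretely what the advisory means by a human-readable community string, here is an added Python example (not NHS Digital's code, and not from the StringBleed research) that decodes the header of an SNMPv1/v2c message as it would appear on the wire and flags the risk factors described above: a cleartext community string, a default value, and a write (SetRequest) PDU. The sample packets are constructed for illustration; the function and constant names are assumptions of this example.

```python
"""Decode the SNMP message header (version, community, PDU type) and report the
weaknesses the advisory describes.  Sample packets below are constructed."""

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {"public", "private"}   # widely shipped factory defaults

def _tlv(buf, pos):
    """Decode one BER tag/length/value (short or long definite length) at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n, length = length & 0x7F, 0
        for _ in range(n):
            length, pos = (length << 8) | buf[pos], pos + 1
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(packet):
    """Return (version, community, pdu_type); community/pdu are None for SNMPv3."""
    tag, body, _ = _tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")
    if version == 3:
        return "v3", None, None             # v3 carries USM security parameters here instead
    tag, community, pos = _tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag = body[pos]                     # the PDU is the next TLV; only its tag is needed
    return (VERSIONS.get(version, "unknown(%d)" % version),
            community.decode("latin-1"), PDU_TYPES.get(pdu_tag, "0x%02x" % pdu_tag))

def findings(packet):
    """Defender-side check: which of the advisory's risk factors does this message show?"""
    version, community, pdu = parse_snmp_header(packet)
    found = []
    if version in ("v1", "v2c"):
        found.append("community string sent in cleartext (%s)" % version)
        if community.lower() in DEFAULT_COMMUNITIES:
            found.append("default community string")
        if pdu == "SetRequest":
            found.append("write access attempted")
    return found

# Constructed sample: SNMPv1 SetRequest with community "private" and an empty varbind list.
SAMPLE_SET_V1 = bytes.fromhex(
    "30 19" "02 01 00" "04 07 70 72 69 76 61 74 65"        # SEQUENCE, version 0, "private"
    "a3 0b" "02 01 01" "02 01 00" "02 01 00" "30 00")      # SetRequest: req-id 1, no errors
# Constructed sample: the leading bytes of an SNMPv3 message (version 3, rest omitted).
SAMPLE_V3_HEADER = bytes.fromhex("30 03 02 01 03")
```

Running `findings(SAMPLE_SET_V1)` reports all three risk factors, while the v3 header yields none, which is the distinction the remediation steps below turn on.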


Remediation steps

  • Ensure devices are using the latest version of SNMP, SNMPv3, where possible. If SNMPv1 or v2 must be used, ensure they are not publicly reachable.
  • Segregate SNMP traffic using a separate management network, with data transferred independently of other traffic. If SNMP traffic must be transmitted alongside standard network traffic it should be encrypted. Where possible dedicated management ports should be used.
  • Ensure network community strings are not left with default settings. When configuring community strings implement strong password policies to ensure 
  • SNMPv3 provides authentication and encryption capabilities through the authPriv security level of the User-based Security Model (USM). Ensure that this is implemented on SNMP-enabled devices. If devices are unable to support authPriv, the alternative authNoPriv level can be used to provide some improvement in security.
  • Implement extended access control lists (ACLs) to prevent unauthorised devices or accounts from accessing SNMP-enabled devices. Access to devices with higher SNMP permissions should be strictly controlled.

Last edited: 17 February 2020 11:39 am