
Security Best Practice: Protect Yourself against Multiple SNMP Vulnerabilities


Check Point Reference: SBP-2007-03
Date Published:
Severity:
Last Updated:
Source: SmartDefense Research Center
Protection Provided by:
VPN-1
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Connectra
  • NGX R62
  • NGX R61
Who is Vulnerable?
Network devices that support SNMP
Vulnerability Description
The Simple Network Management Protocol (SNMP) is an application layer protocol that is part of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. SNMP allows administrators to remotely manage network devices made by many different vendors, including servers, workstations, routers, firewalls, and so forth. The SNMP Service allows the local computer to service incoming SNMP requests.
SNMP is subject to multiple attacks, including message-length attacks, invalid-command attacks, and invalid-version attacks. Such attacks may lead to a buffer overflow on an affected system. Some of these attacks may also hide malicious code or format string characters in the body of an SNMP message.
Vulnerability Details
SmartDefense offers several preemptive protections against SNMP related vulnerabilities:

Invalid SNMP Data Length - An attacker can cause a buffer overflow on a vulnerable system via malicious SNMP messages with an invalid data length. When the protection is enabled, SmartDefense blocks SNMP messages with a malformed data length.

Invalid SNMP Version - There are currently 3 versions of the SNMP protocol: SNMPv1, SNMPv2 and SNMPv3. To prevent invalid version based attacks, SmartDefense will detect and block SNMP messages that have a malformed or missing version field.

Invalid SNMP PDU Type - The SNMP protocol is controlled by a list of PDU types (commands). By enabling the protection, SmartDefense will detect and block invalid SNMP commands.

Invalid SNMP PDU Type Length - Overly long SNMP commands may cause a buffer overflow on an affected system. SmartDefense will detect and block PDU types with a malformed size.
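
The four checks above can be illustrated as structural validation of the BER-encoded SNMP message. The following is an added example, not Check Point code and not part of the original advisory; it covers community-based SNMPv1/v2c messages only, and the mapping of each condition to a log string (as well as the names read_tlv, check_snmp and GOOD) is an assumption made for illustration.

```python
# Added example: structural SNMP checks named after this advisory's log entries.
VALID_VERSIONS = {0, 1, 3}               # wire values: SNMPv1, SNMPv2c, SNMPv3
VALID_PDU_TAGS = set(range(0xA0, 0xA9))  # GetRequest (0xA0) through Report (0xA8)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the BER TLV at pos, or None if
    the header is truncated or the declared length overruns the buffer."""
    if pos + 2 > len(buf):
        return None
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length >= 0x80:                   # long form: low 7 bits count length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            return None                  # indefinite, oversized or truncated length
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        return None
    return tag, pos, pos + length

def check_snmp(datagram):
    """Return the first violation found in a UDP payload, or None if it passes."""
    outer = read_tlv(datagram, 0)
    if outer is None or outer[2] != len(datagram):
        return "Invalid SNMP data length"
    if outer[0] != 0x30:                 # the message must be a SEQUENCE
        return "Malformed SNMP data"
    ver = read_tlv(datagram, outer[1])
    if (ver is None or ver[0] != 0x02 or ver[2] - ver[1] != 1
            or datagram[ver[1]] not in VALID_VERSIONS):
        return "Invalid SNMP version"
    if datagram[ver[1]] == 3:
        return None                      # SNMPv3 header differs; not inspected here
    comm = read_tlv(datagram, ver[2])
    if comm is None or comm[0] != 0x04:  # community must be an OCTET STRING
        return "Malformed SNMP data"
    if comm[2] >= len(datagram) or datagram[comm[2]] not in VALID_PDU_TAGS:
        return "Invalid SNMP PDU type"
    pdu = read_tlv(datagram, comm[2])
    if pdu is None or pdu[2] != len(datagram):
        return "Invalid SNMP PDU type length"
    return None

# Constructed sample: SNMPv1 GetRequest for sysDescr.0 with community "public".
GOOD = bytes.fromhex("302602010004067075626c6963a019020101020100020100"
                     "300e300c06082b060102010101000500")
```

Every declared length is compared against the bytes actually present before it is used as an offset, which is the check a vulnerable parser omits.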

Protection Overview
SmartDefense offers several preemptive protections against SNMP related vulnerabilities. The protections allow you to detect and block SNMP messages that have malformed or missing fields, to block overly long or malformed SNMP commands and more.

In order for the protection to be activated, update your VPN-1/InterSpect/Connectra product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > SNMP Protocol Inspection > Block GetBulk Vulnerability (MS06-074).



2. In the configuration pane, under Settings > Mode, check Active.



3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SNMP Protection Violation
Attack Information:
Malformed SNMP data
Invalid SNMP PDU type
Invalid SNMP PDU type length
Invalid SNMP data length
Invalid SNMP version

VPN-1 NGX R61, R60 & VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > SNMP Protocol Inspection.
2. Enable the following protection:

SNMP Enforcement



3. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SNMP Protection Violation
Attack Information:
Malformed SNMP data
Invalid SNMP PDU type
Invalid SNMP PDU type length
Invalid SNMP data length
Invalid SNMP version

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > SNMP Protocol Inspection.
2. Enable the following protection:

SNMP Enforcement

3. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rules 99161, 99162, 99163, 99164 and 99165 for malformed SNMP data, invalid SNMP PDU type, invalid SNMP PDU type length, invalid SNMP data length and invalid SNMP version, respectively.

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > SNMP Protocol Inspection.
2. Enable the following protection:

SNMP Enforcement

3. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rules 99161, 99162, 99163, 99164 and 99165 for malformed SNMP data, invalid SNMP PDU type, invalid SNMP PDU type length, invalid SNMP data length and invalid SNMP version, respectively.

InterSpect NGX

How Can I Protect My Network?
1. In the left-hand menu, click Profiles > Default Protection > SmartDefense. The SmartDefense page opens.
2. In the SmartDefense tree, click Application Intelligence > SNMP Protocol Inspection.
3. Enable the following protection:

SNMP Enforcement



4. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SNMP Protection Violation
Attack Information:
Malformed SNMP data
Invalid SNMP PDU type
Invalid SNMP PDU type length
Invalid SNMP data length
Invalid SNMP version

InterSpect 2.0

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > SNMP Protocol Inspection.
2. Enable the following protection:

SNMP Enforcement



3. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SNMP Protection Violation
Attack Information:
Malformed SNMP data
Invalid SNMP PDU type
Invalid SNMP PDU type length
Invalid SNMP data length
Invalid SNMP version

Connectra NGX R62/R61

How Can I Protect My Network?
1. In the left-hand menu, click Security > SmartDefense > Application Intelligence.
2. In the Dynamic Attacks pane, select the following:

SNMP Enforcement

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Attack Name: SNMP Protection Violation
Attack Information:
Malformed SNMP data
Invalid SNMP PDU type
Invalid SNMP PDU type length
Invalid SNMP data length
Invalid SNMP version