
Under New Management: Practical Attacks on SNMPv3

Nigel Lawrence and Patrick Traynor
Georgia Tech Information Security Center (GTISC), Georgia Institute of Technology {nlawrence@

Abstract

Monitoring is a necessity for both reducing downtime and ensuring rapid response in the case of software or hardware failure. Unfortunately, one of the most widely used protocols for monitoring networks, the Simple Network Management Protocol (SNMPv3), does not offer an acceptable level of confidentiality or integrity for these services. In this paper, we demonstrate two attacks against the most current and secure version of the protocol with authentication and encryption enabled. In particular, we demonstrate that under reasonable conditions, we can read encrypted requests and forge messages between the network monitor and the hosts it monitors. Attacks are made possible by an insecure discovery mechanism, which allows an adversary capable of compromising a single network host to set the keys used by the security functions.


Our attacks show that SNMPv3 places too much trust in the underlying network, and that this misplaced trust introduces vulnerabilities.

Introduction

Managing large networks can be a daunting task. Such systems regularly contain thousands of devices, ranging from traditional desktop computers and servers to switches, printers and IP-enabled appliances. Ensuring that all such devices remain responsive and that they perform their assigned duties requires significant resources from the network operator. Fortunately, tools and protocols such as the Simple Network Management Protocol (SNMP) exist to assist in this task. A number of features associated with SNMP have changed since its initial standardization [12], but the most important revisions in the current release of this protocol (SNMPv3) focus on security. Requests to view status and change settings can now be both authenticated and made confidential, reducing the attack surface within a network. While the individual constructions used to provide these security guarantees are well understood (e.g., HMAC), the overall security of the protocol itself has not been evaluated. Accordingly, we are left with the following question: Does SNMPv3 achieve the confidentiality and authenticity guarantees that it aims to provide?

In this paper, we demonstrate that SNMPv3 fails to provide its advertised security. First, we demonstrate that the contents of encrypted messages to any host in the network can be recovered through the compromise of only a single machine. Second, we then demonstrate that spoofed messages that pass all authentication checks can be injected for any host in the network using the same compromised platform. In some cases checks can also be redirected to other hosts without compromising a host. The vulnerabilities we demonstrate are implementation-agnostic, and demonstrate a fundamental flaw in the current protocol. This flaw occurs in the discovery mechanism used in the User-based Security Model for SNMPv3. Discovery is primarily used to exchange identifiers and timing information between agents. Unfortunately, it also partially determines the encryption and authentication keys that are used. Because discovery messages are sent unencrypted and unauthenticated, a MITM can manipulate the keys used to protect the integrity and confidentiality of SNMP messages. Because the discovery mechanism is itself vulnerable, it can be manipulated to allow an attacker to select the encryption and authentication keys used by the protocol. Successfully executed, such attacks could potentially allow an adversary to reveal information about devices within the network, as well as to potentially modify device behavior. For instance, on a UPS it may be possible to disable the audible alarms, modify the nominal input/output voltages and frequencies, or shut it down remotely [11]. Other devices such as switches may allow modification of security settings which include: disabling protection from unicast flooding, disabling port security, or changing the list of secure MAC addresses [2].

We implement and demonstrate both of our attacks in a network using Nagios [3] and Net-SNMP [4], one of the most widely used implementations of SNMPv3. We then discuss considerations to make such attacks successful and to avoid detection. Finally, we discuss potential mitigation for this threat, including changes to SNMPv3.

Networks today are often large and complex, and maintaining the devices on those networks is a considerable challenge. Network administrators are often tasked with monitoring and maintaining a wide variety of devices on their network (e.g., servers, routers), and an increasing number of these devices have extremely limited or entirely lack on-board user interfaces (e.g., HVAC controls, PDUs, sensors, etc.). The SNMP protocol solves several problems for administrators. For instance, it allows them to configure and monitor devices that may otherwise be difficult to access. For many devices, configuration must be done via SNMP, the serial port, or a web interface. Of these options, only SNMP allows for scalable configuration management across a diverse group of devices. For example, a managed LAN switch can be configured with features such as port-specific Quality of Service (QoS) and lists of authorized MAC addresses through SNMP requests. An administrator can then verify or modify the configuration of all of their managed switches through a single application. Accordingly, SNMP is found in virtually every large network as a matter of course.

In this section, we give a brief overview of the technical details required to understand the weaknesses in SNMPv3.

Messages: SNMP is a protocol used to monitor networked devices. These devices often include printers, routers, switches, servers, air conditioners, power distribution units (PDUs), temperature sensors, and many other devices. Monitored devices run an SNMP agent, which typically communicates with a manager. Some request types are used by the manager to change the values of Object Identifiers (OIDs) on managed devices.

Discovery: Discovery is the process by which SNMPv3 agents learn the snmpEngineID of another agent and synchronize their timing information. The snmpEngineID is a unique identifier for SNMP agents. Because it is required to perform authentication and encryption, discovery occurs before the sending of authenticated requests. Discovery has two parts, both of which occur without authentication or encryption. In the first, a request is sent to an SNMP agent to request the agent's snmpEngineID. Upon receipt of the request, a response is sent containing that agent's snmpEngineID. Because the discovery process is completely unprotected, the received snmpEngineID cannot be verified.

In order to provide integrity and confidentiality, SNMPv3's User-based Security Model (USM) allows for several different security levels depending on the user. We focus specifically on the authPriv security level, which requires the use of both authentication and encryption [9].

SNMPv3 provides message integrity/authentication by using an MD5 or SHA-1 HMAC of the snmpEngineID using the password as the key. The resulting HMAC is then used as a localized key for both authentication and encryption [9]. SNMPv3 localized keys allow each host to use different encryption/authentication keys even if they are configured with the same password. The localized key is then used to create a keyed hash of the whole packet, which is verified upon receipt. Packets are encrypted using either the Data Encryption Standard (DES) or the Advanced Encryption Standard (AES) with the aforementioned HMAC used as the key [9, 8]. The SNMPv3 request/response field containing the request ID, request type, and requested OID is encrypted in each message; both usernames and snmpEngineIDs are left unencrypted.

Key Management: Because every agent has its own localized key, agents must decide which key to use when sending messages. Localized keys are generated based on the combination of password and snmpEngineID. Most SNMP agents only respond to queries, so the responding agent's keys are almost always used for secure communication. This will be the case in all of our examples. This allows most agents to communicate without knowing the password used to generate their key. The small number of agents that generate requests are typically configured to send a request to a given IP address, and to use a specific password for authentication and encryption. The requesting agent uses discovery to retrieve the snmpEngineID associated with a given IP address, and then generates the keys it will use.

Figure 1: An example exchange. The manager sends a discovery message to the intended device and receives a response indicating the snmpEngineID associated with that device; a request is then sent and the requested value is returned.

Vulnerabilities

The attacks we demonstrate highlight two main weaknesses. The first is that the discovery messages used to negotiate the authentication and encryption keys are neither authenticated nor encrypted.
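The key management description above turns on one fact: the localized key a manager uses for a host is a function of exactly two inputs, the configured password and the snmpEngineID that discovery returned for that host. The following Python is an added example, not code from the paper or from Net-SNMP; it implements the RFC 3414 password-to-key and key-localization steps (the derivation the paper describes as an HMAC of the snmpEngineID), shows that the engineID is the only per-host input, and adds a hypothetical manager-side check that pins the engineID seen on first contact and reports any later change, one of the detection measures a defender can apply while discovery itself remains unauthenticated. The "maplesyrup" password and the 12-byte engineID are the RFC 3414 Appendix A test vector; the host names and the second engineID are constructed for the example.

```python
import hashlib

# RFC 3414 A.2: the password is repeated cyclically until 1,048,576 bytes
# have been hashed; the digest is the non-localized user key Ku.
PASSWORD_TO_KEY_LENGTH = 1048576


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Derive Ku from the password (RFC 3414 A.2.1 for MD5, A.2.2 for SHA-1)."""
    if not password:
        raise ValueError("empty password")
    reps = PASSWORD_TO_KEY_LENGTH // len(password) + 1
    stream = (password * reps)[:PASSWORD_TO_KEY_LENGTH]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Localize Ku to one engine: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Full derivation: the only per-host input is the snmpEngineID."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def check_discovered_engine_id(pins: dict, host: str, discovered: bytes) -> str:
    """Hypothetical manager-side check (not part of the USM): pin the
    snmpEngineID learned on first contact and flag any later change.
    Returns 'new' on first contact, 'ok' if unchanged, 'mismatch' otherwise."""
    known = pins.get(host)
    if known is None:
        pins[host] = discovered
        return "new"
    return "ok" if known == discovered else "mismatch"


def demo() -> dict:
    """Two hosts share one password; their keys differ only through engineID."""
    password = b"maplesyrup"                                   # RFC 3414 test vector
    engine_a = bytes.fromhex("000000000000000000000002")       # RFC 3414 test vector
    engine_b = bytes.fromhex("8000000003001122334455")         # constructed engineID
    key_a = localized_key(password, engine_a)
    key_b = localized_key(password, engine_b)

    # A manager that derives its key from whatever engineID discovery
    # returned gets key_a whenever it is handed engine_a, regardless of
    # which host it believes it is talking to.
    assumed_for_b = localized_key(password, engine_a)

    pins: dict = {}
    first = check_discovered_engine_id(pins, "host-b.example", engine_b)   # 'new'
    steady = check_discovered_engine_id(pins, "host-b.example", engine_b)  # 'ok'
    changed = check_discovered_engine_id(pins, "host-b.example", engine_a)  # 'mismatch'
    return {
        "keys_differ": key_a != key_b,
        "key_is_engine_id_function": assumed_for_b == key_a,
        "pin_results": (first, steady, changed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The pinning check is deliberately simple: it cannot authenticate discovery, but it turns a silently substituted snmpEngineID into a logged event, which is the point a monitoring operator most wants to catch. A legitimate engineID change (device replacement, firmware reset) shows up the same way and has to be confirmed out of band before the pin is updated.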

