Microsoft Windows NT 4.0 SNMP Community Name Vulnerability
BID:2112
Info
| Bugtraq ID: | 2112 |
| Class: | Design Error |
| CVE: | CVE-1999-0517 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Nov 17 1998 12:00AM |
| Updated: | Jul 11 2009 04:46AM |
| Credit: | This vulnerability was disclosed in Network Associates, Inc. SECURITY ADVISORY #30 dated November 17, 1998 |

Vulnerable:
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows NT 4.0 SP6
Microsoft Windows NT 4.0 SP5
Microsoft Windows NT 4.0 SP3
Microsoft Windows NT 4.0 SP2
Microsoft Windows NT 4.0 SP1
Microsoft Windows NT 4.0

Not Vulnerable:
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT 4.0 SP6a
Microsoft Windows NT 4.0 SP6
Microsoft Windows NT 4.0 SP5
Microsoft Windows NT 4.0 SP4
Microsoft Windows 2000 Terminal Services
Microsoft Windows 2000 Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server
Discussion
Windows NT 4.0 and Windows 2000 provide an optional SNMP (Simple Network Management Protocol) service. SNMP allows remote retrieval and setting of information about the TCP/IP networking stack. The SNMP service offers two levels of access: read-only and read/write. Every version of the SNMP service shipped with Windows NT 4.0 before Service Pack 4 only offers read/write access to SNMP functions; there is no way to configure a community as "read-only". Service Pack 4 introduced the ability to set each community's permission to either "read-only" or "read/write".
SNMP uses a simple authentication scheme: anyone who knows a "community name" gains the access associated with it. A default installation of SNMP on Windows NT 4.0 grants access with the community name "public". This alone is a security risk, although most administrators running SNMP would likely change the default community name. Unfortunately, SNMP community names are stored in the registry in plaintext and can be read by anybody who can access that key. IP address restrictions can also be configured to control which hosts may use SNMP functions, but the restriction data is likewise stored in the registry in plaintext, and because SNMP runs over UDP the restriction can be circumvented with packets carrying a forged source address. An attacker using this approach would not receive the responses from the SNMP service, but could still issue "set" requests that alter network-critical settings such as the IP routing table and ARP table, IP forwarding, IP TTL (time to live), and the enabled/disabled state of interfaces. The SNMP service is not installed by default and must be added by the Windows NT administrator. Windows 2000 also stores SNMP community names and IP restrictions in the registry.
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
Upgrade to Service Pack 4 to enable SNMP read-only permissions if "set" access is not required. In addition to this, restrict read access to the registry keys (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities) to authorized local users only.
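As an added, defender-side example (not code from the SecurityFocus entry or from the NAI advisory), the following Python script audits an offline `reg export` of the SNMP Parameters key for the three weaknesses the discussion and solution above describe: the default community name, communities that carry write access, and missing manager (source IP) restrictions. It assumes the Service Pack 4 / Windows 2000 layout of ValidCommunities (community name as value name, a DWORD permission where 4 means READ ONLY and 8 means READ WRITE) and the PermittedManagers subkey for IP restrictions; that permission encoding, the pre-SP4 string layout the script tolerates, and the sample export are all assumptions or constructed data. A registry export carries no ACLs, so the second half of the fix (restricting read access on the key) still has to be verified on the host itself.

```python
"""Audit an exported SNMP service registry key for the weaknesses in BID 2112.

Added example, not code from the advisory. Reads a `reg export` of
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SNMP\\Parameters
and reports default community names, write-capable communities and missing
manager (source IP) restrictions. Registry ACLs cannot be audited from an
export; review those on the host.
"""
import re
from dataclasses import dataclass

SNMP_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters"
COMMUNITIES_KEY = SNMP_PARAMS + r"\ValidCommunities"
MANAGERS_KEY = SNMP_PARAMS + r"\PermittedManagers"

# Assumed SP4 / Windows 2000 encoding of the per-community permission DWORD.
PERMISSION_NAMES = {1: "NONE", 2: "NOTIFY", 4: "READ ONLY", 8: "READ WRITE", 16: "READ CREATE"}
WRITE_CAPABLE = {8, 16}
DEFAULT_COMMUNITIES = {"public", "private"}  # well-known defaults worth flagging

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"(.+)"=dword:([0-9a-fA-F]{8})$')
STRING_RE = re.compile(r'^"(.+)"="(.*)"$')

# Constructed sample export: a default-looking host that still uses "public"
# with read/write access and has no PermittedManagers entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities]
"public"=dword:00000008
"netmon-ro"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers]
"""


def parse_reg_export(text):
    """Parse the subset of .reg syntax these keys use: [key] headers,
    "name"=dword:hex and "name"="string" values. Key paths are stored
    lower-cased so lookups are case-insensitive. Real exports are UTF-16;
    open them with encoding="utf-16" before passing the text here."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = DWORD_RE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = STRING_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2)
    return keys


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    detail: str


def audit_snmp_config(keys):
    """Return findings for a parsed export; an empty list means nothing flagged."""
    findings = []
    communities = keys.get(COMMUNITIES_KEY.lower(), {})
    for value_name, data in communities.items():
        if isinstance(data, str):
            # Assumed pre-SP4 layout: numbered REG_SZ values holding the name.
            # Pre-SP4 agents have no read-only mode, so every name is read/write.
            name, perm = data, None
            findings.append(Finding("high", f'community "{name}" on a pre-SP4 agent is '
                                    'implicitly read/write; upgrade to SP4 and set READ ONLY'))
        else:
            name, perm = value_name, data
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding("high", f'default community name "{name}" is configured; rename it'))
        if perm in WRITE_CAPABLE:
            findings.append(Finding("high", f'community "{name}" has {PERMISSION_NAMES[perm]} access; '
                                    'use READ ONLY (4) unless SNMP set is required'))
    managers = keys.get(MANAGERS_KEY.lower())
    if not managers:
        findings.append(Finding("medium", "no PermittedManagers entries: the agent answers any source address"))
    else:
        findings.append(Finding("info", "manager restriction is by source IP only and can be bypassed with "
                                "forged UDP packets; rely on READ ONLY and host filtering as well"))
    return findings


if __name__ == "__main__":
    for f in audit_snmp_config(parse_reg_export(SAMPLE_REG)):
        print(f"[{f.severity}] {f.detail}")
```

Running the script against the constructed sample reports the "public" name, its read/write permission and the absence of manager entries; a hardened export (a renamed read-only community plus PermittedManagers entries) yields only the informational note that source-address filtering is spoofable, which is the advisory's reason for preferring read-only access over IP restrictions alone.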