Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:55 PM
Connect Directly

Network Management Systems Vulnerable To SNMP Attacks

Products from many vendors vulnerable to XSS attacks because of basic input validation errors, Rapid7 says in report.

Many network management systems that are used to discover and monitor desktops, servers, printers, and other equipment connected to the network such as routers and switches, are vulnerable to attacks via the Simple Network Management Protocol (SNMP).

Security vendor Rapid7 says it discovered the issue when researching how attackers could leverage SNMP to target systems that rely heavily on the protocol. It decided to look at network management systems because of how attractive such systems are to attackers looking to scope a target network, and because of how extensively network management software and hardware uses SNMP to manage and monitor network devices.

The exercise led to Rapid7 finding a total of 13 vulnerabilities in network management products from nine vendors that would have let adversaries carry out sustained cross-site scripting attacks over SNMP. The nine vendors are Spiceworks, Ipswitch, Castle Rock, ManageEngine, CloudView, Paessler, Opmantek, Opsview, and Netikus. The new report consolidates the findings of Rapid7s previous research on the topic.

All of the vulnerabilities resulted from a failure to validate machine-provided input, Rapid7 said in the report.  “Machine-to-machine communications often escape the scrutiny afforded to more typical user-to-machine communication,” the authors of the report noted. In this case, the oversight exposed the web-based administration consoles of the systems from the nine vendors to persistent XSS attacks and a format string exploit, Rapid7 said.

All nine vendors were notified of the issue and the vulnerabilities have subsequently been patched.

Most modern network management systems are managed via web-based interfaces, use SNMP by default to track and manage systems, and can be configured to automatically receive device SNMP data or "traps" from systems on the network.

From an attacker’s standpoint, network management systems provide an ideal target because they maintain information in near real-time about the network components they manage. Such systems can point attackers to the most valuable targets on a network including less-obvious ones like a printer doing payroll runs, or an HR server with personally identifiable information on employees, Rapid7 said.

One problem is that most network management systems implicitly trust data received from any new device on the network during the discovery process, without properly validating the input before processing it. This gives attackers a way to plant a rogue device on the network, wait for it to be discovered by the NMS and then use the rogue device to deliver a persistent XSS payload. Since network management systems are frequently monitored, most XSS payloads will get triggered fairly quickly, the security researchers at Rapid7 said.

Typically, XSS attacks involve the use of HTTP requests to the targeted web application. In this case, the researchers showed how the SNMP protocol could be used just as effectively to enable relatively easy attacks on network management systems.

For the attacks described by the researchers in the paper, an adversary would need a way to plant a rogue device on the network. The device can be a small, easy-to-hide device such as a Raspberry Pi or a Beaglebone, which are easy to drop in a conference room, behind a printer or under a desk, and go completely unnoticed, says Deral Heiland, research lead at Rapid7 and lead author of the report.

“During pen testing [and] red team exercises we have done exactly that,” he says.

“Physical access to the network to drop a rogue device would make it possible to leverage the device discovery attack we discussed in our paper,” he says. “It is also possible if a networked system is compromised via some remote method to reconfigure the device’s SNMP setting with attack code, so when the data is consumed by the NMS, the exploit would work.”

Related stories:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-13
The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.