What is it?
Simple Network Management Protocol (SNMP) is used by network administrators to monitor and control devices (computers, routers, printers, etc.) remotely. There are 3 versions of SNMP. SNMP uses ports 161 and 162.
Wikipedia (link below) provides a good overview of the versions, capabilities and security implications of SNMP.
Why is it a risk?
Being able to control devices remotely is inherently both powerful and dangerous.
All three versions of SNMP have vulnerabilities. Versions 1 & 2 send data unencrypted, which allows attackers to eavesdrop on the commands and responses. While version 3 uses encryption and authentication keys, it can be manipulated to override the keys being used.
A Denial of Service (DoS) attack is when an attacker attempts to overwhelm a victim’s server.
A Distributed Denial of Service (DDoS) attack is when the attacker uses many unwitting accomplice computers to attack their victim. By orchestrating the actions of many computers, it is easier for the attacker to overwhelm their victim.
A server with a publicly accessible port (like the one described in this alert) can be turned into such an accomplice.
How can you mitigate the risk?
Turn SNMP off on devices if you are not using it.
Disallow SNMP across the Internet using firewall rules: either block all traffic on ports 161 & 162 or limit access to specific IP addresses or MAC addresses.
Switch to SNMPv3; it’s much more secure than versions 1 or 2.
Don’t use the default “community read string.” Create a strong community string at least 20 characters long using the same rules that you would use for generating passwords.
Don’t use NoAuthNoPriv mode in version 3; it makes version 3 act more like version 2.
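As an added example that is not part of the original alert, the following Python script decodes the cleartext header of a captured SNMP datagram and reports the version, the community string (v1/v2c) and the security level (v3), flagging the weaknesses listed above: v1/v2c in use, a default or short community string, and v3 without authPriv. The two sample datagrams and the set of default community strings are constructed for this example.

```python
# Added example, not from the original alert: decode the cleartext header of one SNMP
# datagram to audit its version, community string (v1/v2c) and security level (v3).
# BER layout, v1/v2c: SEQUENCE { version INTEGER, community OCTET STRING, pdu };
# v3: SEQUENCE { version INTEGER 3, msgGlobalData SEQUENCE { msgID, msgMaxSize, msgFlags, ... }, ... }
DEFAULT_COMMUNITIES = {"public", "private"}  # assumption: common factory defaults
VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}

def _read_tlv(data, offset, want):
    """Return (value, next_offset) for the BER element at offset; check its tag."""
    tag, length, offset = data[offset], data[offset + 1], offset + 2
    if tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, offset = int.from_bytes(data[offset:offset + n], "big"), offset + n
    value = data[offset:offset + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return value, offset + length

def audit_snmp_datagram(datagram):
    """Return a dict with version, community, security_level and a list of findings."""
    body, _ = _read_tlv(datagram, 0, 0x30)          # outer SEQUENCE
    ver, pos = _read_tlv(body, 0, 0x02)             # version INTEGER
    version = int.from_bytes(ver, "big", signed=True)
    result = {"version": VERSION_NAMES.get(version, f"unknown({version})"),
              "community": None, "security_level": None, "findings": []}
    if version in (0, 1):  # community-based: the community string itself is cleartext
        community, _ = _read_tlv(body, pos, 0x04)   # OCTET STRING
        result["community"] = community.decode("latin-1")
        result["findings"].append("v1/v2c: commands, responses and community string in cleartext")
        if result["community"] in DEFAULT_COMMUNITIES:
            result["findings"].append("default community string in use")
        elif len(result["community"]) < 20:
            result["findings"].append("community string shorter than 20 characters")
    elif version == 3:  # msgFlags bit 0 = auth, bit 1 = priv, bit 2 = reportable
        global_data, _ = _read_tlv(body, pos, 0x30)
        _, pos = _read_tlv(global_data, 0, 0x02)    # msgID
        _, pos = _read_tlv(global_data, pos, 0x02)  # msgMaxSize
        flags, _ = _read_tlv(global_data, pos, 0x04)
        level = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}.get(flags[0] & 0x03, "invalid")
        result["security_level"] = level
        if level != "authPriv":
            result["findings"].append(f"{level}: v3 without both authentication and encryption")
    return result

# Constructed samples: a v2c GetRequest for sysDescr.0 with community "public", and the
# leading bytes of a v3 message whose msgFlags (0x04) select noAuthNoPriv.
SAMPLE_V2C = bytes.fromhex("302902010104067075626c6963a01c02041f3c8f46020100020100"
                           "300e300c06082b060102010101000500")
SAMPLE_V3_NOAUTH = bytes.fromhex("30150201033010020400000001020205dc040104020103")
```

Run it over datagrams captured on UDP port 161 to inventory which devices still speak v1/v2c or accept NoAuthNoPriv before turning SNMP off or restricting it at the firewall.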
Resources:
Wikipedia SNMP
https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol