SNMP community name is world readable by default (SNMP_Lanman_Enum)

About this signature or vulnerability

RealSecure Network, RealSecure Server Sensor, RealSecure Desktop Protector, BlackICE Agent for Server, RealSecure Guard, RealSecure Sentry, BlackICE PC Protection, BlackICE Server Protection, IBM Security Server Protection for Windows, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Desktop, Proventia Network IPS, RealSecure Desktop Protector 3.6, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:

This signature detects enumeration of LanManager/Windows NT resources. This may indicate an attacker's attempt to view a Windows NT server's user database.


Default risk level

Low

Sensors that have this signature

RealSecure Network: 7.0, RealSecure Server Sensor: 7.0, RealSecure Desktop Protector: 3.6, BlackICE Agent for Server: 3.6, RealSecure Guard: 3.6, RealSecure Sentry: 3.6, BlackICE PC Protection: 3.6.cbd, BlackICE Server Protection: 3.6.cbd, IBM Security Server Protection for Windows: 1.0.914.0, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Network MFS: 1.0, Proventia-G 1.1 and earlier: G Series, Proventia Network IDS: A Series, Proventia Desktop: 8.0.614.1, Proventia Network IPS: 2.0, RealSecure Desktop Protector 3.6: baseline, RealSecure Desktop: baseline, Proventia Server IPS for Linux technology: 1.0, Virtual Server Protection for Vmware: 1.0

Systems affected

Microsoft Windows NT: 4.0, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows 2003 Server

Type

Pre-attack Probe

Vulnerability description

The Simple Network Management Protocol (SNMP) reveals a large amount of information, including shares, usernames, and the status of running services. The only authentication it offers is knowledge of the SNMP community name. If the community name is readable by Everyone, an attacker could gather information that should only be available to administrative users.

How to remove this vulnerability

Remove the SNMP Service if it is not required. If your systems require SNMP, take steps to secure the SNMP community names using the Registry Editor and the control panel.

To remove the SNMP Service:

— OR —

Change the permissions on the ValidCommunities registry key, and configure SNMP security settings in the Control Panel.

To edit the registry so that only approved users can access the SNMP Community Name:

CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems caused by the use of Registry Editor can be solved.

  1. Open Registry Editor. From the Windows Start menu, select Run, type regedt32, and click OK.
  2. Select the HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities registry key.
  3. From the Security menu, select Permissions to display the Registry Key Permissions dialog box.
  4. Set the permissions to permit only approved users access.

— AND —

To configure Windows SNMP security settings in the control panel:

  1. Open the SNMP Service security settings, using the steps listed below, depending on your version of Windows.
  2. Verify that your configuration contains the following security settings:
    • At least one Accepted Community Name exists. Empty lists cause SNMP to accept requests from anyone. (This is discussed in Microsoft Knowledge Base Article Q99880. See References.)
    • The Accepted Community Names are not default or easily guessed names, such as public.
    • The Only Accept SNMP Packets from These Hosts option is selected, and one or more hosts, IP addresses, or IPX addresses are specified.
    • Each host and community name in the lists is a valid, authorized destination.

To access the SNMP service security settings:

Microsoft Windows NT: 4.0
Edit the Registry to permit only approved users access to the SNMP Community Name. Edit the registry as follows:

  1. From the Start menu, select 'Run.'
  2. Type 'regedt32.exe' and click 'OK.' This opens the Registry Editor.
  3. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities.
  4. From the Security menu, choose 'Permissions'.
  5. Set the permissions to permit only approved users access.

Microsoft Windows 2000
Edit the Registry to permit only approved users access to the SNMP Community Name. Edit the registry as follows:

  1. From the Start menu, select 'Run.'
  2. Type 'regedt32.exe' and click 'OK.' This opens the Registry Editor.
  3. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities.
  4. From the Security menu, choose 'Permissions'.
  5. Set the permissions to permit only approved users access.
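
The registry and Control Panel checks above can be verified on a host with a read-only PowerShell audit. This is an added example, not ISS or Microsoft code. Assumptions not taken from this page: the PermittedManagers key name, the storage layout of community values, and the sample lists of weak names and broad groups.

```powershell
# Added example: read-only audit of the SNMP settings described above.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
# Assumptions: sample lists; extend for your site and for localized account names.
$weakNames  = @('public', 'private')
$broadUsers = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Get-SnmpCommunityFindings {
    $findings = @()
    $vcPath = Join-Path $base 'ValidCommunities'
    if (-not (Test-Path $vcPath)) {
        Write-Warning 'ValidCommunities key not found; SNMP Service may not be installed.'
        return $findings
    }

    # 1. Which broad groups are allowed any access to the key holding the community names?
    foreach ($ace in (Get-Acl -Path $vcPath).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadUsers -contains $ace.IdentityReference.Value) {
            $findings += "ACL: $($ace.IdentityReference.Value) is allowed $($ace.RegistryRights)"
        }
    }

    # 2. Accepted community names. Assumption: a community is stored either as the
    #    value name (DWORD data) or as the string data of a numbered value.
    $key = Get-Item -Path $vcPath
    $communities = @(foreach ($name in $key.GetValueNames()) {
        if ($key.GetValueKind($name) -eq 'String') { $key.GetValue($name) } else { $name }
    })
    if ($communities.Count -eq 0) {
        $findings += 'No accepted community names: requests are accepted from anyone'
    }
    foreach ($c in $communities) {
        if ($weakNames -contains $c) { $findings += "Default or easily guessed community name: $c" }
    }

    # 3. "Only Accept SNMP Packets from These Hosts" is stored under PermittedManagers.
    $pmPath = Join-Path $base 'PermittedManagers'
    $hostCount = 0
    if (Test-Path $pmPath) { $hostCount = @((Get-Item -Path $pmPath).GetValueNames()).Count }
    if ($hostCount -eq 0) { $findings += 'No permitted managers: packets are accepted from any host' }

    return $findings
}

Get-SnmpCommunityFindings | ForEach-Object { Write-Output "FINDING: $_" }
```

No output means none of the three conditions was found. The script reports only community names that match the weak-name list, so other community strings are not written to the console or to logs.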

References

Request for Comment document RFC 1157
A Simple Network Management Protocol (SNMP)
ftp://ftp.isi.edu/in-notes/rfc1157.txt

Microsoft Knowledge Base Article 99880
SNMP Agent Responds to Any Community Name
http://support.microsoft.com/default.aspx?scid=kb;[LN];99880

Network Associates, Inc. COVERT Labs Security Advisory #30
Windows NT SNMP Security Permissions
http://www.pgp.com/research/covert/advisories/030.asp

Network Associates, Inc. COVERT Labs Security Advisory #30, November 17, 1998
Windows NT SNMP Security Permissions
http://packetstormsecurity.nl/advisories/nai/nai.30.nt.snmp.vulns

ISS X-Force
SNMP community name is world readable by default
http://www.iss.net/security_center/static/21.php

CVE
CVE-1999-0517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0517