suse vulnerable to the snmp thing?
It affects all versions of SNMP. Expect a fix soon..but it's not just a SuSE problem. I would disable this service if it's unneeded...or take steps to secure whatever it's running on.

* Jon Doe (linuxgeek@woh.rr.com) [020212 18:37]:
->Does this snmp exploit I'm hearing about affect suse 7.3?

-----=====-----=====-----=====-----=====-----
Ben Rosenberg
mailto:ben@whack.org
-----=====-----=====-----=====-----=====-----
"I've never been quarantined. But the more I look around the more I think it might not be a bad thing." -JC
On Tue, 12 Feb 2002 18:52:37 -0800
Ben Rosenberg
> It affects all versions of SNMP.
> Expect a fix soon..but it's not just a SuSE problem.
> I would disable this service if it's unneeded...or take steps to secure whatever it's running on.
Well I think it runs my network access. :) Not sure though, everything was so automatic at install. I have a cable router with a decent firewall. Do I need snmp to connect to the router?
No..God no. Disable that very, very quickly. It doesn't provide
connectivity at all. It's for monitoring systems and doing other such
things. :)
You're safe if you just completely turn it off. :)
* Jon Doe (linuxgeek@woh.rr.com) [020212 19:00]:
->On Tue, 12 Feb 2002 18:52:37 -0800
->Ben Rosenberg
On Tue, 12 Feb 2002 19:03:31 -0800
Ben Rosenberg
> No..God no. Disable that very, very quickly. It doesn't provide connectivity at all. It's for monitoring systems and doing other such things. :)
> You're safe if you just completely turn it off. :)
Ok, one last question? Where do I turn it off? I am looking in Yast2 control center and can't seem to find anything about snmp, very new to suse..lol.
I would edit /etc/rc.config and change this line to no.
# Start UCD SNMP daemon? (yes/no)
#
START_SNMPD="no"
I would then execute as root...
rcsnmpd stop
You can do this in an xterm.
Then I would run SuSEconfig so that it knows not to start snmp at next
boot.
You should be good to go.
* Jon Doe (linuxgeek@woh.rr.com) [020212 19:10]:
->On Tue, 12 Feb 2002 19:03:31 -0800
->Ben Rosenberg
begin Ben Rosenberg's quote:

| No..God no. Disable that very, very quickly. It doesn't provide
| connectivity at all. It's for monitoring systems and doing other
| such things. :)
|
| You're safe if you just completely turn it off. :)

i've been following the traffic on all this over on security focus, and it looks as if this is an *enormous* problem that is not going to disappear anytime soon. to quote from one post there:

This is big. I strongly recommend disabling SNMP on as many devices as possible. It isn't a single vulnerability, but a suite of potentially hundreds of vulnerabilities. This is just the beginning, more will be coming.

These problems aren't new; they have been known since the early 1990s. It's just that SNMP developers have always thought of them as "bugs" rather than "vulnerabilities".

Thousands of different devices, such as printers, are vulnerable. Somebody is going to develop an exploit that compromises the printer and forwards copies of everything printed back out to the hacker. This is only one example of the severity of the problem - there are many closed systems that cannot be updated; you can often disable SNMP, but you cannot update it and fix the bugs.

You should also block UDP port 7 (echo) on your firewalls. Spoofed SNMP requests can be bounced off of such ports.

Don't rely upon IP access control lists to protect you. UDP is stateless and packets can be spoofed.

SNMP has always been a huge vulnerability, even when it could not be directly exploited. Your first impulse should always be to disable it. There are exploits that have been used in the underground for years that still haven't made it to bugtraq.

Some older versions of Solaris (2.6?) put an SNMP service at a port in the range 32768-32800 (same vulnerability as putting a portmapper at a high port). This wasn't mentioned in the CERT advisory. If you are a heavy Sun shop, these should be blocked anyway.

Monitor the "snmp" group at 1.3.6.1.2.1.11. Some of these statistics will track some of the bad stuff that this exploit generates. It's a poor-man's network IDS to detect people playing around on your network.

[eoq]

scary stuff.

--
dep

if you go with the flow you'll get chopped to pieces by the turbines.
participants (3): Ben Rosenberg, dep, Jon Doe
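
The counter monitoring suggested in the post quoted in the last message, as an added example that is not part of any message in this thread: it parses two polls of the "snmp" group at 1.3.6.1.2.1.11, in the numeric form `snmpwalk -On` prints, and reports the error counters that jumped between them. The sample polls and the threshold are constructed for illustration; the counter names are the RFC 1213 object names.

```python
import re

SNMP_GROUP = "1.3.6.1.2.1.11"          # the "snmp" group named in the quoted post
# Error counters in that group (RFC 1213 object names), keyed by sub-identifier.
WATCHED = {
    3: "snmpInBadVersions",
    4: "snmpInBadCommunityNames",
    5: "snmpInBadCommunityUses",
    6: "snmpInASNParseErrs",
}
LINE = re.compile(r"^\.?" + re.escape(SNMP_GROUP) + r"\.(\d+)\.0 = Counter32: (\d+)$")
WRAP = 2 ** 32                          # a Counter32 rolls over to 0 at 2^32

def parse_walk(text):
    """Return {sub-id: value} from numeric snmpwalk-style output; skip other lines."""
    counters = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            counters[int(m.group(1))] = int(m.group(2))
    return counters

def suspicious_deltas(before, after, threshold=5):
    """Return {name: increase} for watched counters that grew by >= threshold."""
    hits = {}
    for sub_id, name in WATCHED.items():
        if sub_id in before and sub_id in after:
            delta = (after[sub_id] - before[sub_id]) % WRAP   # survives rollover
            if delta >= threshold:
                hits[name] = delta
    return hits

# Constructed samples: two polls of one agent, a few minutes apart.
POLL_1 = """\
.1.3.6.1.2.1.11.1.0 = Counter32: 1200
.1.3.6.1.2.1.11.3.0 = Counter32: 0
.1.3.6.1.2.1.11.4.0 = Counter32: 2
.1.3.6.1.2.1.11.6.0 = Counter32: 4294967290
"""
POLL_2 = """\
.1.3.6.1.2.1.11.1.0 = Counter32: 1950
.1.3.6.1.2.1.11.3.0 = Counter32: 0
.1.3.6.1.2.1.11.4.0 = Counter32: 3
.1.3.6.1.2.1.11.6.0 = Counter32: 40
"""

if __name__ == "__main__":
    for name, delta in suspicious_deltas(parse_walk(POLL_1), parse_walk(POLL_2)).items():
        print(f"ALERT {name} rose by {delta} between polls")
```

A restart of the agent also resets these counters to zero, which the modulo arithmetic reads as a large increase, so an alert that coincides with a reboot needs a second look.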