How effective is an ACL on an SNMPv2 RW string?

Started by dlots, April 22, 2016, 12:44:45 PM


dlots

I was just thinking: if you know the RW string on an SNMPv2 device, how effective is the ACL? I think SNMP is UDP; can't you just spoof the source, since you don't really need anything back? With that, can't you change the config at will to the point where you can get in?

deanwebb

This is why we have a VTY ACL and an ACL for the RW community. You have to be at the right IP address for the R or the W to happen. I mess with SNMP RW all the time and it's a real pain when the R&S guy doesn't put the IP of my device into the ACL. I've got the right community, but that darn ACL...
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Quote from: deanwebb on April 22, 2016, 01:36:00 PM
This is why we have a VTY ACL and an ACL for the RW community. You have to be at the right IP address for the R or the W to happen. I mess with SNMP RW all the time and it's a real pain when the R&S guy doesn't put the IP of my device into the ACL. I've got the right community, but that darn ACL...
But like dlots said, we all know the RW string is "private", so if you can spoof the source there is not much one can do. Been pondering this myself for a bit; all I could come up with is configuring a cut-down view and excluding the MIBs with the ability to change certain aspects of the device config.


My Moral Fibers have been cut.

deanwebb

Well, then ya gotta have stuff on the network to deal with source spoofers and shut 'em down.

Reggle

Now that you tell it like that, it's indeed a security issue, dlots. Two answers: SNMPv3 and proper separation of management and production subnets.

dlots

Yeah, Security's Not My Problem (SNMP) v2 kinda sucks for security.

Dieselboy

Does anyone want to try it?
I understand the IP spoofing but how practical is it?

wintermute000

It will work fine if you don't care about the return traffic and the network isn't checking.

Otanx

Quote from: Dieselboy on April 24, 2016, 01:14:45 PM
Does anyone want to try it?
I understand the IP spoofing but how practical is it?

Depends on what you mean by practical. Spoofing an IP address is pretty easy. However, if you are thinking about a real attacker in the wild, then they face several other problems. The first hurdle is knowing what addresses are allowed. Once you have the addresses, is there anything between you and the device that will drop a spoofed packet? A firewall, ACL, or even uRPF can prevent your packet from getting to the device. Then you are limited to only commands that you can run blind, as the return traffic isn't coming back to you.

-Otanx
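The controls Reggle and Otanx describe, as an added illustration in Cisco IOS syntax (not configuration posted by anyone in this thread): the v2c community guarded only by a source ACL, beside an SNMPv3 authPriv setup in which a spoofed source address without the keys cannot produce a valid message, plus uRPF to drop spoofed packets at the edge. The ACL number, view, group, user and interface names and the 10.0.0.5 poller address are assumed; the bracketed passwords are placeholders.

```text
! --- Weak: SNMPv2c, RW community protected only by a source ACL ---
! Anyone who knows the community and can spoof 10.0.0.5 can issue blind SETs.
access-list 10 permit host 10.0.0.5
snmp-server community private RW 10

! --- Better: SNMPv3 with authentication and privacy (authPriv) ---
! A spoofed source without the auth/priv keys cannot build a valid request,
! so the ACL becomes defense-in-depth instead of the only control.
! Narrow the write view further (icecream-guy's point) by excluding subtrees
! with "snmp-server view <name> <oid> excluded".
snmp-server view MGMT-VIEW iso included
snmp-server group NMS-GROUP v3 priv read MGMT-VIEW write MGMT-VIEW access 10
snmp-server user nms-poller NMS-GROUP v3 auth sha <auth-pass> priv aes 128 <priv-pass>
no snmp-server community private

! Send a trap on failed SNMP authentication so blind probing of the community
! is visible to the poller rather than silent.
snmp-server enable traps snmp authentication
snmp-server host 10.0.0.5 version 3 priv nms-poller

! --- Drop packets whose source is not reachable via the arriving interface ---
! (strict uRPF on user- or site-facing interfaces, not on asymmetric paths)
interface GigabitEthernet0/1
 ip verify unicast source reachable-via rx
```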

dlots

After thinking about how you could do this: if you can get something in the middle, like a capture box at a remote site, you can capture SNMP and get the source IP and the key; from there you can spoof the source and probably get data back just fine. Most places use the same ACL and key pretty much everywhere, so with any luck you can get the R/W key and know where to source from in order to make whatever changes you need.

Otanx

To get that capture box in place you either have to install a tap, or already have admin access to a switch to set up a SPAN port. If you already have that kind of access, then the SNMP keys would have limited or no value, and probably wouldn't be worth the time.

-Otanx

dlots

A tap install is pretty durn quick, and you also can't really see it with any monitoring tools that watch for config changes.