How effective is an ACL on an SNMPv2 RW string?

dlots · April 22, 2016, 12:44:45 PM

I was just thinking, if you know the RW string on an SNMPv2 device how effective is the ACL? I think SNMP is UDP can't you just spoof the source since you don't really need anything back? With that can't you change the config at will to the point you can get in?

deanwebb · April 22, 2016, 01:36:00 PM

This is why we have a VTY ACL and an ACL for the RW community. You have to be at the right IP address for the R or the W to happen. I mess with SNMP RW all the time and it's a real pain when the R&S guy doesn't put the IP of my device into the ACL. I've got the right community, but that darn ACL...

icecream-guy · April 22, 2016, 01:43:33 PM

Quote from: deanwebb on April 22, 2016, 01:36:00 PM
This is why we have a VTY ACL and an ACL for the RW community. You have to be at the right IP address for the R or the W to happen. I mess with SNMP RW all the time and it's a real pain when the R&S guy doesn't put the IP of my device into the ACL. I've got the right community, but that darn ACL...

but like dlots, said, we all know the RW string is "private" so if you can spoof the source, there is not much one can do, Been pondering this myself for a bit, all I could come up with is configuring a cutdown view and exclude MIBs with the ability to change certain aspects the device config.

deanwebb · April 22, 2016, 04:25:00 PM

Well, then ya gotta have stuff on the network to deal with source spoofers and shut 'em down.

Reggle · April 23, 2016, 04:39:33 AM

Now that you tell it like that, it's indeed a security issue dlots. Two answers: SNMPv3 and proper separation of management and production subnets.

dlots · April 24, 2016, 12:57:36 PM

Yeah Security's Not My Problem (SNMP) v2 kinda sucks for security

Dieselboy · April 24, 2016, 01:14:45 PM

Does anyone want to try it?
I understand the IP spoofing but how practical is it?

wintermute000 · April 24, 2016, 05:21:19 PM

It will work fine if you don't care about return and the network isn't checking

Otanx · April 24, 2016, 10:38:22 PM

Quote from: Dieselboy on April 24, 2016, 01:14:45 PM
Does anyone want to try it?
I understand the IP spoofing but how practical is it?

Depends on what you mean by practical. Spoofing an IP address is pretty easy. However, if you are thinking about a real attacker in the wild then they face several other problems. The first hurdle is knowing what addresses are allowed. Once you have the addresses then is there anything between you and the device that will drop a spoofed packet. A firewall, ACL, or even uRPF can prevent your packet from getting to the device. Then you are limited to only commands that you can run blind as the return traffic isn't coming back to you.

-Otanx

dlots · April 25, 2016, 06:04:58 AM

After thinking about how you could do this: If you can get something in the middle like a cap box at a remote site with a cap you can capture for SNMP, and get the source IP and the key, from there you can spoof the source, and probably get data back just fine. Most places use the same ACL and key pretty much everywhere so with any luck you can get the R/W key and know where to source from in order to make whatever changes you need.

Otanx · April 25, 2016, 10:46:18 PM

To get that capture box in place you either have to install a tap, or already have admin to a switch to setup a SPAN port. If you already have that kind of access then the SNMP keys would have limited or no value, and probably not worth the time.

-Otanx

dlots · April 26, 2016, 07:08:26 AM

A tap install is pretty durn quick, and also you can't really see it with any monitoring tools that watch for config changes.