Ascend Archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: (ASCEND) [rootshell] Security Bulletin #16 (fwd)
In enteract.private.lists.ascend-users, you wrote:
>can easily pick up your community names. But at least by doing
>the above, they will also have to spoof your IP address in order to
>use the community names to do any damage.
There is a problem with this. Employing IP-address-based ACLs for SNMP
does make it harder to get SNMP values from a MIB, but it does not make it
any harder to set them. Setting an SNMP value simply involves sending a
single UDP SNMP "setRequest" packet. An attacker can trivially forge these
to appear to originate from any IP address. Because of this, an attacker
that knows your write community can still, even with ACLs enabled, TFTP
the configuration file.
You can take steps to make this work; employ inside/outside spoof
protection filters at the perimiter of your network, so arbitrary
attackers on the Internet can't spoof INTERNAL IP addresses. Make sure
dialup customers can't source packets from incorrect addresses, too.
--
-----------------------------------------------------------------------------
Thomas H. Ptacek Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf "mmm... sacrilicious"
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <http://www.nealis.net/ascend/faq>
Follow-Ups:
References: