PDA

Bekijk Volledige Versie : Medium Vulnerability in SNMP on Linsys BEFVP41


Branson Matheson
12/04/03, 10:05
While the following is not a critical vulnerability, it is a serious
problem for those that are implementing these VPN routers in production
environments.




Problem:




The MIB information available from the default 'public' community name on
the external interface of a Linksys VPN router includes information about
the hosts on the inside of the protected network including routes, hardware
addresses ( MAC ), and some configuration information. What is NOT
available include information about the VPN's configured, any preshared
keys, VPN routes, or endpoint IP's.




Testability:





install the net-snmp package and run the following on any Linksys router


that has not had it's community names altered:




snmpwalk -v 1 -c public {ip}




This has been tested on versions 1.40.3f and 1.40.4 ( latest ) version.




Solution:





Change the community names configured in the 'password' section of the


VPN routers web based config tool. There is no current way to disable SNMP.




Vendor:




I have sent numerous mails to the vendor concerning this issue starting
about 90 days ago. The last several have been ignored.
Stefan Laudat
13/04/03, 06:05
I'd kiss a frog if this was true. Actually I use over 50 of these
toys in production and it would have made me very happy if I could use
SNMP from outside the external interface. No surprise for me that
the tech support did not respond on your emails, it's likely that
they're using outsourced software in their products, since I've
had a nice discussion some time ago with one of their support
representative who didn't ever know what I was talking about when
referring words like 'Crypto engine failure','isakmp' etc
I also have some bug issues open in their tech support, which
remained unanswered until today. What I know is they told me SNMP
is *not* usable from outside, and I've tested this for myself.
All filters were off, not blocking any wan request, remote management
on.
Recently I've bought a new one which contains version 1.40.5,
still unreleased on the web site, so hang on for this release.
Once again, don't rely on their support (which is stinky), maybe
Cisco will fix this as they've bought them some weeks ago.


> The MIB information available from the default 'public' community name on
> the external interface of a Linksys VPN router includes information about
> the hosts on the inside of the protected network including routes, hardware
> addresses ( MAC ), and some configuration information. What is NOT
> available include information about the VPN's configured, any preshared
> keys, VPN routes, or endpoint IP's.
>

--
Stefan Laudat
CCNA & CCAI
-------------
Marriage is the only adventure open to the cowardly.
-- Voltaire