
MS06-074: SNMP Buffer Overflow (CVE-2006-5583) - SANS Internet Storm Center

The Simple Network Management Protocol (SNMP) service is vulnerable to a buffer overflow. This service is typically used to manage network devices. Home users are not likely to have this service installed. However, many larger networks will use SNMP to control and monitor networked workstations and servers.

According to a note from Dave Aitel, Immunity released an exploit for this vulnerability to its customers.

To disable this service, or to check whether it is running, use the "Services" tab in your Control Panel and make sure the 'SNMP Service' is not running. You will not see an entry for SNMP Service if it is not installed.

This patch is a "patch now" for all networks that use SNMP. The SNMP service runs as "system", and a successful exploit would provide an attacker with full access. The Microsoft bulletin only talks about port 161 UDP for this vulnerability, so one can assume that SNMP trap messages are not affected.

Common sense SNMP security (regardless of the vulnerability):
  • block port 161/udp and 162/udp at your perimeter (SNMPv3 may use TCP).
  • use a hard-to-guess community string (anything but "public").
  • disable SNMP listeners if you do not need them.
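
A local audit that combines the service check described earlier with the listener and community-string items in the list above. This is an added example, not part of the original diary. It assumes PowerShell 3.0 or later, the service name `SNMP` behind the 'SNMP Service' display name, and community strings stored as value names under the `ValidCommunities` registry key; the `-Disable` switch and the list of weak community names are choices made for this example.

```powershell
# Added example: local audit of the SNMP agent on a Windows host.
# Read-only unless -Disable is passed (which needs an elevated session).
param([switch]$Disable)

$report = [ordered]@{
    Installed       = $false
    Status          = $null
    StartType       = $null
    Udp161Listening = $false
    WeakCommunities = @()
}

# 'SNMP' is the service name behind the 'SNMP Service' display name.
$svc = Get-Service -Name 'SNMP' -ErrorAction SilentlyContinue
if ($svc) {
    $report.Installed = $true
    $report.Status    = $svc.Status
    # StartMode via CIM also works where Get-Service has no StartType property.
    $report.StartType = (Get-CimInstance Win32_Service -Filter "Name='SNMP'").StartMode

    # Is anything bound to 161/udp? (Cmdlet exists on Windows 8 / Server 2012 and later.)
    if (Get-Command Get-NetUDPEndpoint -ErrorAction SilentlyContinue) {
        $report.Udp161Listening =
            [bool](Get-NetUDPEndpoint -LocalPort 161 -ErrorAction SilentlyContinue)
    }

    # Accepted community strings are the value names under this key.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities'
    if (Test-Path $key) {
        $names = (Get-Item $key).Property
        # Well-known defaults to flag; this list is an assumption, extend as needed.
        $report.WeakCommunities = @($names | Where-Object { $_ -in 'public', 'private' })
    }

    if ($Disable) {
        # Stop the listener and keep it from starting at boot.
        Stop-Service -Name 'SNMP' -Force
        Set-Service  -Name 'SNMP' -StartupType Disabled
        $report.Status    = (Get-Service -Name 'SNMP').Status
        $report.StartType = 'Disabled'
    }
}

# One object per host, suitable for Export-Csv when run across a fleet.
[pscustomobject]$report
```

A host where `Installed` is false matches the "no entry for SNMP Service" case described above and needs no further action for this bulletin.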



Dec 12th 2006
