Most SNMP implementations on those kinds of network devices use version 1 or version 2, which have a very weak authentication method. SNMP version 1 contains a set of bugs in the way SNMP traps and request messages are handled and decoded that can be exploited in many ways, from denial of service to rewriting the configuration.
SNMP versions 1 and 2 use community strings for authentication. These are sent on UDP port 161 unencrypted, so it is very easy for a man in the middle to sniff the community strings. When you set up SNMP on a device (including a Linux box), you must set up two community strings: one with read-only access, whose default is “public”, and one with read-write access, whose default is “private”. If you don’t change the default communities on SNMP-enabled devices, it is very easy, in the absence of a firewall, to view their configuration and change it.
This is very dangerous for the devices and the network, so here is what you should do:
- Try not to use SNMP, unless you have to.
- Whenever possible, use SNMP version 3, which has user-mode authentication and can do encryption.
- In any case, if you use SNMP, change the default communities.
- Create a proper firewall on the device or on a device in front of it, allowing only trusted hosts to connect using SNMP.
For instance, a Cisco router running SNMP with the community string “public” reveals its entire running configuration, including usernames and passwords as well as the enable secret and password. If the router uses the SNMP community “private” for write access, absolutely everything in the configuration can be modified. More than that, most Cisco routers have SNMP enabled by default with the default communities and without any filters.
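The checks in the list above (change the default communities, restrict which hosts may use them) can be audited on a Linux box before the daemon is ever exposed. The following is an added example, not code from the book: it parses the `rocommunity`/`rwcommunity` directives of a net-snmp style `snmpd.conf` (syntax `rocommunity COMMUNITY [SOURCE]`, where an absent SOURCE or the word `default` means any host) and flags the two weaknesses the text describes. The sample configuration and the severity labels are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample snmpd.conf: two lines with the factory defaults the
# text warns about, one line that is already hardened.
SAMPLE_SNMPD_CONF = """\
# constructed example snmpd.conf
rocommunity public
rwcommunity private
rocommunity mon-ro-x7 10.1.2.0/24
"""

# The default community strings the text names; anything here is a finding.
DEFAULT_COMMUNITIES = {"public", "private"}

COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity",
                        "rocommunity6", "rwcommunity6"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str  # "high" or "medium" (constructed scale)
    message: str


def audit_snmpd_conf(text: str) -> List[Finding]:
    """Return one Finding per weakness found in a net-snmp style config."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Drop trailing comments and blank lines.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        directive = parts[0].lower()
        if directive not in COMMUNITY_DIRECTIVES:
            continue
        community = parts[1] if len(parts) > 1 else ""
        source = parts[2] if len(parts) > 2 else ""
        writable = directive.startswith("rw")

        # Weakness 1: a community string that is still the vendor default.
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding(
                line_no, "high",
                f"{directive} uses the default community '{community}'"))

        # Weakness 2: no source restriction, so any host that reaches
        # UDP/161 may use the community. Read-write makes this worse.
        if not source or source.lower() == "default":
            findings.append(Finding(
                line_no, "high" if writable else "medium",
                f"{directive} '{community}' accepts requests from any host"))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Summarise findings by severity, e.g. {'high': 3, 'medium': 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"line {f.line_no}: [{f.severity}] {f.message}")
    print(severity_counts(audit_snmpd_conf(SAMPLE_SNMPD_CONF)))
```

Run against the sample, lines 2 and 3 each produce two findings and line 4 produces none: a non-default community restricted to one subnet is what the list above asks for. A configuration that passes this audit still sends the community in clear text, which is why the book's first two recommendations (avoid SNMP, or use version 3) come before this one.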