0

I read in Wikipedia's article on SNMP:

SNMPv1 and v2 are vulnerable to IP spoofing attacks, whether it runs over TCP or UDP, and is a subject to bypassing device access lists that might have been implemented to restrict SNMP access.

I'd like to ask why.

schroeder
PhantomR
  • There is a "citation needed" flag. I can find no reference that SNMP over TCP is vulnerable. – schroeder Feb 04 '20 at 14:14
  • I'd really appreciate even an answer as to why it's vulnerable over UDP :) – PhantomR Feb 04 '20 at 14:20
  • That's really easy to look up. UDP is connectionless. – schroeder Feb 04 '20 at 14:22
  • The wiki explains it, too. What are you asking? What don't you know? Do you know how IP spoofing works? Are you asking how to spoof an IP? – schroeder Feb 04 '20 at 14:23
  • Strictly speaking, SNMP is vulnerable to IP Spoofing because it does not verify the sender IP. That's potentially interesting if sent over TCP, but not at all interesting if using UDP. So, to be able to answer you, we need to know what you need to know. – schroeder Feb 04 '20 at 14:27
  • To be honest, I don't know. I was reading a Pentesting course at my University and it mentioned that SNMP is UDP-based, so it's vulnerable to IP Spoofing. I was able to find this same statement on Wikipedia (albeit with TCP included as well). I was wondering what it meant, since in IP spoofing cases, you can't actually receive answers, right? Oh, I think I see the problem here... you don't NEED an answer, is that it? You can just issue an SNMP command (using a spoofed IP, either to use a trusted IP or to hide your identity?) to modify some configuration data (without needing an answer)? – PhantomR Feb 04 '20 at 14:38
  • Also (please see my previous reply, too), is the reason it shouldn't be vulnerable over TCP the fact that you need bidirectional communication (so source IP matters) in order to establish a TCP session? – PhantomR Feb 04 '20 at 14:41
  • That's right: you don't need a reply. If the SNMP server is set to only accept connections from a whitelist, then you can spoof an IP on the whitelist and issue commands. Very bad news (and bad design). IP spoofing in TCP will fail before passing data because the initial handshake will fail. So, I'm interested in the TCP IP spoofing vulnerability, if there is one – schroeder Feb 04 '20 at 15:07
  • Yay, the handshake was what I was thinking, too. Thank you, I think I got it now. I'd also like to know why the TCP implementation would be vulnerable, but Wikipedia might be wrong on this one – PhantomR Feb 04 '20 at 15:17
  • [citation needed] :) – schroeder Feb 04 '20 at 15:35
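
The reasoning in the comments above, as a toy model (an added example, not part of the original thread): it sends nothing on a real network and only simulates that replies are routed to the claimed source address, which is why a source-IP access list holds for a handshake-based transport but not for a single datagram. All class and function names are hypothetical, the addresses are constructed documentation-range values, and the handshake is simplified to "echo back the server's initial sequence number".

```python
import secrets

ALLOWLIST = {"192.0.2.10"}  # constructed management-station address

class Network:
    """Toy network: replies are routed to the *claimed* source address."""
    def __init__(self):
        self.inboxes = {}
    def deliver(self, dst_ip, segment):
        self.inboxes.setdefault(dst_ip, []).append(segment)

class UdpAgent:
    """Single-datagram request, access list checked on source IP only."""
    def __init__(self):
        self.config = {"sysContact": "noc"}
    def on_datagram(self, claimed_src, key, value):
        if claimed_src not in ALLOWLIST:
            return False
        self.config[key] = value  # applied without any round trip
        return True

class TcpAgent:
    """Same access list, but data is accepted only after the handshake."""
    def __init__(self, net):
        self.net, self.pending = net, {}
        self.config = {"sysContact": "noc"}
    def on_syn(self, claimed_src):
        isn = secrets.randbits(32)  # unpredictable initial sequence number
        self.pending[claimed_src] = isn
        self.net.deliver(claimed_src, ("SYN-ACK", isn))
    def on_ack_with_data(self, claimed_src, ack, key, value):
        if claimed_src not in ALLOWLIST or self.pending.get(claimed_src) != ack:
            return False
        self.config[key] = value
        return True

def run(real_ip, claimed_ip):
    """Return (udp_accepted, tcp_accepted) for a sender at real_ip."""
    net = Network()
    udp, tcp = UdpAgent(), TcpAgent(net)
    udp_ok = udp.on_datagram(claimed_ip, "sysContact", "changed")
    tcp.on_syn(claimed_ip)
    # The sender only learns the ISN if the SYN-ACK reached its real address.
    seen = [isn for _, isn in net.inboxes.get(real_ip, [])]
    ack = seen[0] if seen else None
    tcp_ok = tcp.on_ack_with_data(claimed_ip, ack, "sysContact", "changed")
    return udp_ok, tcp_ok

if __name__ == "__main__":
    print(run("192.0.2.10", "192.0.2.10"))   # legitimate manager
    print(run("203.0.113.5", "192.0.2.10"))  # off-path sender, forged source
```

In the second call the UDP agent accepts the change because the source address is the only thing its access list examines, while the TCP agent rejects it because the SYN-ACK went to the real owner of the allowlisted address.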

1 Answer

-1

SNMP is used to manage low-end devices; they usually have only rudimentary network stacks. No firewall, for one.

vonbrand