Bad timing for SNMP alert

Why does it seem that not a week goes by without a security flaw being detected in some widely popular piece of software? The latest security hole is in the venerable Simple Network Management Protocol (SNMP), version 1. The problems were discovered last year by Finland’s Oulu University Secure Programming Group (OUSPG). According to CERT, OUSPG’s members devised a test suite that sent SNMP server software sample packets containing unexpected values or illegally formatted data. The group discovered many different vulnerabilities in different vendors’ implementations of SNMP. The flaws could allow sophisticated system programmers to crash devices running SNMP agents. In some vendors’ implementations, it might be possible for miscreants to gain access to a device without crashing it.

A troubling aspect of the story is the timing of the disclosure. Security consultants generally like to give vendors a chance to develop fixes for the problems they find before announcing their discoveries and taking credit for them. In this case, however, word began to get out to the user community before all the vendors were ready. Because SNMP is so widely implemented, not all companies had fixes ready by the time the problem was announced.

There’s disagreement in the security field about the prudence of disclosing security problems. Security guru Marcus Ranum fueled the debate in October 2000 when he called for security analysts to work with vendors before announcing vulnerabilities. His manifesto was widely mischaracterized, and he was called a traitor by the libertarian faction of the security community for suggesting any restrictions on the free flow of information.

Ranum was right, however. It’s in more people’s interest to begin working on a solution before announcing the problem. Here’s hoping that next time vendors have time to fix their flaws before their customers suffer from them.
