Title: Microsoft Windows NT 4.0 SNMP Community Name Vulnerability
Severity: HIGH
Description:
Windows NT 4.0 and Windows NT 2000 provide optional SNMP (Simple Network Management Protocol) services. SNMP allows remote retrieval and setting of information related to TCP/IP networking processes. SNMP services provide two levels of access: read-only and read/write. All versions of SNMP provided with Windows NT 4.0 prior to Service Pack 4 only allow read/write access to SNMP functions to authorized administrators; there is no ability to set "read-only". Service Pack 4 introduced the ability to set permissions to either "read-only" or "read/write".
SNMP provides a simple authentication scheme whereby an administrator can gain access to SNMP functions by knowing a "community name". A default installation of SNMP on Windows NT 4.0 allows access to SNMP with the community name "public". This alone presents a security risk, although most administrators using SNMP would likely change the default community name used to access SNMP services.
Unfortunately, SNMP community names are stored in the registry as plaintext and can be retrieved by anybody who can access the registry. IP address restrictions can also be implemented to control access to SNMP functions, but the IP address restriction information is also stored in the registry in plaintext. Forged UDP packets can be used to circumvent these restrictions. Although an attacker using this approach would not be able to read information returned from the SNMP services, this still allows use of the "set" command to alter network-critical settings such as the IP routing table and ARP table, set IP forwarding and IP TTL (time to live), enable or disable interfaces, etc.
SNMP services are not installed by default and must be added by the Windows NT administrator. Windows 2000 also stores SNMP community names and IP restrictions in the registry.
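Because the source address on a "set" request cannot be trusted once UDP packets are forged, monitoring has to key on the request itself. The following added example (not part of the original advisory) parses the SNMPv1 message header from a captured UDP payload and flags the default community name and any SetRequest; the function names are hypothetical and the sample datagrams are constructed for illustration.

```python
# Added example: classify SNMPv1 datagrams by community name and PDU type.
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}
DEFAULT_COMMUNITIES = {"public"}  # the default name cited in the advisory


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def inspect_snmp(datagram):
    """Parse SEQUENCE { version, community, PDU } and return findings."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, version, pos = read_tlv(body, 0)
    ctag, community, pos = read_tlv(body, pos)
    if tag != 0x02 or ctag != 0x04:
        raise ValueError("version or community field missing")
    pdu_tag, _, _ = read_tlv(body, pos)
    name = community.decode("latin-1")
    pdu = PDU_TYPES.get(pdu_tag, "other(0x%02x)" % pdu_tag)
    alerts = []
    if name in DEFAULT_COMMUNITIES:
        alerts.append("default community name")
    if pdu == "SetRequest":  # flagged regardless of source address
        alerts.append("write attempt (SetRequest)")
    version_no = int.from_bytes(version, "big")
    return {"version": version_no, "community": name, "pdu": pdu, "alerts": alerts}


def build_sample(community, pdu_tag):
    """Constructed test datagram: request-id 1, no errors, empty varbind list."""
    pdu_body = bytes.fromhex("020101" "020100" "020100" "3000")
    comm = community.encode()
    inner = b"\x02\x01\x00" + bytes([0x04, len(comm)]) + comm + bytes([pdu_tag, len(pdu_body)]) + pdu_body
    return bytes([0x30, len(inner)]) + inner
```

Feeding `inspect_snmp` the UDP payloads seen on port 161 gives one finding record per datagram; malformed input raises `ValueError` rather than being silently skipped.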
Affected Products:
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP6
References:
- Microsoft: Q152734 - How to Obtain the Latest Windows NT 4.0 Service Pack
- Microsoft: Q99880 - SNMP Agent Responds to Any Community Name