Patching the Net's Fatal Flaws

Recent research finds major holes in one of the Web's basic protocols. And if they aren't fixed, the consequences could be devastating

By Alex Salkever

Before the Web, computer viruses depended on the lowly floppy disk as their main means of transmission. Now, thanks to widespread broadband connectivity, computer viruses can blossom into huge epidemics in no time, crashing networks and overwhelming IT staffs. So-called "worms" clog the Net with random scans, searching for vulnerable systems to corrupt or co-opt, tearing across the digital landscape in a matter of days or even hours. "Code Red," for example, needed no e-mail and no user action at all: it scanned for unpatched Microsoft IIS Web servers, infected them directly, and defaced their Web pages. Newer hybrid worm-viruses are even more insidious, combining e-mail with direct scans to spread their bandwidth-hogging payloads, deface Web pages or erase critical files.

So far, the scope of most of these attacks has been rather limited. That's not to say large chunks of the computing world haven't been affected. The "Love Bug" virus hit machines running Microsoft e-mail clients, potentially targeting 95% of the world's desktop computers. The "Ramen" worm tagged thousands of computers running Linux. The "Code Red" worm affected Microsoft's widely installed IIS Web-server software. But in the grand scope of the Net, these attacks and most others cut a relatively confined swathe.

That reality may have changed on Feb. 12, when Oulu University's Secure Programming Group in Finland published a paper and test suite outlining major flaws in implementations of the Simple Network Management Protocol. SNMP is the protocol that network-management stations use to monitor and configure routers, switches, servers and desktops: a manager sends a request over UDP, the device answers with values such as its description, interface counters or routing entries, and a device can send "traps" to report events on its own. Both sides encode their messages in a common binary syntax (ASN.1 BER), and it is the code that decodes that syntax, rather than the protocol design itself, that the Oulu tests broke.

It's also one of the most widely used management protocols. You can find it on diverse operating systems and classes of devices, from Dell desktops to Cisco routers to Sun workstations. "You look at SNMP, and it's ubiquitous. It's on backbone routers. It's on switches. It's on desktops. It's on servers. It's on every single platform," says Stuart McClure, president and chief technology officer of security consultancy and software company Foundstone.

That ubiquity raises the specter of a massive vulnerability on the Net, and larger questions about the relative safety of the common protocols that create a seamless system of data sharing. Many experts now say it's time to shore up these protocols and ensure they are safe. The alternative could be wide-ranging and extremely damaging Internet attacks in the future. "We need to do this with all protocols. We also need to establish some sort of standardization which tells management quickly and simply whether or not they are employing any obviously insecure protocols," says Russ Cooper, an engineer with computer-security provider TruSecure and an expert on Microsoft NT security issues.

SNMP is only one of a handful of ubiquitous protocols. Others include TCP/IP, the basic suite that lets computers send and receive information over the Internet, and UDP, the lightweight, connectionless transport over which SNMP itself travels (UDP port 161 for requests, 162 for traps). These protocols are designed to work across platforms. Whether you use a Mac or an IBM mainframe, TCP/IP is pretty much standard.

Most of these protocols are based on architectures from the early days of the Internet, when security was hardly a concern among the small community of scientists and academics who made up the network's population. Since they were designed more to facilitate communication than to maximize security, critics have long held that these protocols are the soft underbelly of the Net.

That was precisely the assumption of the Oulu University group when they set out on a project to poke holes in these standards. Naturally, they decided to take a whack at SNMP. Rather than flooding devices with ordinary traffic, they generated thousands of deliberately malformed SNMP messages, both the requests a management station sends and the traps a device sends, with bogus length fields, oversized strings and wrong tags, and fed them to 12 separate Internet devices to see whether the decoding code checked what it received before acting on it.

Not a single one of the devices emerged unscathed. The researchers were able to crash them and, in some cases, the faulty decoding could be leveraged to break into them and remotely take control of the devices.
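To make the two passages above concrete, the SNMP message format and the Oulu testing method, here is an added illustration written for this edit; it is not code from the Oulu group's PROTOS suite or from any vendor. It builds one valid SNMPv1 GetRequest for sysDescr.0 in ASN.1 BER, decodes it with a parser that checks every length field against the datagram, and then applies one mutation of the kind the Oulu tests used (a community string that claims to be longer than the packet). The request-id, community string and OID are arbitrary sample values chosen for the example.

```python
"""SNMPv1 GetRequest encoder, strict decoder and one PROTOS-style mutation.

Added example, not code from the Oulu PROTOS test suite. Every SNMPv1 element
is BER tag-length-value; the decoder's bounds check on `length` is the check a
vulnerable agent omits when it trusts an attacker-supplied length.
"""

# BER tags used by SNMPv1.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, GET_REQUEST = 0x02, 0x04, 0x05, 0x06, 0x30, 0xA0


def ber_length(n: int) -> bytes:
    """Short form below 128, long form (0x80 | byte count, then the count) above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def encode_int(v: int) -> bytes:
    return tlv(INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def encode_oid(oid: str) -> bytes:
    """Dotted OID to BER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))


def decode_oid(value: bytes) -> str:
    if not value:
        raise ValueError("empty OID")
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    if n:
        raise ValueError("unterminated OID arc")
    return ".".join(map(str, arcs))


def snmpv1_get_request(community: bytes, oid: str, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest PDU }."""
    varbind = tlv(SEQUENCE, encode_oid(oid) + tlv(NULL, b""))
    pdu = tlv(GET_REQUEST, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, community) + pdu)


def decode_tlv(buf: bytes, pos: int) -> tuple:
    """Parse one TLV at pos -> (tag, value, next_pos), refusing lengths that overrun buf."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):  # the check a vulnerable decoder skips
        raise ValueError(f"length {length} overruns buffer by {end - len(buf)} bytes")
    return tag, buf[pos:end], end


def decode_sequence(buf: bytes) -> list:
    items, pos = [], 0
    while pos < len(buf):
        tag, value, pos = decode_tlv(buf, pos)
        items.append((tag, value))
    return items


def decode_get_request(msg: bytes) -> dict:
    """Strictly parse a GetRequest; raises ValueError on any malformed field."""
    tag, body, end = decode_tlv(msg, 0)
    if tag != SEQUENCE or end != len(msg):
        raise ValueError("outer SEQUENCE malformed or trailing bytes")
    fields = decode_sequence(body)
    if [t for t, _ in fields] != [INTEGER, OCTET_STRING, GET_REQUEST]:
        raise ValueError("expected version, community, GetRequest PDU")
    pdu = decode_sequence(fields[2][1])
    if [t for t, _ in pdu] != [INTEGER, INTEGER, INTEGER, SEQUENCE]:
        raise ValueError("GetRequest PDU malformed")
    oids = []
    for tag, varbind in decode_sequence(pdu[3][1]):
        parts = decode_sequence(varbind) if tag == SEQUENCE else []
        if len(parts) != 2 or parts[0][0] != OID:
            raise ValueError("varbind must be SEQUENCE { OID, value }")
        oids.append(decode_oid(parts[0][1]))
    return {"version": int.from_bytes(fields[0][1], "big", signed=True),
            "community": fields[1][1],
            "request_id": int.from_bytes(pdu[0][1], "big", signed=True),
            "oids": oids}


def protos_style_mutation(msg: bytes) -> bytes:
    """Corrupt one length field: claim the community string is 127 bytes long."""
    bad = bytearray(msg)
    # Layout of a short message: 30 LL | 02 01 00 (version) | 04 LL community ...
    if bad[0] != SEQUENCE or bad[1] & 0x80 or bad[5] != OCTET_STRING:
        raise ValueError("mutation assumes a short-form outer length")
    bad[6] = 0x7F
    return bytes(bad)


def check_message(msg: bytes) -> str:
    """'ok' if the strict decoder accepts the datagram, else the reason it was rejected."""
    try:
        decode_get_request(msg)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    good = snmpv1_get_request(b"public", "1.3.6.1.2.1.1.1.0")  # sample values
    print(good.hex(), check_message(good))
    bad = protos_style_mutation(good)
    print(bad.hex(), check_message(bad))
```

The mutated datagram is byte-for-byte the same size as the valid one; only one length byte changed. A decoder that copies `length` bytes of community string into a fixed buffer without the `end > len(buf)` check reads past the packet, which is the class of defect behind the crashes described above.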

The implications of these findings are staggering. While the test group only represented a small sample of the thousands of types of systems that connect to the Net, the results implied that SNMP weakness might well be as ubiquitous as the protocol itself. "It affects hundreds of different types of computers and network equipment. A large-scale attack against this vulnerability could drop the Internet," says Bruce Schneier, chief technology officer of Counterpane Internet Security.

Others see a possible outcome nearly as chilling were someone to use the SNMP weakness to take control of the backbone routers that guide the huge flow of data over fiber-optic networks. They could then theoretically direct masses of data into black holes, or redirect surfers to some other site instead of their intended target.

"Once you actually control a piece of the infrastructure, you have quite a bit more capability and power. No longer are you limited to controlling a single host. You can take an entire worldwide enterprise off the network," says Craig Labovitz, director of network architecture at Arbor Networks, a Waltham, Mass., company that builds equipment to stop the "Denial of Service" attacks that can cut off public access to Web sites under an avalanche of bogus data requests.

Ironically, vendors have known that SNMP implementations were not safe since last summer. The release of the Oulu paper, however, sealed any doubts about the urgency of creating patches for SNMP on various platforms and software systems. Currently vendors and IT staffs alike are scrambling to make sure that their networks are SNMP safe, top to bottom. Vendors have been pretty good about supplying patches for the SNMP hole since the research results were announced on Feb. 12. Still, they didn't seem so concerned last summer. Until every device is patched, the standard advice from CERT applies: disable SNMP on devices that don't need it, filter UDP ports 161 and 162 at the network perimeter so that only trusted management stations can reach agents, and replace default community strings such as "public" and "private," since a patch for the parsing flaws does nothing about an agent that answers anyone who asks.

So far, the fallout has been minimal. Major attacks using the SNMP hole have failed to materialize. That doesn't mean they won't happen, though. In fact, the National Infrastructure Protection Center and the CERT Coordination Center, two of the premier federally funded computer-security watchdogs, are already warning about automated software tools that prey on the SNMP hole.

That might be jumping the gun. But vendors and network engineers had better address this problem -- and soon. If they don't, these cracks in the foundations of Net architecture could indeed bring the whole structure down.

Salkever covers computer security issues twice a month in his Security Net column, only on BusinessWeek Online

Edited by Douglas Harbrecht