Solved

Failed PCI Compliance scan - SNMP parameters

Posted on 2012-03-11
2,232 Views
Last Modified: 2012-12-05
A client of mine recently failed a PCI-compliance network scan by Trustwave. In a nutshell, the scan turned up a Guessable SNMP Community String. I have all ports blocked from the WAN, and I've disabled ports 161 and 162 on the LAN. They continue to fail the test, and need to remedy this or they will start incurring fines from their credit card company. What do I do? I know what SNMP is, but I'm not an SNMP expert. Help me Experts Exchange!

CVE-1999-0517  udp/161 Guessable SNMP Community String

Severity: High
PCI Status: Fail
Description: SNMP is a protocol used for remote monitoring and configuration of network devices and servers. The community string (essentially, the password) for your SNMP service was easily guessed. Although only the "read" (monitoring) string was tested, this probably means that the "write" (configuration) string is also guessable. An attacker who knows the community strings for this device will be able to monitor or reconfigure the device, potentially leading to a serious denial of service to your system or network.
Remediation: At a minimum, you should change your read and write community strings to something that is hard to guess. If SNMP is not required, you should disable it. Also, SNMP (UDP/161) should not be generally accessible from the Internet.
Question by:oregonfinn
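The check behind this finding, as an added example that is not part of the original question or of Trustwave's report: an SNMPv1 GetRequest for sysDescr.0 is sent with each candidate community string, and any parsed GetResponse means the agent accepted that string. The packet is hand-encoded in BER so the script needs no SNMP library; the target 192.0.2.1 and the two default strings are placeholders. Run it once against the IP the ASV says it scanned and once against the address your WAN link actually holds right now; if those differ, the finding may belong to someone else's device.

```python
"""SNMPv1 community-string probe (added example; not from the original thread).

Sends a GetRequest for sysDescr.0 with each candidate community and reports
which ones the agent answers. Target 192.0.2.1 below is a placeholder.
"""
import socket
import sys

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # sysDescr.0: every agent answers it
PDU_GET_REQUEST = 0xA0
PDU_GET_RESPONSE = 0xA2


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form above (sysDescr replies often exceed 127 bytes)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def encode_int(v: int) -> bytes:
    """Minimal two's-complement INTEGER; enough for request-ids and error codes."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])       # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                         # base-128, high bit = "more follows"
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str = SYS_DESCR, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version 0 (SNMPv1), community, GetRequest-PDU }"""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))            # OID + NULL value
    pdu = tlv(PDU_GET_REQUEST, encode_int(request_id) + encode_int(0)
              + encode_int(0) + tlv(0x30, varbind))                   # id, error-status, error-index, varbinds
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at pos, handling long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def parse_response(data: bytes) -> dict:
    """Extract community, request-id, error-status and the first varbind value from a GetResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    (_, version), (_, community), (pdu_tag, pdu) = _children(msg)
    if pdu_tag != PDU_GET_RESPONSE:
        raise ValueError("not a GetResponse PDU")
    (_, req_id), (_, err_status), _err_index, (_, varbinds) = _children(pdu)
    _, first_vb = next(_children(varbinds))
    (_, _oid), (val_tag, val) = _children(first_vb)
    return {
        "version": int.from_bytes(version, "big", signed=True),
        "community": community.decode(errors="replace"),
        "request_id": int.from_bytes(req_id, "big", signed=True),
        "error_status": int.from_bytes(err_status, "big", signed=True),
        "value": val.decode(errors="replace") if val_tag == 0x04 else val.hex(),
    }


def probe(host: str, communities=("public", "private"), port: int = 161, timeout: float = 2.0) -> dict:
    """Map each community to the sysDescr it unlocked, or None.

    None is not proof of safety: an SNMPv1 agent silently drops requests with a
    wrong community, and a firewall dropping UDP/161 looks exactly the same.
    """
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for req_id, community in enumerate(communities, start=1):
            sock.sendto(build_get_request(community, request_id=req_id), (host, port))
            results[community] = None
            try:
                reply = parse_response(sock.recvfrom(4096)[0])
                if reply["request_id"] == req_id and reply["error_status"] == 0:
                    results[community] = reply["value"]
            except (socket.timeout, ValueError, IndexError):
                pass
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"   # placeholder target
    for name, descr in probe(target).items():
        print(f"{name:10s} {'ACCEPTED -> ' + descr if descr else 'no answer'}")
```

A reply with the default string is exactly what the ASV flagged; a reply to "public" that is a device you do not own (an ISP router, a neighbouring customer) is the out-of-scope case discussed below. The probe only tests the read string; per the report text, a guessable read string is a strong hint that the write string is equally weak, so treat both as compromised.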
8 Comments
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 37708284
Are they scanning from inside or the outside?

If scanning from the outside, can you verify the IP address they are hitting?  Could it be your ISP has SNMP enabled with a guessable name?

If it is from the inside of your network, then just change your SNMP community names to something a bit more complex.
 
LVL 5

Expert Comment

by:1ly4me
ID: 37709538
Try using nmap to scan your IPs to find out open ports.

Are you trying to scan servers or routers or firewalls?

Thanks
Rajan
 
LVL 33

Expert Comment

by:Dave Howe
ID: 37710134
It would seem reasonable to ask them what IP they are seeing the community string on; I have seen cases where ISPs leave *their own routers* open for SNMP/ReadOnly so their customers/billing dept can gather performance metrics, so it might not even be your device.

Other than that, once you find where it goes to, see what else runs on that node, and if it doesn't need SNMP, just disable it entirely.

 
LVL 79

Expert Comment

by:lrmoore
ID: 37712734
Most likely they are finding devices with "public" or "private" as the SNMP community strings. These are the defaults in almost every device ever made that has SNMP enabled and are easily guessed.
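The defaults lrmoore describes, beside what a remediated agent config looks like, as an added example in net-snmp snmpd.conf syntax (the thread never names the device or agent, so net-snmp is an assumption; 192.0.2.5, 192.0.2.10 and the passphrases are placeholders, not values from the thread):

```conf
# --- weak: what ships on most devices and what the ASV guessed ---
rocommunity public
rwcommunity private

# --- hardened v2c: long random string, read-only, only from the NMS (placeholder 192.0.2.10),
#     and only the system subtree; no rwcommunity at all ---
rocommunity ReplaceWith32RandomChars 192.0.2.10 .1.3.6.1.2.1.1

# --- better: SNMPv3 only, authentication and encryption required ---
# createUser belongs in the persistent config (e.g. /var/lib/net-snmp/snmpd.conf);
# net-snmp rewrites the passphrases into localized keys on first start.
createUser monitor SHA "ReplaceWithAuthPassphrase" AES "ReplaceWithPrivPassphrase"
rouser monitor priv .1.3.6.1.2.1.1

# listen only on the LAN/management address (placeholder 192.0.2.5), never on the WAN side
agentAddress udp:192.0.2.5:161
```

Pick one of the two hardened sections, not both, or the v2c community remains a second door. After restarting the agent, repeat the external check from outside the network: the remediation in the report is only done when UDP/161 on the scanned IP either does not answer or answers only to credentials the scanner cannot guess.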
 
LVL 33

Expert Comment

by:Dave Howe
ID: 37713804
@Lrmoore: Yup. But when given what looks suspiciously like the output of an automated scan, first step is usually to ask what IP the issue is with; often external pentest evals do an entire IP range, and can include devices upstream of the client, devices shared with other clients etc. Being able to say a given IP is "out of scope" because it isn't owned by the client is often easier than fixing an issue.
 

Author Comment

by:oregonfinn
ID: 38664524
Sorry for not maintaining this feed. The answer was amazingly simple and silly. Because of extreme pressure from the client to solve this, I overlooked the obvious.

The scanning agency (Trustwave) was scanning the known external IP address of my client's network. But the ISP had changed their IP address (dynamic IP user) on the router. Trustwave had no way to know this. To quote Indiana Jones and Sallah, "They're digging in the wrong place!"

The takeaway from this is worth remembering: Don't overlook the basics, especially when the client provides a self-diagnosis of the problem. They are calling you because they can't figure it out!
 

Author Comment

by:oregonfinn
ID: 38664528
I've requested that this question be closed as follows:

Accepted answer: 0 points for oregonfinn's comment #a38664524

for the following reason:

Words of Wisdom in dealing with annoying customers.
 

Author Closing Comment

by:oregonfinn
ID: 38664529
The answer: Verify the IP they are scanning. Duh.