Failed PCI Compliance scan - SNMP parameters

Asked by oregonfinn (United States of America)
Topics: Vulnerabilities, Networking Protocols, Network Security
A client of mine recently failed a PCI-compliance network scan by Trustwave. In a nutshell, the scan turned up a Guessable SNMP Community String. I have all ports blocked from the WAN, and I've disabled ports 161 and 162 on the LAN. They continue to fail the test, and need to remedy this or they will start incurring fines from their credit card company. What do I do? I know what SNMP is, but I'm not an SNMP expert. Help me, Experts Exchange!

CVE-1999-0517 udp/161 Guessable SNMP Community String

Severity: High
PCI Status: Fail
Description: SNMP is a protocol used for remote monitoring and configuration of network devices and servers. The community string (essentially, the password) for your SNMP service was easily guessed. Although only the "read" (monitoring) string was tested, this probably means that the "write" (configuration) string is also guessable. An attacker who knows the community strings for this device will be able to monitor or reconfigure the device, potentially leading to a serious denial of service to your system or network.
Remediation: At a minimum, you should change your read and write community strings to something that is hard to guess. If SNMP is not required, you should disable it. Also, SNMP (UDP/161) should not be generally accessible from the Internet.
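The remediation above boils down to three checks on whatever device still answers on UDP/161: no default or short community strings, no write string unless it is needed, and the agent not listening on every interface or answering every source address. The following is an added example, not code from the question or from Trustwave; it audits a net-snmp style snmpd.conf offline and uses two constructed sample configs (the addresses and the strong string are made up).

```python
# Constructed sample configs (not from the question); net-snmp snmpd.conf syntax.
WEAK_CONF = """\
rocommunity public
rwcommunity private
"""

FIXED_CONF = """\
rocommunity Zk8qv2Lm9pT4wRxQ 192.0.2.10
agentaddress udp:10.0.0.1:161
"""

# Strings a scanner will try first; MIN_LEN is this audit's own policy, not a PCI number.
DEFAULT_STRINGS = {"public", "private", "community", "admin", "manager", "snmp"}
MIN_LEN = 12
COMMUNITY_DIRECTIVES = ("rocommunity", "rwcommunity")

def check_community(lineno, directive, community, source, findings):
    """Record weak-string, open-source and write-access problems for one directive."""
    if community.lower() in DEFAULT_STRINGS:
        findings.append((lineno, f"guessable community string {community!r}"))
    elif len(community) < MIN_LEN:
        findings.append((lineno, f"community string shorter than {MIN_LEN} characters"))
    if source in (None, "default"):
        findings.append((lineno, f"{directive} answers any source address; restrict it to the NMS"))
    if directive.startswith("rw"):
        findings.append((lineno, "write community present; remove unless SNMP configuration is required"))

def audit_snmpd_conf(text):
    """Return a list of (line_number, problem) tuples for an snmpd.conf body."""
    findings = []
    has_agentaddress = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not parts:
            continue
        directive = parts[0].lower()
        if directive in COMMUNITY_DIRECTIVES and len(parts) >= 2:
            source = parts[2] if len(parts) > 2 else None
            check_community(lineno, directive, parts[1], source, findings)
        elif directive == "com2sec" and len(parts) >= 4:
            # com2sec NAME SOURCE COMMUNITY: the source precedes the string here
            check_community(lineno, "com2sec", parts[3], parts[2], findings)
        elif directive == "agentaddress":
            has_agentaddress = True
    if not has_agentaddress:
        findings.append((0, "no agentaddress: snmpd listens on UDP/161 on every interface, WAN included"))
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_snmpd_conf(conf))
```

A clean result from this audit does not replace a rescan: if the edge router or firewall itself runs an SNMP agent, its own configuration, not the LAN hosts', is what the scanner reached.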