The SilverCreek Vulnerability Test Suite tests the robustness of an SNMP agent in the face of a Denial-of-Service attack. These attacks can disable computer systems and networks and ultimately the operation of your organization. Denial-of-service attacks come in a variety of forms and aim at a variety of services. Attackers exploit vulnerabilities in SNMP agents in order to disrupt network connectivity by preventing network devices with SNMP agents from operating.

Some DoS attacks focus on finding vulnerabilities in the encapsulation of SNMP packets. If the agent has any weaknesses at all in the algorithms it uses to decode an SNMP packet, then it is likely to crash, hang, reboot, or exhibit other undesirable behavior. SNMP packets are encapsulated according to ASN.1, which describes the grammar, and BER, which describes the translation mechanism.

The SilverCreek SNMP Vulnerability Test Suite introduces abnormalities into the grammar and the encapsulation of the SNMP packet to make it malformed. The parameters that can be changed for encapsulation are type, length, and payload. By changing the tag (what ASN.1 type is it?), length (how long is the payload?), and value (the payload) to wrong or unexpected values, a normal, valid packet becomes a pathological packet.

SNMP Vulnerability Test Suite Summary:

  • Automatically run all network penetration and vulnerability test cases against one agent/device
  • Automatically run all network penetration and vulnerability test cases against all the agents on all the devices in the network in one step
  • Verify if the agent properly responded by reviewing PASS/FAIL (deterministic) results
  • Pinpoint the precise sequence and type of packet that caused the failure and generate a report
  • Fully integrated with the SilverCreek Test Suite, Tools, Reports, etc., minimizing the learning curve
  • Complete solution; supports all versions of SNMP: v1, v2c, and v3
  • Verify if the manufacturer's patches resolve all vulnerability problems
  • Change values and parameters in the test cases
  • Eliminates legal worries. There are no Free Software Foundation-GNU License dependencies. All the code is the original work of InterWorking Labs.

CERT Advisories

The SilverCreek Vulnerability Test Suite addresses the issues cited in the CERT Advisories concerning SNMP. The Test Suite has more than 700,000 test cases arranged in approximately 450 test groups. Each group focuses on a specific concept:

  • Modifying the Type of a specific component of the SNMP packet
  • Modifying the Length of a specific component of the SNMP packet
  • Modifying the Value of a specific component of the SNMP packet (to something unexpected, problematic, indecipherable, etc.)
  • Modifying community string values

Here are a few examples of the test types:

(1)

{ V1-get-community-l-1 {}

"V1-get-community-len-1 The test packets sent in this test have invalid length field in community string BER encoding.

The test packets sent in this test have very long community string value, and each of them again has length field encoded as value from 0 to (2^512).

The expected outcome is for the agent to discard those malformed packets and continue to respond to normal requests."

(2)

{V1-get-OID-l-2 {}

"V1-get-OID-l-2: The test packets sent in this test have invalid OID BER encoding.

For example, OID length part contains very big integer value (2 ^ i -1),(2 ^ i),(2 ^ i +1), where i ranges from 1 to 512, and the message contains multiple variable bindings.

The expected outcome is for the agent to discard those malformed packets and continue to respond to normal requests."
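What "discard those malformed packets" can look like on the agent side, as an added example (not InterWorking Labs or SilverCreek code): a bounds-checked BER header parser that rejects the oversized and inconsistent length fields the two tests above describe. The function names, result codes, community-size limit and sample packets are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Discard reasons; names are illustrative, not taken from any SNMP library. */
enum { BER_OK = 0, BER_TRUNCATED = -1, BER_BAD_LENGTH = -2, BER_BAD_TAG = -3 };

/* Parse one TLV header at buf[*pos]; on success *pos is the first value octet. */
static int ber_header(const uint8_t *buf, size_t n, size_t *pos, uint8_t *tag, size_t *len) {
    if (*pos > n || n - *pos < 2) return BER_TRUNCATED;
    *tag = buf[(*pos)++];
    size_t value = buf[(*pos)++];
    if (value & 0x80) {                              /* long form */
        size_t count = value & 0x7f;
        if (count == 0) return BER_BAD_LENGTH;       /* indefinite form: never valid in SNMP */
        if (count > n - *pos) return BER_TRUNCATED;  /* length octets run off the buffer */
        for (value = 0; count > 0; count--) {
            if (value > (SIZE_MAX >> 8)) return BER_BAD_LENGTH;  /* would overflow size_t */
            value = (value << 8) | buf[(*pos)++];
        }
    }
    if (value > n - *pos) return BER_BAD_LENGTH;     /* claims more than was received */
    *len = value;
    return BER_OK;
}

/* Check SEQUENCE { INTEGER version, OCTET STRING community, ... } of a v1/v2c message. */
int snmp_check_prefix(const uint8_t *pkt, size_t n, size_t max_community) {
    size_t pos = 0, len = 0; uint8_t tag = 0; int rc;
    if ((rc = ber_header(pkt, n, &pos, &tag, &len)) != BER_OK) return rc;
    if (tag != 0x30) return BER_BAD_TAG;
    n = pos + len;                                   /* confine parsing to the SEQUENCE */
    if ((rc = ber_header(pkt, n, &pos, &tag, &len)) != BER_OK) return rc;
    if (tag != 0x02) return BER_BAD_TAG;
    if (len == 0 || len > 4) return BER_BAD_LENGTH;  /* version is a small INTEGER */
    pos += len;
    if ((rc = ber_header(pkt, n, &pos, &tag, &len)) != BER_OK) return rc;
    if (tag != 0x04) return BER_BAD_TAG;
    return len > max_community ? BER_BAD_LENGTH : BER_OK;
}

/* Constructed samples: a valid v1 GetRequest; a community length claiming 2^32-1 octets. */
static const uint8_t GOOD[] = { 0x30,0x29, 0x02,0x01,0x00, 0x04,0x06,'p','u','b','l','i','c',
    0xa0,0x1c, 0x02,0x04,0x12,0x34,0x56,0x78, 0x02,0x01,0x00, 0x02,0x01,0x00, 0x30,0x0e,
    0x30,0x0c, 0x06,0x08,0x2b,0x06,0x01,0x02,0x01,0x01,0x01,0x00, 0x05,0x00 };
static const uint8_t BAD[] = { 0x30,0x0a, 0x02,0x01,0x00, 0x04,0x84,0xff,0xff,0xff,0xff, 'p' };
int main(void) {
    printf("good=%d ", snmp_check_prefix(GOOD, sizeof GOOD, 64));
    printf("bad=%d\n", snmp_check_prefix(BAD, sizeof BAD, 64));
    return 0;
}
```

The overflow check inside the loop is what keeps a length field with dozens of octets, such as the 2^512-scale values in the tests, from wrapping around into a small, plausible-looking length.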

Test Scope and Methodology

For SNMPv1 vulnerabilities:
105 test cases, with 30,000 test instances each, equals 3,150,000 possible test variations

For SNMPv2c vulnerabilities:
113 test cases, with 30,000 test instances each, equals 3,390,000 possible test variations

For SNMPv3 vulnerabilities:
191 test cases, with 30,000 test instances each, equals 5,730,000 possible test variations

As a side note, for more extensive testing it is a good idea to use:

* the v3 and v2c vulnerability tests against a v1 agent
* the v1 and v2c vulnerability tests against a v3 agent
* the v1 and v3 vulnerability tests against a v2c agent

In this way, you can determine that the agent behaves properly by discarding the test packets that are not appropriate for the version of the agent.

Reports from the field confirm that even after vendor patches were installed, the SilverCreek SNMP Vulnerability Test Suite found additional vulnerabilities on many network devices. This means those devices were still vulnerable to new network attacks. It is important to be proactive and take all measures to secure a network. The SNMP Vulnerability Test Suite is an essential tool in the arsenal of network security protection solutions.

What is the execution time for the SilverCreek SNMP Vulnerability Test Suite?

Execution time depends on the size and complexity of the SNMP agent and the number of vulnerabilities it contains.  InterWorking Labs tested a v2c agent that tested in 12 hours (but it did reboot several times), and a v1 agent that tested in less than an hour.

During testing, my device behaved irregularly and no information was displayed!

The SilverCreek SNMP Vulnerability Test Suite is sending confusing and problematic packets to your device, by design. Your device may crash and stop responding. You may need to reboot your device. It is a good idea to save test results to determine when/why your agent failed. It is also a good idea to open the console window and enable the debugging features. This allows you to see what SilverCreek is sending to your agent and what your agent is returning. It may be most convenient to analyze the test result file to see the tests your agent failed. You can also rerun a selected test with the debugging features turned on to get a real-time view of what is taking place.

In summary, the SilverCreek Vulnerability Test Suite tests the robustness of an SNMP agent in the face of a Denial-of-Service attack.


Client Reviews

I love the way you can customize the tests.

- Michael MacFaden, VMWare
