Quick Summary
SNMP Public Community String Configured is a network service misconfiguration where the Simple Network Management Protocol (SNMP) service is accessible using the default community string “public.” This allows unauthorized users to query system information, network configuration, and device details, potentially aiding reconnaissance and further attacks.
Vulnerability Classification
| Field | Value |
|---|---|
| Vulnerability Type | SNMP Misconfiguration |
| CWE ID | CWE-798 – Use of Hard-coded Credentials |
| CVE ID | N/A (Configuration Issue) |
| CVSS 4.0 Base Score | 7.5 (High) |
| CVSS Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N |
| OWASP Category | A05:2021 – Security Misconfiguration |
| Attack Surface | Internal / External Network |
Affected Asset / Environment
- Service: SNMP
- Default Port: 161 (UDP)
- Common Devices: Routers, Switches, Firewalls, Servers, Printers
- SNMP Versions: v1 / v2c (Community String Based)
- Testing Method: Black-box Network Assessment
- Tools Used: Nmap, snmpwalk, onesixtyone
Description
The assessor observed that the SNMP service running on the target device accepts the default community string “public.” During testing, it was possible to retrieve system information using SNMP queries without authentication controls.
SNMP v1 and v2c rely on community strings as a form of authentication. When default values such as “public” or “private” are left unchanged, attackers may easily query sensitive information from the device.
Information exposed via SNMP may include system details, running processes, network interfaces, routing tables, and configuration metadata. This significantly assists attackers during reconnaissance.
Root Cause
The issue occurs due to improper SNMP configuration where default community strings are not changed after deployment.
Common root causes include:
- Default SNMP configuration left unchanged
- Lack of secure configuration baseline
- Use of SNMP v1 or v2c instead of SNMPv3
- Absence of IP-based access restriction
- Poor device hardening practices
Business Impact
Exploitation of this vulnerability may allow attackers to gather detailed information about the internal network infrastructure. This information may include system versions, IP addresses, network topology, and device configurations.
Such reconnaissance data may be used to identify additional vulnerabilities, conduct targeted attacks, or facilitate lateral movement. In regulated environments, exposure of infrastructure details may also lead to compliance risks.
Technical Impact
An attacker can:
- Enumerate system name and uptime
- Retrieve network interface details
- Identify open ports and services
- Extract routing tables
- Gather hardware and firmware information
- Identify potential attack vectors for further exploitation
Although this vulnerability may not directly allow remote code execution, it significantly increases reconnaissance capabilities.
Proof of Concept (PoC)
Step 1: Identify SNMP Service
nmap -sU -p 161 <target-ip>
If port 161/udp is open, proceed to community string testing.
Step 2: Detect SNMP Version and Access
nmap -sU -p 161 --script snmp-info <target-ip>
If SNMP information is returned without authentication, further testing is required.
Step 3: Attempt Enumeration Using Default Community String
snmpwalk -v2c -c public <target-ip>
If output displays system details such as system name, interfaces, or uptime, the device is vulnerable.
Step 4: Brute-force Community Strings (If Authorized)
onesixtyone -c community.txt <target-ip>
If the string “public” returns valid data, default configuration is confirmed.
Exploitation Prerequisites
- Network access to UDP port 161
- SNMP v1 or v2c enabled
- Default community string configured
- No IP-based access restriction
Remediation
It is recommended that default SNMP community strings be changed immediately.
Recommended actions:
- Replace default community strings with strong, unique values
- Restrict SNMP access to specific management IP addresses
- Disable SNMP if not required
- Upgrade to SNMPv3 with authentication and encryption
- Apply firewall rules to restrict UDP port 161 access
- Regularly audit network device configurations
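The configuration-level checks behind these recommendations, as an added audit script that is not part of this finding or its tooling: it reads a net-snmp style snmpd.conf and flags default community strings, community access with no source restriction, read-write communities, and the absence of an SNMPv3 user at the authPriv level. Directive syntax follows snmpd.conf(5); the two sample configurations and the 12-character strength threshold are constructed assumptions.

```python
# Added audit helper (not the finding's PoC). Directive forms used, per snmpd.conf(5):
#   rocommunity|rwcommunity COMMUNITY [SOURCE]     (SOURCE omitted = any host)
#   createUser USER SHA AUTHPASS AES PRIVPASS
#   rouser|rwuser USER [noauth|auth|priv]           (level omitted = auth)
DEFAULT_COMMUNITIES = {"public", "private"}
MIN_COMMUNITY_LEN = 12                 # strength heuristic; an assumption of this example
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}

WEAK_CONF = """\
# constructed sample: the configuration this finding describes
rocommunity public
rwcommunity private
"""

HARDENED_CONF = """\
# constructed sample: the same agent after remediation
# read-only, unique string, restricted to the management host
rocommunity Q7v!mX2pLk9z 192.0.2.10
# SNMPv3 user with authentication and encryption (authPriv)
createUser monitor SHA "Auth-Passphrase-1" AES "Priv-Passphrase-1"
rouser monitor priv
"""

def audit_snmpd_conf(text):
    """Return (line_number, issue) tuples; an empty list means nothing was flagged."""
    findings = []
    has_v3_user = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank and comment lines are ignored by snmpd
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            community = tokens[1] if len(tokens) > 1 else ""
            source = tokens[2] if len(tokens) > 2 else "default"   # net-snmp default: any source
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, f"default community string '{community}'"))
            elif len(community) < MIN_COMMUNITY_LEN:
                findings.append((lineno, f"short community string '{community}'"))
            if source in ANY_SOURCE:
                findings.append((lineno, f"{directive} '{community}' has no source restriction"))
            if directive.startswith("rw"):
                findings.append((lineno, f"read-write access via community '{community}'"))
        elif directive in ("rouser", "rwuser"):
            has_v3_user = True
            user = tokens[1] if len(tokens) > 1 else "?"
            level = tokens[2].lower() if len(tokens) > 2 else "auth"  # net-snmp default level
            if level != "priv":
                findings.append((lineno, f"SNMPv3 user '{user}' not required to use encryption"))
    if not has_v3_user:
        findings.append((0, "no SNMPv3 user; access is community-based (v1/v2c) only"))
    return findings
```

Running it over the weak sample reproduces every root cause listed above as a line-numbered finding, while the hardened sample produces none.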
Detection and Monitoring
- Monitor SNMP access logs
- Alert on repeated SNMP query attempts
- Conduct periodic scans for open SNMP services
- Implement network segmentation for management interfaces
