Source: cve@mitre.org
Memory leak in Simple Network Management Protocol (SNMP) agent (snmp.exe) for Windows NT 4.0 before Service Pack 4 allows remote attackers to cause a denial of service (memory consumption) via a large number of SNMP packets with Object Identifiers (OIDs) that cannot be decoded.
Remote attackers can trigger a denial-of-service (DoS) condition on vulnerable Windows NT 4.0 systems by sending a flood of malformed SNMP packets. This vulnerability, stemming from a memory leak in the SNMP agent, leads to excessive memory consumption, rendering the system unresponsive and potentially causing service outages.
Step 1: Packet Crafting: An attacker crafts a series of SNMP packets. Each packet contains one or more Object Identifiers (OIDs) that are designed to be undecodable by the target SNMP agent. These OIDs may be invalid, malformed, or simply not supported by the agent's configuration.
Step 2: Packet Delivery: The attacker sends the crafted SNMP packets to the target Windows NT 4.0 system, specifically targeting the SNMP agent (snmp.exe), typically on UDP port 161.
Step 3: Agent Processing: The SNMP agent receives the packets and attempts to process the included OIDs. Due to the malformed or unsupported OIDs, the agent enters an error state, but fails to properly handle the error.
Step 4: Memory Allocation: The agent allocates memory to handle the processing of the undecodable OIDs. The agent does not free the allocated memory after the processing attempt.
Step 5: Memory Leak: The allocated memory is not released, leading to a memory leak. Each subsequent packet with undecodable OIDs causes the agent to allocate more memory without releasing it.
Step 6: Resource Exhaustion: The memory leak continues, gradually consuming all available system memory. This leads to performance degradation and eventually a denial-of-service (DoS) condition, where the system becomes unresponsive and potentially crashes.
The vulnerability lies within the SNMP agent (snmp.exe) on Windows NT 4.0 before Service Pack 4. Specifically, the agent fails to properly handle and release memory when processing SNMP packets containing Object Identifiers (OIDs) that cannot be decoded. When the agent encounters an undecodable OID, it allocates memory to process the packet but doesn't free that memory after the processing attempt. Repeatedly sending such packets causes a memory leak, where the allocated memory is never reclaimed. Over time, this uncontrolled memory consumption exhausts system resources, leading to a DoS condition. The root cause is a lack of proper error handling and resource management within the SNMP agent's OID parsing logic. The agent doesn't account for invalid or malformed OIDs, leading to the allocation of memory without a corresponding deallocation.
Due to the age of the vulnerability and the affected OS, it is unlikely to be actively targeted by sophisticated APTs. However, it could be exploited by less skilled attackers or used as part of a broader attack chain. This vulnerability is not listed on the CISA KEV catalog.
Monitor network traffic for a high volume of SNMP packets, especially those with unusual or malformed OIDs.
Analyze SNMP agent process memory usage over time. A steadily increasing memory footprint indicates a potential memory leak.
Examine system logs for errors related to SNMP processing or resource exhaustion.
Use network intrusion detection systems (IDS) configured to detect malformed SNMP packets or unusual SNMP traffic patterns.
Monitor system performance metrics (CPU, memory, disk I/O) for signs of degradation or resource exhaustion.
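As an added illustration of the detection advice above (not code from the original advisory), the following Python validates the BER-encoded OIDs found in SNMP varbinds and counts undecodable ones per source address, the kind of check an IDS rule for "malformed SNMP packets" would make. The packets, source addresses and threshold are constructed sample data, not captured traffic.

```python
from collections import Counter

def decode_oid(tlv: bytes) -> list:
    """Decode a BER OBJECT IDENTIFIER TLV (short-form length only); raise ValueError
    for anything an agent could not decode: wrong tag, empty or truncated content,
    an unterminated base-128 subidentifier, or a non-minimal (0x80-padded) one."""
    if len(tlv) < 2 or tlv[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER TLV")
    length = tlv[1]
    if length & 0x80:
        raise ValueError("long-form length not supported here")
    body = tlv[2:2 + length]
    if length == 0 or len(body) != length:
        raise ValueError("empty or truncated OID content")
    arcs, value = [], 0
    for b in body:
        if value == 0 and b == 0x80:
            raise ValueError("non-minimal subidentifier encoding")
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends the subidentifier
            arcs.append(value)
            value = 0
    if body[-1] & 0x80:
        raise ValueError("unterminated subidentifier")
    # X.690: the first encoded value packs the first two arcs as 40*X + Y.
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return head + arcs[1:]

def flag_sources(packets, threshold: int) -> dict:
    """Count undecodable OIDs per source address; return sources at or over threshold."""
    bad = Counter()
    for src, oid_tlv in packets:
        try:
            decode_oid(oid_tlv)
        except ValueError:
            bad[src] += 1
    return {src: n for src, n in bad.items() if n >= threshold}

# Constructed sample varbind OIDs (addresses from documentation ranges, not real hosts).
SAMPLE_PACKETS = [
    ("192.0.2.10",   bytes.fromhex("06082b06010201010500")),  # sysName.0, valid
    ("198.51.100.7", bytes.fromhex("06032b0681")),            # unterminated subidentifier
    ("198.51.100.7", bytes.fromhex("0600")),                  # empty OID
    ("198.51.100.7", bytes.fromhex("06052b0601")),            # declares 5 bytes, 3 present
]
```

In a real deployment the packets would come from a capture of UDP/161 traffic, and the per-source count would be evaluated over a sliding time window rather than over a fixed list.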
Upgrade to a supported operating system. Windows NT 4.0 is no longer supported and does not receive security updates.
If upgrading is not possible, apply Service Pack 4 or later; the affected range is Windows NT 4.0 before Service Pack 4, although the available description does not explicitly state that SP4 contains the fix.
Disable the SNMP service if it is not required. This is the most effective way to eliminate the risk.
Implement network segmentation to isolate vulnerable systems.
Use a network firewall to restrict SNMP traffic to only trusted sources and block all other SNMP traffic.
Regularly monitor system performance and resource usage to detect potential memory leaks or other performance issues.
Consider using a host-based intrusion detection system (HIDS) to monitor for suspicious activity on the affected systems.