1. Introduction
The Nessus SNMP Scanner vulnerability involves the enumeration of Simple Network Management Protocol (SNMP) information on a system, which can reveal open ports and other network details. This matters to businesses as it provides attackers with reconnaissance data for further exploitation attempts. Systems running SNMP services are typically affected. A successful scan could lead to information disclosure impacting confidentiality.
2. Technical Explanation
This vulnerability occurs because the SNMP service is accessible and responds to enumeration requests. An attacker can use tools like Nessus to query the system for open ports and associated information. The main precondition is that UDP port 161 or 162 must be reachable on the target machine. There is no specific CVE currently associated with this general scanning activity, but it’s a common reconnaissance technique. An attacker could use SNMPwalk to discover device details, potentially identifying sensitive data and services running on the network.
- Root cause: The SNMP service is enabled without sufficient access controls or monitoring.
- Exploit mechanism: An attacker sends SNMP queries to the target system using tools like Nessus or SNMPwalk to gather information about open ports, device configuration, and running services. For example, an attacker could use a community string of ‘public’ if it’s the default setting.
- Scope: Affected platforms include any operating systems (Windows, Linux, macOS) running an SNMP service. Products with embedded network devices are also in scope.
3. Detection and Assessment
Confirming vulnerability involves checking for open SNMP ports and accessible community strings. A quick check is to see if the service is listening on standard ports. Thorough assessment requires a full scan using a tool like Nessus or an SNMPwalk utility.
- Quick checks: Use netstat -an | grep :161 (Linux) or Get-NetUDPEndpoint -LocalPort 161 (PowerShell) to check for listening ports; SNMP runs over UDP, so a TCP-only query such as Get-NetTCPConnection will not show it.
- Scanning: Nessus plugin ID 34850 can identify SNMP information enumeration. Other scanners may have similar checks.
- Logs and evidence: Check system logs for SNMP activity, particularly on UDP port 161 or 162. Event IDs will vary by operating system.
4. Solution / Remediation Steps
Fixing this issue involves disabling the SNMP service if it’s not required, or configuring strong access controls. These steps should be performed carefully to avoid disrupting network management functions.
4.1 Preparation
- Ensure you have documented the current SNMP configuration for rollback purposes. The rollback plan is to restore the previous configuration from that backup.
- A change window may be needed, depending on network impact and approval requirements.
4.2 Implementation
- Step 1: Disable the SNMP service if it’s not required. On Windows, run Stop-Service SNMP followed by Set-Service -Name SNMP -StartupType Disabled in PowerShell.
- Step 2: If the service is needed, configure strong community strings and access control lists (ACLs) to restrict access to authorized networks only.
- Step 3: Review firewall rules to ensure that UDP ports 161 and 162 are not unnecessarily exposed to external networks.
4.3 Config or Code Example
Before
# snmpd.conf (example, net-snmp syntax)
# Default community string, read-write, accepted from any source address
rwcommunity public
After
# snmpd.conf (example, net-snmp syntax)
# Strong community string, accepted only from the management subnet;
# any source not listed here is denied by default.
# Use rocommunity instead of rwcommunity if write access is not required.
rwcommunity strong_password 192.168.1.0/24
4.4 Security Practices Relevant to This Vulnerability
Practices that directly address this vulnerability type include least privilege and secure defaults. Least privilege limits the impact if SNMP is compromised. Secure defaults prevent easy enumeration of network information.
- Practice 1: Implement least privilege by restricting access to SNMP services only to authorized users and networks.
- Practice 2: Use strong, unique community strings instead of default values like ‘public’ or ‘private’.
4.5 Automation (Optional)
# Example PowerShell script to disable SNMP on multiple servers
# Requires Windows PowerShell 5.1: the -ComputerName parameter of Get-Service/Set-Service
# is not available in PowerShell 7.
$servers = @("server1", "server2", "server3")
foreach ($server in $servers) {
    try {
        # Stop-Service has no -ComputerName parameter, so pipe the remote service object into it.
        # -ErrorAction Stop turns non-terminating errors into exceptions the catch block can see.
        Get-Service -ComputerName $server -Name SNMP -ErrorAction Stop | Stop-Service -Force -ErrorAction Stop
        Set-Service -ComputerName $server -Name SNMP -StartupType Disabled -ErrorAction Stop
        Write-Host "SNMP disabled on $server"
    } catch {
        # ${server} prevents "$server:" from being parsed as a drive-qualified variable
        Write-Host "Error disabling SNMP on ${server}: $($_.Exception.Message)"
    }
}
5. Verification / Validation
Confirm the fix by checking that the SNMP service is no longer accessible or that strong access controls are in place. Re-run the earlier detection methods to verify the issue is resolved.
- Post-fix check: Use netstat -an | grep :161 (Linux) or Get-NetUDPEndpoint -LocalPort 161 (PowerShell) and confirm that port 161 is no longer listening, or use a tool like SNMPwalk to verify access is denied.
- Re-test: Re-run the Nessus scan with plugin ID 34850 and confirm it does not report any SNMP information enumeration vulnerabilities.
- Smoke test: Verify that network management systems relying on SNMP can still function correctly, if applicable.
- Monitoring: Monitor system logs for SNMP activity to detect any unauthorized access attempts. For example, look for failed authentication messages related to the SNMP service.
6. Preventive Measures and Monitoring
Update security baselines to include strong SNMP configuration requirements. Add checks in CI/CD pipelines to prevent insecure configurations from being deployed. Implement a regular patch review cycle for network devices. For example, ensure that all SNMP services are configured according to CIS benchmarks.
- Baselines: Update security baselines or policies to require strong community strings and access control lists for SNMP services.
- Pipelines: Add checks in CI/CD pipelines to scan configuration files for default community strings or insecure settings.
- Asset and patch process: Implement a regular review cycle (e.g., quarterly) to verify that all network devices are configured securely and patched against known vulnerabilities.
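Added example, not part of the original page: a Python check of the kind the pipeline item above describes, run over constructed snmpd.conf samples in net-snmp syntax. It flags default or short community strings and community definitions with no source restriction, which covers both the 4.3 config example and the CI/CD check; the 12-character minimum and the sample values are assumptions.

```python
from typing import List, Tuple

# Constructed sample snmpd.conf contents (not captured from any real host).
WEAK_CONF = "rwcommunity public\nrocommunity private 10.0.0.0/8\n"
HARDENED_CONF = ("rocommunity Kq7-mon-0nly-9f2e 192.168.1.0/24\n"
                 "com2sec mgmt 192.168.1.0/24 Xw3-rw-7hq9-2Lp\n")

DEFAULT_COMMUNITIES = {"public", "private"}
UNRESTRICTED_SOURCES = {"", "default", "0.0.0.0", "0.0.0.0/0", "::/0"}
MIN_COMMUNITY_LEN = 12  # assumed policy threshold


def lint_snmpd_conf(text: str) -> List[Tuple[str, int, str]]:
    """Return (severity, line, message) findings for net-snmp community definitions."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments; skip blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
            community = parts[1] if len(parts) > 1 else ""
            source = parts[2] if len(parts) > 2 else ""
        elif directive == "com2sec":
            # com2sec NAME SOURCE COMMUNITY (basic form, no -Cn option)
            source = parts[2] if len(parts) > 2 else ""
            community = parts[3] if len(parts) > 3 else ""
        else:
            continue
        if source.startswith("-"):  # "-V view" is an option, not a source restriction
            source = ""
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(("fail", lineno, f"default community string '{community}'"))
        elif len(community) < MIN_COMMUNITY_LEN:
            findings.append(("fail", lineno, f"community string shorter than {MIN_COMMUNITY_LEN} characters"))
        if source.lower() in UNRESTRICTED_SOURCES:
            findings.append(("fail", lineno, f"{directive} has no source restriction"))
        if directive.startswith("rw"):
            findings.append(("warn", lineno, "read-write community; use read-only unless writes are required"))
    return findings


def passes(text: str) -> bool:
    """True when there are no 'fail' findings; warnings do not block the pipeline."""
    return not any(sev == "fail" for sev, _, _ in lint_snmpd_conf(text))
```

Wire passes() into the pipeline step that validates device or server configuration files before deployment; a False result should fail the build.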
7. Risks, Side Effects, and Roll Back
Disabling the SNMP service may disrupt network management functions. Incorrectly configuring access controls could also cause issues. Roll back by restoring the previous configuration from the backup or re-enabling the service with its original settings.
- Risk or side effect 1: Disabling SNMP may impact network monitoring tools that rely on it. Mitigation is to carefully plan the change and test thoroughly.
- Roll back: 1. Restore the system snapshot taken before the changes. 2. If a snapshot wasn’t used, restore the SNMP configuration from the backup file. 3