<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Shibumi Dojo &#187; snmpv1</title>
	<atom:link href="http://www.shibumidojo.org/index.php/tag/snmpv1/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.shibumidojo.org</link>
	<description></description>
	<lastBuildDate>Mon, 16 Jan 2012 07:48:55 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>SNMP and Security</title>
		<link>http://www.shibumidojo.org/index.php/2009/07/25/snmp-and-security/</link>
		<comments>http://www.shibumidojo.org/index.php/2009/07/25/snmp-and-security/#comments</comments>
		<pubDate>Sat, 25 Jul 2009 13:16:29 +0000</pubDate>
		<dc:creator>CorpusCallosum</dc:creator>
				<category><![CDATA[Network]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[snmp]]></category>
		<category><![CDATA[snmp vulnerabilities]]></category>
		<category><![CDATA[snmpv1]]></category>
		<category><![CDATA[snmpv2]]></category>
		<category><![CDATA[snmpv3]]></category>

		<guid isPermaLink="false">http://www.shibumidojo.org/?p=239</guid>
		<description><![CDATA[I will give some information about the definition of SNMP and what kind of security vulnerability risks come with this protocol. Many administrators have relied on SNMP (Simple Network Management Protocol) to handle monitoring and management of network devices. As networks have grown and administrators' needs have increased, the [...]]]></description>
			<content:encoded><![CDATA[<p>I will give some information about the definition of SNMP and what kind of security vulnerability risks come with this protocol. Many administrators have relied on SNMP (Simple Network Management Protocol) to handle monitoring and management of network devices. As networks have grown and administrators' needs have increased, SNMP was established in the late 1980s to obtain useful information (for example, whether a router is working) and to operate devices on remote networks (for example, enabling or disabling a UPS).</p>
<p>Using SNMP it is possible to obtain the condition of a hard-drive partition, the uptime of switches, routers, UPSes and similar devices, or the traffic density on a router port. SNMP runs at the Application Layer of the TCP/IP stack. Furthermore, it runs on a multitude of devices and operating systems, such as:</p>
<ul>
<li>Core Network Devices (Routers, Switches, Hubs, Bridges, and Wireless Network Access Points)</li>
<li>Consumer Broadband Network Devices (Cable Modems and DSL Modems)</li>
<li>Consumer Electronic Devices (Cameras and Image Scanners)</li>
<li>Networked Office Equipment (Printers, Copiers, and FAX Machines)</li>
<li>Network and Systems Management/Diagnostic Frameworks (Network Sniffers and Network Analyzers)</li>
<li>Networked Medical Equipment (Imaging Units and Oscilloscopes)</li>
<li>Manufacturing and Processing Equipment, etc.</li>
</ul>
<p><img hspace="1" vspace="1" border="1" align="left" alt="" style="width: 329px; height: 301px;" src="http://www.shibumidojo.org/wp-content/uploads/image/CT845602.jpg" />SNMP needs three main components in order to work properly: the agent module, which runs on the managed device and collects information about it; the manager, which interacts with the agent and retrieves the data from it; and the network management element, which runs on the manager and makes all the devices visible, traceable and reconfigurable.</p>
<p>SNMP is a request/response protocol: the network management component sends a request to a device running an agent module, and the agent returns a reply to the network management component. Management and monitoring are handled by five different types of messages in SNMPv1, which is formally defined in <a href="http://www.ietf.org/rfc/rfc1157.txt"><u>RFC1157</u></a>: <i>GetRequest, SetRequest, GetNextRequest, GetResponse,</i> and <i>Trap</i>.</p>
<p>A single SNMP message is referred to as a Protocol Data Unit (PDU). These messages are described using Abstract Syntax Notation One (ASN.1) and translated into binary format using Basic Encoding Rules (BER). SNMP request messages are sent from managers to agents. Request messages can poll the agent for current performance or configuration data, ask for the next SNMP object in a Management Information Base (MIB), or modify configuration settings. SNMP agents should reliably decode request messages and process the resulting application data.</p>
<p><font face="Verdana"><small>OUSPG&#8217;s research focused on the manner in which SNMPv1 agents and managers handle request and trap messages.  By applying the <a href="http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html">PROTOS c06-snmpv1 test suite</a> to a variety of popular SNMPv1-enabled products, the OUSPG revealed the following vulnerabilities: </small></font></p>
<p><font face="Verdana"><small><b><a href="http://www.kb.cert.org/vuls/id/107186">VU#107186</a> &#8211; Multiple vulnerabilities in SNMPv1 trap handling </b> </small></font></p>
<blockquote><p><font face="Verdana"><small> SNMP trap messages are sent from agents to managers. A trap message may indicate a warning or error condition or otherwise notify the manager about the agent&#8217;s state.  SNMP managers must properly decode trap messages and process the resulting data.  In testing, OUSPG found multiple vulnerabilities in the way many SNMP managers decode and process SNMP trap messages.  </small></font></p></blockquote>
<p><font face="Verdana"><small><b><a href="http://www.kb.cert.org/vuls/id/854306">VU#854306</a> &#8211; Multiple vulnerabilities in SNMPv1 request handling </b></small></font></p>
<blockquote><p> <font face="Verdana"><small>SNMP request messages are sent from managers to agents. Request messages might be issued to obtain information from an agent or to instruct the agent to configure the host device. SNMP agents must properly decode request messages and process the resulting data. In testing, OUSPG found multiple vulnerabilities in the way many SNMP agents decode and process SNMP request messages. </small></font></p></blockquote>
<p>Vulnerabilities in the decoding and subsequent processing of SNMP messages by both managers and agents may result in denial-of-service conditions, format string vulnerabilities, and buffer overflows. Some vulnerabilities do not require the SNMP message to use the correct SNMP community string.</p>
<p>The CERT Advisory goes on to report the impact of these vulnerabilities:</p>
<ol>
<li>unauthorized privileged access</li>
<li>denial-of-service attacks</li>
<li>unstable behavior (service interruptions)</li>
</ol>
<p>The CISO needs to keep the following concerns in mind when managing risk in the enterprise.</p>
<ol>
<li><strong>Threat: Fuzzing &ndash; Exposed Shared Secrets:</strong> A major vulnerability of SNMP v1/v2c is that the shared secret (the community string) is sent in the clear; it is not encrypted. This is true whether the SNMP request is querying counter information, inspecting topology data, or reconfiguring the device. Since the shared secret is not hidden, an attacker can monitor the SNMP traffic to determine the network topology and harvest those shared secrets. Among hackers, this is called fuzzing; amongst security professionals, this is Packet Sniffing.
<p>For example, using SNMP v1/v2c in an insecure network such as a DMZ means an attacker can monitor SNMP traffic and obtain community strings to perform their own queries or reconfigure devices using SNMP SET. By monitoring SNMP traffic or performing a query directly, an attacker can quickly determine the sysObjectID of each device. The sysObjectID tells the attacker which operating system (OS) the device runs. Knowing the OS allows the attacker to determine a suitable target and pick suitable tools to use against that target.</p></li>
<li><strong>Threat: Service Interruptions:</strong> Vulnerabilities in decoding and processing SNMP messages (whether a trap or a request) in various software products are exploited by the Badly Formed SNMP Trap Attack. The impact of this attack is to blind the management software (preventing it from receiving more traps by causing it to crash) or to blind the agent (making it unable to be queried by causing it to crash). The ability of the management software to continue to manage is degraded at best or disabled at worst.
<p>From within a DMZ, an attacker can reach the management software in the secure network when holes in the firewall are open to allow SNMP traffic or SNMP traps through directly. The attacker constructs special packets with ASN.1 decode errors. When the management console receives such a message, it may exit abnormally. When critical daemons exit abnormally, the management software is degraded, causing service interruptions.</p></li>
<li><strong>Threat: Denial of Service:</strong> The denial-of-service attack disables management software by sending a host more SNMP traffic than it can process. The backlog of traffic causes the SNMP agent or manager to dedicate a disproportionate amount of CPU to processing the attack&rsquo;s traffic.
<p>From within a DMZ, an attacker can flood SNMP traps to the management console when SNMP traps are permitted to flow through firewalls from the DMZ to the secure side. This flood of traps (whether bogus or legitimate) causes the management software to build a backlog. The software uses too much CPU while processing the backlog, causing the management software to stop functioning effectively.</p></li>
<li><strong>Threat: Unauthorized Privileged Access:</strong> This threat is the most feared by system managers &ndash; a vulnerability that can give the attacker elevated, privileged access on a host or network device. A common cause is a buffer overflow, but the vulnerability is specific to the software processing the SNMP packet.
<p>If an attacker determines the SNMP v1/v2c SET community strings, the attacker can execute privileged commands. On networking devices, privileged commands may be used to reconfigure the device to behave undesirably. With advanced host agents, commands may be sent to the agent, which then executes them in a privileged state.</p></li>
</ol>
<p>Today, mitigating the risks of the SNMP protocol involves one or more of the following mitigating factors:</p>
<ul>
<li>using SNMPv3 (not v1 or v2c),</li>
<li>deploying an IPS appliance to protect against denial of service,</li>
<li>using a management protocol proxy firewall which verifies SNMP traffic to ensure it is authentic and valid, as well as mitigating SNMP-based attacks,</li>
<li>changing the community strings after setting up SNMP, and</li>
<li>keeping the SNMP implementation up to date.</li>
</ul>
<p><strong><em>All the Resources are in the Reference Page. </em></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.shibumidojo.org/index.php/2009/07/25/snmp-and-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

