← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
tenable:76474 · Disclosed 2014-07-11

SNMP &#x27

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

Like leaving a bullhorn on your loading dock that mostly shouts at someone else

Tenable plugin 76474 flags an SNMP agent that answers GETBULK with unusually large replies, making it usable as a UDP reflection/amplification node in a DDoS attack. In practice, the affected population is not a single software version range but any internet-reachable SNMP service on UDP/161 that will answer GETBULK, especially SNMPv2c deployments with weak or default read communities such as public; the plugin was published on 2014-07-11 and describes an exposure pattern, not one cleanly patchable product defect.

Tenable's MEDIUM is a little generous for enterprise patch prioritization. The decisive friction is that this only matters at scale when the device is *externally reachable* and *queryable* over SNMP from an attacker's vantage point; most managed enterprise SNMP stays internal or ACL-restricted. Also, the primary impact is usually being abused to hit a third party, not direct compromise of your host, so this belongs in network-exposure cleanup rather than front-of-line patching.

"This is usually exposed-service hygiene, not a patch-now enterprise emergency."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find an exposed reflector candidate

The attacker scans for UDP/161 and identifies devices that answer SNMP from the public internet, commonly using zmap, masscan, nmap, Shodan, or Censys. This is commodity recon, but it only pays off where SNMP is exposed outside the management plane.
Conditions required:
  • Target device is reachable from the internet on UDP/161
  • SNMP service is enabled on the public-facing interface
Where this breaks in practice:
  • Most enterprise deployments keep SNMP on private management networks
  • Perimeter ACLs, ISP filters, and branch firewalls often block SNMP from untrusted sources
Detection/coverage: External attack-surface tools, Shadowserver Open SNMP reporting, and simple UDP/161 exposure scans catch this well.
STEP 02

Obtain readable SNMP access

To weaponize GETBULK, the attacker usually needs a valid read path, often a default or weak community string such as public in SNMPv1/v2c. Tools like onesixtyone or plain snmpwalk are enough to validate access.
Conditions required:
  • A readable community string is accepted, or SNMPv3 is configured without meaningful access restrictions
  • The attacker can query the agent directly
Where this breaks in practice:
  • Randomized communities and SNMPv3 auth/privacy break the low-effort path
  • Many enterprises already disabled public years ago
Detection/coverage: Credentialed vuln scanning and config audit catch default/weak communities; unauthenticated scanners often miss non-default but still over-permissive SNMP.
STEP 03

Trigger oversized GETBULK replies

Using spoof-capable tooling such as hping3, scapy, or the Team Poison SNMP reflector tool cited by PLXsert, the attacker sends GETBULK requests with large max-repetitions. The reflector emits responses substantially larger than the request, creating amplification.
Conditions required:
  • The SNMP agent supports GETBULK behavior useful for amplification
  • The attacker's upstream path permits packet spoofing
Where this breaks in practice:
  • BCP38 ingress filtering kills spoofed-source reflection at the sender side
  • Not every SNMP agent yields strong amplification ratios
Detection/coverage: NetFlow/sFlow and firewall telemetry can show unsolicited SNMP responses leaving the network; host-based agents usually do not help on embedded network gear.
STEP 04

Abuse the device as a DDoS node

The attacker points the spoofed source at the victim, and your device sends the amplified SNMP reply to that third party. Operational fallout for you is abuse complaints, provider scrutiny, and noisy outbound traffic rather than a classic host compromise.
Conditions required:
  • Outbound SNMP replies are allowed
  • Enough reflectors exist to make the campaign worthwhile
Where this breaks in practice:
  • Blast radius is mostly externalized to the victim, which lowers direct business impact on the asset owner
  • Rate limiting, egress filtering, and ISP intervention reduce campaign usefulness
Detection/coverage: Border telemetry, DDoS scrubbing alerts, and abuse-desk reports are the best signals; endpoint scanners rarely see the misuse in real time.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusYes, as a *technique*: Akamai/PLXsert reported 14 SNMP reflection campaigns observed since 2014-04-11. That is evidence of operational abuse of exposed SNMP, not proof your internally managed switches are under immediate exploit pressure.
KEV statusThe CVE Tenable cites for scoring context, CVE-2008-4309, is not KEV-listed per OpenCVE's current KEV flag. More importantly, the plugin describes an *exposure condition* broader than that single Net-SNMP bug.
Proof-of-concept / weaponizationPublic weaponization has existed for years; Network World cites a Team Poison tool that sends spoofed SNMP GETBULK requests for reflection. Abuse is low-skill once exposure and a readable community are present.
EPSSOpenCVE shows EPSS 11.4% for CVE-2008-4309. Treat that cautiously here because Tenable is borrowing a CVE score source for a broader reflector/misconfiguration finding, not a neat one-to-one software defect.
Vendor scoringTenable labels plugin 76474 Medium, with CVSS v2 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) and VPR Low 3.0. That VPR is closer to reality for patch-priority triage.
Affected populationAny internet-reachable SNMP agent that answers GETBULK, especially SNMPv2c with default or weak read communities. This is exposure-driven, not a single vendor/version blast radius.
Fixed versionThere is no universal patched version for the reflector condition because the real fix is to remove public reachability or weak SNMP access. If you are specifically chasing CVE-2008-4309 in Net-SNMP, NVD lists fixes in 5.4.2.1 / 5.3.2.3 / 5.2.5.1 and downstream distro backports.
Exposure dataShadowserver still runs an Open SNMP Report, which tells you this exposure remains operationally relevant. Historical internet-wide examples were large: Rapid7 cited 229,409 Ambit and 224,544 Netopia devices exposed via SNMP in Shodan data.
Disclosure / ageNessus plugin publication date is 2014-07-11. The underlying reflection technique was already publicly discussed by BITAG/Comcast in 2012 and by Akamai/PLXsert in 2014.
Reporting / research lineagePrimary sources tie the risk story to Tenable, BITAG/Comcast, Akamai Prolexic PLXsert, Shadowserver, and older exposure research from Rapid7.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (2.9/10)

The single biggest downgrading factor is attacker position: the device must be externally reachable over SNMP and permissive enough to answer usable GETBULK requests. That sharply narrows the exposed population in well-run enterprises, and the impact is usually reflector abuse against a third party rather than direct compromise of your own estate.

HIGH Severity downgrade from vendor MEDIUM to operational LOW for enterprise patch prioritization
MEDIUM Applicability across heterogeneous SNMP products because the plugin models exposure more than a single code flaw

Why this verdict

  • Baseline down from Tenable's MEDIUM: Tenable already hints this is not urgent by giving the plugin a VPR Low 3.0, even while preserving a legacy CVSS v2 medium label.
  • Attacker position narrows hard: meaningful abuse requires unauthenticated remote network reachability to UDP/161 *plus* a readable SNMP path; in enterprise reality that usually implies a mis-exposed management interface, not broad workstation/server exposure.
  • Prerequisite compounding matters: needing public exposure, workable community access, and spoof-capable upstream paths creates multiple real-world breakpoints. Each of those cuts reachable population and suppresses exploitation value in normal corporate environments.
  • Blast radius is limited for the asset owner: the usual outcome is your device becomes a reflector in someone else's DDoS event. That's bad internet citizenship and can trigger abuse handling, but it is not equivalent to remote code execution or domain compromise.
  • Still not ignorable on edge gear: printers, routers, firewalls, branch appliances, OT gateways, and forgotten ISP-managed devices are exactly where SNMP exposure lingers, so externally exposed findings deserve cleanup even if they do not deserve crisis patching.

Why not higher?

This does not earn MEDIUM-or-higher patch priority because it lacks the two things that drive enterprise urgency: broad reachable population and direct compromise impact. If the device is not internet-exposed or does not accept weak SNMP reads, the attack path collapses immediately.

Why not lower?

I am not dropping this to IGNORE because exposed SNMP with readable communities is still routinely found on edge and unmanaged devices, and abuse is trivial once those conditions exist. The same condition can also leak system information, not just participate in reflection.

05 · Compensating Control

What to do — in priority order.

  1. Block external SNMP — Restrict UDP/161 to dedicated management networks and approved pollers only. For a LOW verdict there is no SLA; treat this as backlog hygiene, but if the asset is internet-facing edge gear, close the exposure in your next network-hardening cycle rather than waiting for a patch that may not exist.
  2. Kill default communities — Remove public/private, rotate weak read communities, and prefer SNMPv3 with auth/privacy where the platform supports it. Again, no SLA at LOW severity, but do it during normal config maintenance because this eliminates both reflection utility and easy information disclosure.
  3. Inventory public UDP/161 — Use external ASM, Shadowserver feeds, or perimeter scans to identify internet-exposed SNMP responders, especially branch, printer, ISP-managed, and OT-adjacent devices. At this severity there is no mitigation SLA; fold it into continuous exposure management.
  4. Apply egress anti-spoofing — BCP38-style anti-spoofing does not fix your reflector if it is already exposed, but it reduces your own network's ability to originate reflected attacks elsewhere. Treat it as structural network hygiene with no dedicated LOW-severity deadline.
What doesn't work
  • EDR on servers won't solve this when the risky asset is a router, switch, printer, firewall, or embedded appliance with no agent.
  • Waiting for a vendor patch is often the wrong move because this plugin mostly describes exposure/configuration, not a single patchable software defect.
  • Changing only the SNMP version string in documentation without removing public reachability does not help; an internet-reachable, weakly controlled SNMP service is still the problem.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation outside the target's trusted management network so you test real external exposure, not an internal-only path. Invoke it as ./check_snmp_getbulk_reflection.sh 203.0.113.10 public with no special privileges beyond having snmpbulkwalk and timeout installed; it outputs VULNERABLE, PATCHED, or UNKNOWN based on whether a public GETBULK read succeeds from that vantage.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_snmp_getbulk_reflection.sh
# Purpose: Test whether a host appears externally usable for SNMP GETBULK reflection
# Usage: ./check_snmp_getbulk_reflection.sh <host> [community]
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

HOST="${1:-}"
COMMUNITY="${2:-public}"
OID="1.3.6.1.2.1.1"   # system subtree
TIMEOUT_BIN="$(command -v timeout || true)"
SNMPBULKWALK_BIN="$(command -v snmpbulkwalk || true)"
TMP_OUT="$(mktemp)"
TMP_ERR="$(mktemp)"
cleanup() {
  rm -f "$TMP_OUT" "$TMP_ERR"
}
trap cleanup EXIT

if [[ -z "$HOST" ]]; then
  echo "UNKNOWN - usage: $0 <host> [community]"
  exit 2
fi

if [[ -z "$SNMPBULKWALK_BIN" ]]; then
  echo "UNKNOWN - snmpbulkwalk not installed"
  exit 2
fi

if [[ -z "$TIMEOUT_BIN" ]]; then
  echo "UNKNOWN - timeout not installed"
  exit 2
fi

# Send a GETBULK-style walk with a large max-repetitions value.
# From an external vantage, a successful verbose reply means the host is externally queryable
# with the supplied read community and is therefore usable as a reflector candidate.
$TIMEOUT_BIN 8 "$SNMPBULKWALK_BIN" -v2c -c "$COMMUNITY" -Cr50 -On -t 2 -r 0 "$HOST" "$OID" >"$TMP_OUT" 2>"$TMP_ERR"
RC=$?

if [[ $RC -eq 124 ]]; then
  echo "UNKNOWN - timed out"
  exit 2
fi

ERR_CONTENT="$(tr -d '\r' < "$TMP_ERR")"
OUT_BYTES="$(wc -c < "$TMP_OUT" | tr -d ' ')"
OUT_LINES="$(wc -l < "$TMP_OUT" | tr -d ' ')"

if grep -qiE 'Timeout: No Response|No Such Object|No Such Instance|Unknown user name|Authentication failure|authorizationError' "$TMP_ERR"; then
  echo "PATCHED - no usable external GETBULK response with supplied credentials"
  exit 0
fi

if [[ $RC -ne 0 && $OUT_BYTES -eq 0 ]]; then
  echo "UNKNOWN - command error: ${ERR_CONTENT:-none}"
  exit 2
fi

# Heuristic: if we received a non-trivial response from an external vantage using SNMPv2c,
# the host is operationally vulnerable as a reflector candidate.
if [[ $OUT_LINES -ge 3 && $OUT_BYTES -ge 200 ]]; then
  echo "VULNERABLE - external SNMP GETBULK succeeded (${OUT_LINES} lines, ${OUT_BYTES} bytes)"
  exit 1
fi

if [[ $OUT_BYTES -gt 0 ]]; then
  echo "VULNERABLE - external SNMP responded, though reply was smaller than expected (${OUT_LINES} lines, ${OUT_BYTES} bytes)"
  exit 1
fi

echo "UNKNOWN - indeterminate result"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not treat plugin 76474 like a patch-war-room item across 10,000 hosts. Query your external attack surface for UDP/161, validate whether any of those devices answer SNMPv2c GETBULK with weak/default communities, and close the exposure on edge devices during normal hardening work; for a LOW verdict there is noisgate mitigation SLA: no SLA and noisgate remediation SLA: treat as backlog hygiene. If you find a truly internet-exposed reflector on a firewall, router, printer fleet, or branch appliance, clean that specific exposure immediately as a network-hygiene exception even though the fleetwide severity remains LOW.

Sources

  1. Tenable Nessus Plugin 76474
  2. NCSC Ireland - Internet Accessible SNMP Server
  3. BITAG - SNMP DDoS Attacks
  4. Network World - DDoS attacks using SNMP amplification on the rise
  5. Rapid7 - Exposure of Critical Information Via SNMP Public Community String
  6. Shadowserver - Open SNMP Report
  7. NVD - CVE-2008-4309
  8. OpenCVE - CVE-2008-4309
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.