Vulnerability Note VU#878044

SNMPv3 improper HMAC validation allows authentication bypass

Overview

A vulnerability in the way implementations of SNMPv3 handle specially crafted packets may allow authentication bypass.

I. Description

SNMP can be configured to utilize version 3, which is the current standard version of SNMP. SNMPv3 incorporates security features such as authentication and privacy control among other features. Authentication for SNMPv3 is done using keyed-Hash Message Authentication Code (HMAC), a message authentication code calculated using a cryptographic hash function in combination with a secret key. Implementations of SNMPv3 may allow a shortened HMAC code in the authenticator field to authenticate to an agent or a trap daemon using a minimum HMAC of 1 byte.

This issue is known to affect Net-SNMP and UCD-SNMP. Other SNMP implementations may also be affected.

II. Impact

This vulnerability allows attackers to read and modify any SNMP object that can be accessed by the impersonated user. Attackers exploiting this vulnerability can view and modify the configuration of these devices.

III. Solution

Upgrade

This vulnerability is addressed in Net-SNMP versions 5.4.1.1, 5.3.2.1, 5.2.4.1, 5.1.4.1, 5.0.11.1 and UCD-SNMP 4.2.7.1. Please see the Net-SNMP download page.

Alternatively, consult your vendor. See the Systems Affected section below for more information.

Apply a patch

Net-SNMP has released a patch to address this issue. For more information refer to SECURITY RELEASE: Multple Net-SNMP Versions Released. Users are encouraged to apply the patch as soon as possible. Note that patch should apply cleanly to UCD-snmp too.

Enable the SNMPv3 privacy subsystem

The configuration should be modified to enable the SNMPv3 privacy subsystem to encrypt the SNMPv3 traffic using a secret, private key. This option does not encrypt the HMAC, but does minimize the possible affects from this vulnerability.

Systems Affected

Vendor	Status	Date Notified
3com, Inc.	Unknown	20-May-2008
ACCESS	Unknown	2-Jun-2008
AdventNet Inc.	Not Vulnerable	18-Jun-2008
Alcatel	Unknown	20-May-2008
Apple Computer, Inc.	Unknown	2-Jun-2008
Aruba Networks, Inc.	Unknown	20-May-2008
Asante Technologies, Inc.	Unknown	13-Jun-2008
Atheros Communications, Inc.	Unknown	13-Jun-2008
AT&T	Unknown	20-May-2008
Avaya, Inc.	Unknown	20-May-2008
Avici Systems, Inc.	Unknown	20-May-2008
BEA Systems, Inc.	Unknown	13-Jun-2008
Borderware Technologies	Unknown	20-May-2008
Bro	Unknown	20-May-2008
Broadcom	Unknown	13-Jun-2008
Charlotte's Web Networks	Unknown	20-May-2008
Check Point Software Technologies	Unknown	20-May-2008
Cisco Systems, Inc.	Unknown	13-Jun-2008
Clavister	Unknown	20-May-2008
Computer Associates	Not Vulnerable	20-Jun-2008
Computer Associates eTrust Security Management	Not Vulnerable	20-Jun-2008
Conectiva Inc.	Unknown	20-May-2008
Cosinecom	Unknown	13-Jun-2008
Covalent Technologies	Unknown	13-Jun-2008
cPanel Inc.	Unknown	13-Jun-2008
Cray Inc.	Unknown	20-May-2008
Cyclades, Inc.	Unknown	13-Jun-2008
D-Link Systems, Inc.	Unknown	20-May-2008
Data Connection, Ltd.	Unknown	20-May-2008
Debian GNU/Linux	Unknown	20-May-2008
eCosCentric	Vulnerable	13-Jun-2008
EMC Corporation	Unknown	20-May-2008
Engarde Secure Linux	Unknown	20-May-2008
Enterasys Networks	Unknown	20-May-2008
Ericsson	Unknown	20-May-2008
eSoft, Inc.	Unknown	20-May-2008
Extreme Networks	Not Vulnerable	17-Jun-2008
F5 Networks, Inc.	Unknown	20-May-2008
Fedora Project	Unknown	20-May-2008
Force10 Networks, Inc.	Not Vulnerable	12-Jun-2008
Fortinet, Inc.	Not Vulnerable	27-May-2008
Foundry Networks, Inc.	Not Vulnerable	17-Jun-2008
FreeBSD, Inc.	Unknown	20-May-2008
Fujitsu	Unknown	20-May-2008
Funkwerk Enterprise Communications	Not Vulnerable	18-Jun-2008
Gentoo Linux	Unknown	4-Jun-2008
Global Technology Associates	Unknown	20-May-2008
Harris Corporation	Unknown	13-Jun-2008
Hewlett-Packard Company	Unknown	20-May-2008
Hitachi	Unknown	20-May-2008
Hyperchip	Unknown	20-May-2008
IBM Corporation	Not Vulnerable	18-Jun-2008
IBM Corporation (zseries)	Unknown	20-May-2008
IBM eServer	Unknown	20-May-2008
Ingrian Networks, Inc.	Unknown	20-May-2008
Inktomi Corporation (now Yahoo!)	Unknown	13-Jun-2008
Intel Corporation	Not Vulnerable	21-May-2008
Internet Initiative Japan	Vulnerable	19-Jun-2008
Internet Security Systems, Inc.	Not Vulnerable	4-Jun-2008
Intoto	Unknown	20-May-2008
IP Filter	Unknown	20-May-2008
IP Infusion, Inc.	Unknown	20-May-2008
Juniper Networks, Inc.	Vulnerable	9-Jun-2008
Lantronix	Unknown	13-Jun-2008
Linux Kernel Archives	Unknown	20-May-2008
Lotus Software	Unknown	13-Jun-2008
Lucent Technologies	Unknown	20-May-2008
Luminous Networks	Unknown	20-May-2008
m0n0wall	Unknown	20-May-2008
Mandriva, Inc.	Unknown	20-May-2008
Marconi, Inc.	Unknown	13-Jun-2008
McAfee	Unknown	20-May-2008
MetaSwitch	Unknown	13-Jun-2008
Metrobility, Inc.	Unknown	13-Jun-2008
Microsoft Corporation	Not Vulnerable	28-May-2008
MontaVista Software, Inc.	Unknown	20-May-2008
Motion Media Technologies, Inc.	Unknown	13-Jun-2008
Multinet (owned Process Software Corporation)	Unknown	20-May-2008
Multitech, Inc.	Unknown	20-May-2008
NEC Corporation	Unknown	20-May-2008
Net-Policy	Unknown	13-Jun-2008
NetBSD	Unknown	20-May-2008
netfilter	Unknown	20-May-2008
Netgear, Inc.	Unknown	13-Jun-2008
Netscape Communications Corporation	Unknown	13-Jun-2008
netsnmp	Vulnerable	10-Jun-2008
netsnmpj	Unknown	13-Jun-2008
Network Appliance, Inc.	Vulnerable	4-Jun-2008
NextHop Technologies, Inc.	Unknown	20-May-2008
Nokia	Unknown	20-May-2008
Nortel Networks, Inc.	Unknown	20-May-2008
Novell, Inc.	Not Vulnerable	4-Jun-2008
OpenBSD	Unknown	20-May-2008
openSNMP	Unknown	13-Jun-2008
Openwall GNU/*/Linux	Unknown	20-May-2008
Oracle Corporation	Unknown	13-Jun-2008
Polycom	Unknown	13-Jun-2008
QNX, Software Systems, Inc.	Unknown	20-May-2008
Quagga	Unknown	20-May-2008
QUALCOMM Incorporated	Unknown	13-Jun-2008
Rad Vision, Inc.	Unknown	13-Jun-2008
Red Hat, Inc.	Vulnerable	6-Jun-2008
Redback Networks, Inc.	Unknown	20-May-2008
Riverstone Networks, Inc.	Unknown	20-May-2008
Secure Computing Network Security Division	Unknown	20-May-2008
Secureworx, Inc.	Unknown	20-May-2008
Silicon Graphics, Inc.	Unknown	20-May-2008
Slackware Linux Inc.	Unknown	20-May-2008
SmoothWall	Unknown	20-May-2008
SNMP Research	Vulnerable	6-Jun-2008
Snort	Unknown	20-May-2008
Soapstone Networks	Unknown	2-Jun-2008
Sony Corporation	Unknown	20-May-2008
Sourcefire	Unknown	20-May-2008
Stonesoft	Not Vulnerable	23-Jun-2008
Sun Microsystems, Inc.	Vulnerable	16-Jun-2008
SUSE Linux	Unknown	20-May-2008
Symantec, Inc.	Unknown	20-May-2008
The SCO Group	Unknown	20-May-2008
The Teamware Group	Unknown	13-Jun-2008
TippingPoint, Technologies, Inc.	Not Vulnerable	21-May-2008
Trustix Secure Linux	Unknown	20-May-2008
Turbolinux	Unknown	20-May-2008
Ubuntu	Unknown	20-May-2008
Vertical Networks, Inc.	Unknown	13-Jun-2008
Watchguard Technologies, Inc.	Unknown	20-May-2008
Wind River Systems, Inc.	Unknown	20-May-2008
ZyXEL	Unknown	20-May-2008

References

http://sourceforge.net/forum/forum.php?forum_id=833770
http://www.ocert.org/advisories/ocert-2008-006.html
http://secunia.com/advisories/30574/
http://secunia.com/advisories/30665/
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238865-1

Credit

This issue was reported by Wes Hardaker at Net-SNMP. Thanks also to Jeff Case of SNMP Research and oCERT.

This document was written by Chris Taschner and David Warren.

Other Information

Date Public:	2008-05-31
Date First Published:	2008-06-10
Date Last Updated:	2008-06-25
CERT Advisory:
CVE-ID(s):	CVE-2008-0960
NVD-ID(s):	CVE-2008-0960
US-CERT Technical Alerts:	TA08-162A
Metric:	7.56
Document Revision:	34

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2008 by US-CERT, a government organization
Disclaimers and copyright information

Get Adobe Reader