Vulnerability Note VU#878044

SNMPv3 improper HMAC validation allows authentication bypass

Original Release date: 10 Jun 2008 | Last revised: 16 Jul 2009

Overview

A vulnerability in the way implementations of SNMPv3 handle specially crafted packets may allow authentication bypass.

Description

SNMP can be configured to utilize version 3, which is the current standard version of SNMP. SNMPv3 incorporates security features such as authentication and privacy control among other features. Authentication for SNMPv3 is done using keyed-Hash Message Authentication Code (HMAC), a message authentication code calculated using a cryptographic hash function in combination with a secret key. Implementations of SNMPv3 may allow a shortened HMAC code in the authenticator field to authenticate to an agent or a trap daemon using a minimum HMAC of 1 byte.

This issue is known to affect Net-SNMP and UCD-SNMP. Other SNMP implementations may also be affected.

Impact

This vulnerability allows attackers to read and modify any SNMP object that can be accessed by the impersonated user. Attackers exploiting this vulnerability can view and modify the configuration of these devices.

Solution


Upgrade

This vulnerability is addressed in Net-SNMP versions 5.4.1.1, 5.3.2.1, 5.2.4.1, 5.1.4.1, 5.0.11.1 and UCD-SNMP 4.2.7.1. Please see the Net-SNMP download page.

Alternatively, consult your vendor. See the Systems Affected section below for more information.

Apply a patch

Net-SNMP has released a patch to address this issue. For more information refer to SECURITY RELEASE: Multple Net-SNMP Versions Released. Users are encouraged to apply the patch as soon as possible. Note that patch should apply cleanly to UCD-snmp too.


Enable the SNMPv3 privacy subsystem

The configuration should be modified to enable the SNMPv3 privacy subsystem to encrypt the SNMPv3 traffic using a secret, private key. This option does not encrypt the HMAC, but does minimize the possible affects from this vulnerability.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
eCosCentricAffected-13 Jun 2008
Extreme NetworksAffected20 May 200822 Apr 2009
Global Technology AssociatesAffected20 May 200816 Jul 2009
Internet Initiative JapanAffected-19 Jun 2008
Juniper Networks, Inc.Affected20 May 200809 Jun 2008
netsnmpAffected16 May 200810 Jun 2008
Network Appliance, Inc.Affected20 May 200804 Jun 2008
Red Hat, Inc.Affected20 May 200806 Jun 2008
SNMP ResearchAffected-06 Jun 2008
Sun Microsystems, Inc.Affected20 May 200816 Jun 2008
AdventNet Inc. Not Affected13 Jun 200818 Jun 2008
Computer AssociatesNot Affected20 May 200820 Jun 2008
Computer Associates eTrust Security ManagementNot Affected20 May 200820 Jun 2008
Force10 Networks, Inc.Not Affected20 May 200812 Jun 2008
Fortinet, Inc.Not Affected20 May 200827 May 2008
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This issue was reported by Wes Hardaker at Net-SNMP. Thanks also to Jeff Case of SNMP Research and oCERT.

This document was written by Chris Taschner and David Warren.

Other Information

  • CVE IDs: CVE-2008-0960
  • US-CERT Alert: TA08-162A
  • Date Public: 31 May 2008
  • Date First Published: 10 Jun 2008
  • Date Last Updated: 16 Jul 2009
  • Severity Metric: 7.56
  • Document Revision: 36

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.