SNMPv3 Authentication Bypass Vulnerability
RISK: Medium Risk
A vulnerability has been identified in the way implementations of SNMPv3 handle specially crafted packets, which may allow authentication bypass.
The Simple Network Management Protocol (SNMP) is a widely deployed protocol that is commonly used to monitor and manage network devices. SNMPv3 (RFC 3410) supports a user-based security model (RFC 3414) that incorporates security features such as authentication and privacy control. Authentication for SNMPv3 is done using a keyed-hash message authentication code (HMAC), which is calculated using a cryptographic hash function in combination with a secret key. Implementations of SNMPv3 may accept a shortened HMAC in the authenticator field, allowing authentication to an agent or a trap daemon with an HMAC as short as one byte. Reducing the HMAC to one byte makes brute-force authentication trivial.
This issue is known to affect Net-SNMP and UCD-SNMP. Other SNMP implementations may also be affected.
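The length handling described above, as an added example that is not taken from this advisory or from the Net-SNMP sources: a check that trusts the received authenticator length beside one that enforces the full length. The function names and the sample MAC bytes are constructed for illustration; the 12-byte length is the truncated HMAC size used by the RFC 3414 HMAC-MD5-96 and HMAC-SHA-96 protocols.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 3414 HMAC-MD5-96 / HMAC-SHA-96 carry a 12-byte authenticator. */
#define USM_AUTH_LEN 12

/* Constructed sample: stands in for the MAC the agent computed itself. */
static const unsigned char expected_mac[USM_AUTH_LEN] = {
    0x5a, 0x13, 0xc7, 0x08, 0x9e, 0x41, 0xd2, 0x6b, 0x77, 0xf0, 0x2c, 0x85
};

/* Flawed pattern (hypothetical): the comparison length comes from the
 * packet, so a 1-byte authenticator only has to match one byte. */
int check_mac_lax(const unsigned char *rx, size_t rx_len)
{
    if (rx_len == 0 || rx_len > USM_AUTH_LEN)
        return 0;
    return memcmp(rx, expected_mac, rx_len) == 0;
}

/* Hardened: reject anything that is not exactly 12 bytes, then compare
 * without an early exit so timing does not reveal a partial match. */
int check_mac_strict(const unsigned char *rx, size_t rx_len)
{
    unsigned char diff = 0;
    size_t i;

    if (rx_len != USM_AUTH_LEN)
        return 0;
    for (i = 0; i < USM_AUTH_LEN; i++)
        diff |= (unsigned char)(rx[i] ^ expected_mac[i]);
    return diff == 0;
}

int main(void)
{
    const unsigned char short_auth[1] = { 0x5a }; /* first byte only */

    printf("full MAC:   lax=%d strict=%d\n",
           check_mac_lax(expected_mac, USM_AUTH_LEN),
           check_mac_strict(expected_mac, USM_AUTH_LEN));
    printf("1-byte MAC: lax=%d strict=%d\n",
           check_mac_lax(short_auth, 1),
           check_mac_strict(short_auth, 1));
    return 0;
}
```

With the lax check, a one-byte authenticator has only 256 possible values, which is the weakness the advisory describes; the strict check never evaluates a short authenticator at all.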
Impact
- Elevation of Privilege
- Remote Code Execution
System / Technologies affected
- Net-SNMP versions 5.4.1.1, 5.3.2.1, 5.2.4.1, 5.1.4.1, 5.0.11.1
- UCD-SNMP version 4.2.7.1
Solutions
Before installation of the software, please visit the software manufacturer's website for more details.
- Apply a patch:
  - Net-SNMP has released a patch (1989089) to address this issue.
  - Note that the patch should apply cleanly to UCD-SNMP too.
- Enable the SNMPv3 privacy subsystem:
  - The configuration should be modified to enable the SNMPv3 privacy subsystem to encrypt the SNMPv3 traffic using a secret, private key. This option does not encrypt the HMAC, but does make it harder for an attacker to create valid authentication messages.
Vulnerability Identifier
Source
Related Link