===================================================================== CERT-Renater Note d'Information No. 2008/VULN212 _____________________________________________________________________ DATE : 11/06/2008 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running SNMPv3 implementations. ====================================================================== http://www.us-cert.gov/cas/techalerts/TA08-162A.html ______________________________________________________________________ National Cyber Alert System Technical Cyber Security Alert TA08-162A SNMPv3 Authentication Bypass Vulnerability Original release date: June 10, 2008 Last revised: -- Source: US-CERT Systems Affected * Multiple Implementations of SNMPv3 Overview A vulnerability in the way implementations of SNMPv3 handle specially crafted packets may allow authentication bypass. I. Description The Simple Network Management Protocol (SNMP) is a widely deployed protocol that is commonly used to monitor and manage network devices. SNMPv3 ( RFC 3410) supports a user-based security model (RFC 3414) that incorporates security features such as authentication and privacy control. Authentication for SNMPv3 is done using keyed-hash message authentication code (HMAC), a message authentication code calculated using a cryptographic hash function in combination with a secret key. Implementations of SNMPv3 may allow a shortened HMAC code in the authenticator field to authenticate to an agent or a trap daemon using a minimum HMAC of one byte. Reducing the HMAC to one-byte HMAC makes brute-force authentication trivial. This issue is known to affect Net-SNMP and UCD-SNMP. Other SNMP implementations may also be affected. II. Impact This vulnerability allows attackers to read and modify any SNMP object that can be accessed using the authentication credentials that got them into the system. Attackers exploiting this vulnerability can view and modify the configuration of these devices. Attackers must gain access using credentials with write privileges in order to modify configurations. III. Solution Upgrade Please consult your vendor for more information. Apply a patch Net-SNMP has released a patch to address this issue. For more information, refer to SECURITY RELEASE: Multiple Net-SNMP Versions Released. Users are encouraged to apply the patch as soon as possible. Note that patch should apply cleanly to UCD-snmp too. Enable the SNMPv3 privacy subsystem The configuration should be modified to enable the SNMPv3 privacy subsystem to encrypt the SNMPv3 traffic using a secret, private key. This option does not encrypt the HMAC, but does minimize the possible affects from this vulnerability. IV. References * RFC 3410 - * RFC 3414 - * SECURITY RELEASE: Multiple Net-SNMP Versions Released - * US-CERT Vulnerability Note - ____________________________________________________________________ The most recent version of this document can be found at: ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA08-162A Feedback VU#878044" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit . ____________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: ____________________________________________________________________ Revision History June 10 2008: Initial release ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================