National Cyber Alert System
Technical Cyber Security Alert TA08-162A

SNMPv3 Authentication Bypass Vulnerability

Original release date: June 10, 2008
Last revised: June 10, 2008
Source: US-CERT

Systems Affected

Multiple implementations of SNMPv3, including
  • Net-SNMP 5.4.1, 5.3.2, 5.2.4, 5.1.4, and 5.0.11
  • UCD-SNMP 4.2.7

Overview

A vulnerability in the way implementations of SNMPv3 handle specially crafted packets may allow authentication bypass.


I. Description

The Simple Network Management Protocol (SNMP) is a widely deployed protocol that is commonly used to monitor and manage network devices. SNMPv3 (RFC 3410) supports a user-based security model (RFC 3414) that incorporates security features such as authentication and privacy control. Authentication for SNMPv3 is done using a keyed-hash message authentication code (HMAC), which is calculated using a cryptographic hash function in combination with a secret key.

Implementations of SNMPv3 may accept a shortened HMAC in the authenticator field, allowing a sender to authenticate to an agent or a trap daemon with an HMAC as short as one byte. Reducing the HMAC to one byte makes brute-force authentication trivial.

This issue is known to affect Net-SNMP and UCD-SNMP. Other SNMP implementations may also be affected. Further information is available in the Net-SNMP SECURITY RELEASE and US-CERT Vulnerability Note VU#878044. The CVE identifier for this vulnerability is CVE-2008-0960.
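The length-handling flaw described above can be shown next to a hardened check. This is an added example, not code from Net-SNMP, UCD-SNMP or the advisory: the function names, key and message bytes are constructed for illustration, and RFC 3414 key localization and packet parsing are left out.

```python
import hashlib
import hmac

AUTH_LEN = 12  # HMAC-MD5-96 and HMAC-SHA-96 authenticators are 12 bytes (RFC 3414)


def expected_mac(key: bytes, msg: bytes) -> bytes:
    """Full-length authenticator: HMAC-SHA-1 truncated to 96 bits."""
    return hmac.new(key, msg, hashlib.sha1).digest()[:AUTH_LEN]


def verify_lenient(key: bytes, msg: bytes, received: bytes) -> bool:
    """Flawed pattern: compares only as many bytes as the sender supplied,
    so a one-byte authenticator has just 256 possible values."""
    n = len(received)
    return 1 <= n <= AUTH_LEN and expected_mac(key, msg)[:n] == received


def verify_strict(key: bytes, msg: bytes, received: bytes) -> bool:
    """Hardened: the length must be exactly AUTH_LEN before any comparison,
    and the comparison itself is constant-time."""
    if len(received) != AUTH_LEN:
        return False
    return hmac.compare_digest(expected_mac(key, msg), received)


def flag_short_authenticators(packets):
    """Detection helper: ids of packets that carry an authenticator
    (non-empty field) whose length is not AUTH_LEN."""
    return [pid for pid, auth in packets
            if len(auth) > 0 and len(auth) != AUTH_LEN]


# Constructed sample data, not taken from any real device or capture.
KEY = b"constructed-localized-key"
MSG = b"constructed SNMPv3 message bytes"

if __name__ == "__main__":
    full = expected_mac(KEY, MSG)
    short = full[:1]
    print("lenient accepts 1-byte MAC:", verify_lenient(KEY, MSG, short))
    print("strict accepts 1-byte MAC: ", verify_strict(KEY, MSG, short))
    print("strict accepts full MAC:   ", verify_strict(KEY, MSG, full))
    observed = [("pkt-1", full), ("pkt-2", short), ("pkt-3", b"")]
    print("flagged:", flag_short_authenticators(observed))
```

The same length test used in `flag_short_authenticators` can serve as a monitoring rule: an authenticated SNMPv3 message whose authenticator field is present but not 12 bytes long is worth alerting on regardless of patch status.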

II. Impact

Remote attackers may be able to read and modify any SNMP object and configuration on a vulnerable system. The attacker's ability to read and modify objects would be constrained to the privileges of the account used to authenticate to the vulnerable system.


III. Solution

Upgrade

This vulnerability is addressed in Net-SNMP versions 5.4.1.1, 5.3.2.1, 5.2.4.1, 5.1.4.1, 5.0.11.1 and UCD-SNMP 4.2.7.1. Please see the Net-SNMP download page.

Alternatively, consult your vendor for more information. See the Systems Affected section of US-CERT Vulnerability Note VU#878044 for information about specific vendors.

Apply a patch

Net-SNMP has released a patch (1989089) to address this issue. Note that the patch should apply cleanly to UCD-SNMP too.

Enable the SNMPv3 privacy subsystem

The configuration should be modified to enable the SNMPv3 privacy subsystem to encrypt the SNMPv3 traffic using a secret, private key. This option does not encrypt the HMAC, but does make it harder for an attacker to create valid authentication messages.


IV. References



Feedback can be directed to US-CERT.


Produced 2008 by US-CERT, a government organization.

Revision History

June 10 2008: Initial release
June 10 2008: Re-worded Impact and Solution sections, added CVE and VU#878044 references, added Net-SNMP version information

Last updated June 10, 2008