A vulnerability in the way implementations of SNMPv3 handle specially crafted packets may allow authentication bypass.
The Simple Network Management Protocol (SNMP) is a widely deployed protocol that is commonly used to monitor and manage network devices. SNMPv3 (RFC 3410) supports a user-based security model (RFC 3414) that incorporates security features such as authentication and privacy control. Authentication for SNMPv3 uses a keyed-hash message authentication code (HMAC), which is calculated using a cryptographic hash function in combination with a secret key. Implementations of SNMPv3 may accept a shortened HMAC in the authenticator field, allowing authentication to an agent or a trap daemon with an HMAC as short as one byte. Reducing the HMAC to one byte makes brute-force authentication trivial.
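The length check described above, as an added example that is not code from Net-SNMP, UCD-SNMP or this advisory: a comparison that trusts the authenticator length supplied in the packet, beside one that enforces the 12-octet length RFC 3414 defines for HMAC-MD5-96 and HMAC-SHA-96. The function names and the sample HMAC value are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char u8;
/* RFC 3414 HMAC-MD5-96 and HMAC-SHA-96 carry a 12-octet authenticator. */
#define USM_AUTH_LEN 12

/* Flawed pattern (illustrative): the compare length comes from the packet,
 * so a 1-octet field is checked against only the first octet of the HMAC. */
int check_auth_flawed(const u8 *expected, const u8 *received, size_t len)
{
    if (len == 0 || len > USM_AUTH_LEN)
        return 0;
    return memcmp(expected, received, len) == 0;
}

/* Hardened pattern: require the full 12 octets, compare with no early exit. */
int check_auth_strict(const u8 *expected, const u8 *received, size_t len)
{
    u8 diff = 0;
    if (len != USM_AUTH_LEN)
        return 0;
    for (size_t i = 0; i < USM_AUTH_LEN; i++)
        diff |= (u8)(expected[i] ^ received[i]);
    return diff == 0;
}

/* Constructed sample standing in for the HMAC the agent computes locally. */
static const u8 SAMPLE_EXPECTED[USM_AUTH_LEN] = {
    0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x48, 0xb6, 0x1d, 0xf0, 0x24, 0x7b, 0xc9 };

/* How many of the 256 possible 1-octet authenticators a check accepts. */
int count_one_octet_matches(int (*check)(const u8 *, const u8 *, size_t))
{
    int hits = 0;
    for (int v = 0; v < 256; v++) {
        u8 guess = (u8)v;
        hits += check(SAMPLE_EXPECTED, &guess, 1);
    }
    return hits;
}

int main(void)
{
    printf("1-octet values accepted: flawed=%d strict=%d\n",
           count_one_octet_matches(check_auth_flawed),
           count_one_octet_matches(check_auth_strict));
    return 0;
}
```

The same two functions can serve as a regression test when reviewing a vendor's SNMPv3 stack: any authenticator shorter than 12 octets must be rejected before the comparison runs.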
This issue is known to affect Net-SNMP and UCD-SNMP. Other SNMP implementations may also be affected. Further information is available in the Net-SNMP SECURITY RELEASE and US-CERT Vulnerability Note VU#878044. The CVE identifier for this vulnerability is CVE-2008-0960.
Remote attackers may be able to read and modify any SNMP object and configuration on a vulnerable system. The attacker's ability to read and modify objects would be constrained to the privileges of the account used to authenticate to the vulnerable system.
This vulnerability is addressed in Net-SNMP versions 5.4.1.1, 5.3.2.1, 5.2.4.1, 5.1.4.1, 5.0.11.1 and UCD-SNMP 4.2.7.1. Please see the Net-SNMP download page.
Alternatively, consult your vendor for more information. See the Systems Affected section of US-CERT Vulnerability Note VU#878044 for information about specific vendors.
Net-SNMP has released a patch (1989089) to address this issue. Note that the patch should apply cleanly to UCD-SNMP as well.
The configuration should be modified to enable the SNMPv3 privacy subsystem to encrypt the SNMPv3 traffic using a secret, private key. This option does not encrypt the HMAC, but does make it harder for an attacker to create valid authentication messages.
Feedback can be directed to US-CERT.
Produced 2008 by US-CERT, a government organization.
Revision History
June 10 2008: Initial release
June 10 2008: Re-worded Impact and Solution sections, added CVE and VU#878044 references, added Net-SNMP version information