Vigil@nce: Net-SNMP, UCD-SNMP, Cisco, bypassing authentication
June 2008 by Vigil@nce
SYNTHESIS
An attacker can bypass the SNMPv3 authentication implemented in
Cisco products, Net-SNMP and UCD-SNMP.
Gravity: 3/4
Consequences: administrator access/rights, privileged access/rights
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 10/06/2008
Identifier: VIGILANCE-VUL-7879
IMPACTED PRODUCTS
– Cisco Catalyst [confidential versions]
– Cisco IOS [confidential versions]
– Net-SNMP [confidential versions]
– Red Hat Enterprise Linux [confidential versions]
– Unix - platform
DESCRIPTION
Version 3 of SNMP uses HMAC authentication. The client
authenticates by providing an HMAC, based on MD5 or SHA-1, of
exchanged random values and of authentication data.
The SNMP service checks the received HMAC by comparing it to the
one it computed. However, the comparison is done over the length of
the string provided by the user, instead of over the length of the
HMAC-MD5-96/HMAC-SHA-96. An attacker can therefore provide an HMAC
of only one byte: there is one chance in 256 that this byte is the
same as the first byte of the computed HMAC.
A network attacker can therefore bypass the authentication and
perform operations (SET/GET) with the privileges of the connected user.
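The comparison flaw described above, next to a corrected check, as an added example in C (not code from Net-SNMP, UCD-SNMP or Cisco). The function names, the sample HMAC value and the constant-time loop are assumptions of this example; the advisory only states that the comparison length came from the user-supplied string.

```c
#include <stddef.h>
#include <string.h>

#define AUTH_LEN 12 /* HMAC-MD5-96 / HMAC-SHA-96: 96 bits = 12 bytes */

typedef int (*mac_check_fn)(const unsigned char *, const unsigned char *, size_t);

/* Flawed pattern: the number of bytes compared is taken from the packet. */
int check_mac_flawed(const unsigned char *computed,
                     const unsigned char *received, size_t received_len)
{
    if (received_len == 0 || received_len > AUTH_LEN)
        return 0;
    return memcmp(computed, received, received_len) == 0;
}

/* Corrected pattern: the length must be exactly the fixed HMAC size. */
int check_mac_fixed(const unsigned char *computed,
                    const unsigned char *received, size_t received_len)
{
    unsigned char diff = 0;
    size_t i;

    if (received_len != AUTH_LEN)
        return 0; /* rejected before any byte is compared */
    for (i = 0; i < AUTH_LEN; i++) /* constant-time compare (extra hardening) */
        diff |= (unsigned char)(computed[i] ^ received[i]);
    return diff == 0;
}

/* Constructed 12-byte value standing in for the HMAC the agent computed. */
static const unsigned char SAMPLE_MAC[AUTH_LEN] = {
    0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x4d, 0xb8, 0x10, 0x6f, 0xc3, 0x29, 0x7e
};

/* Regression check: how many of the 256 one-byte fields does `check` accept? */
int one_byte_fields_accepted(mac_check_fn check)
{
    int v, accepted = 0;

    for (v = 0; v < 256; v++) {
        unsigned char field = (unsigned char)v;
        accepted += check(SAMPLE_MAC, &field, 1);
    }
    return accepted;
}
```

A regression test for an SNMPv3 agent can assert that `one_byte_fields_accepted` returns 0 for its verification routine; the flawed pattern returns 1, which is the one-in-256 acceptance the advisory describes.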
CHARACTERISTICS
Identifiers: 107408, cisco-sa-20080610-snmpv3, CSCsf04754,
CSCsf29976, CSCsf30109, CSCsq60582, CSCsq60664, CSCsq60695, CSCsq62662, CVE-2008-0960, oCERT-2008-006, RHSA-2008:0528-01, RHSA-2008:0529-01, VIGILANCE-VUL-7879, VU#878044